By: Jay Chen
Unit 42 researchers analyzed 1.2 million newly registered domain (NRD) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ domains are classified as “risky” or “malicious”, spread across various regions, as shown in Figure 1. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).
Unit 42 researchers found 56,200+ of the NRDs are hosted in one of the top four popular cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba:
● 70.1% in AWS
● 24.6% in GCP
● 5.3% in Azure
● <.1% in Alibaba
During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective. Some important findings in this research are:
- On average, 1,767 malicious COVID-19 themed domains are created every day.
- Of the 86,600+ domains, 2,829 domains hosted in public clouds are found as risky or malicious.
○ 79.2% in AWS
○ 14.6% in GCP
○ 5.9% in Azure
○ .3% in Alibaba
- Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
- The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds.
Palo Alto Networks continuously monitor the malicious newly registered domains. Prisma Cloud and VM-Series both provide layer-7 firewall capabilities in cloud environments to prevent malicious activities from these domains.
COVID-19 Themed Domain Names
The COVID-19 related domains studied in this research were obtained from the RiskIQ dataset. The dataset keeps track of the newly observed domains that contain keywords related to COVID-19, including “coronav”, “covid”, “ncov”, “pandemic”, “vaccine,” and “virus.” Between March 9th to April 19th, 1.2M domains were registered with one of these keywords. 86,607 domains are categorized as risky or malicious by Palo Alto Networks URL Filtering. We enriched the dataset using the Palo Alto Networks URL Filtering, Autofocus, WHOIS database, and IP geolocation. Note that due to the size of the dataset, we were unable to individually verify the relationship between each domain and the COVID-19 pandemic.
Figure 2 describes the number of NRDs containing each keyword and the number of these NRDs observed every week. Figure 3 illustrates the types of malicious domains identified in the dataset. On average, 1,767 malicious COVID-19 related domains are created every day. Figure 1 visualizes where the malicious domains are hosted. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).
COVID-19 NRDs in Public Clouds
Palo Alto Networks identified 2,829 cloud-hosted NRDs classified as “risky” or “malicious.” Figure 4 shows the distribution of NRDs across the 4 CSPs. The left plot is the distribution of all cloud-hosted NRDs, and the right plot is the distribution of “malicious” NRDs in public clouds. Note that Alibaba does not appear in the plot due to its low percentage (< 0.5%). It is interesting to see that only 5% of the NRDs are found malicious in public clouds, while 7.5% of NRDs are found malicious in the entire internet. We speculate that the higher price and more rigorous screening/monitoring process may make malicious actors less willing to host malicious domains in public clouds.
In a CDN, hundreds or thousands of domains in the nearby geographical location may resolve to the same IP of an edge server. CDNs reduce network latency and improve service availability by caching the static web content on edge servers. However, because a malicious domain shares the same IPs as other benign domains in the same CDN, it also acts as a cover for malicious domains. In our analysis, a Cloudflare IP 23.227.38[.]64 is associated with more than 150 risky or malicious domains. E.g., covid-safe[.]shop, cubrebocascovid[.]com, www.covidkaukes[.]lt, protection-contre-le-coronavirus[.]com. In the same dataset, more than 2,000 other benign domains also resolve to the same IP.
In the second scenario, when a single domain resolves to multiple IPs, the domain may have a set of redundant hosts all serving the same content, or the domain may again be hosted in a CDN. If a domain has multiple redundant hosts, a DNS will hold multiple A records for this domain. If a domain is hosted in a CDN, the domain can resolve to different IP addresses based on the client’s location. The IP of the closest edge server is always returned when a client queries DNS servers for this domain. In our analysis, the domain covid19-fr.johanrin [.]com resolves to 28 different IPs where each IP belongs to an Amazon CloudFront edge server. E.g., 52.85.151[.]68, 99.84.191[.]82, 13.249.44[.]82, 54.192.30[.]118.
With thousands of malicious domains coming online every day, it is imperative to protect every endpoint with continuous monitoring and automatic threat prevention tools. However, cloud-hosted services or applications usually give users less visibility and make network monitoring more challenging. The problem becomes even more complicated when working in a multi-cloud environment. Cloud Native Security Platforms (CNSPs) help organizations monitor and secure resources across multiple cloud providers, workloads and hybrid cloud environments.
Palo Alto Networks customers are already protected from these threats by:
- Prisma Cloud
- Palo Alto Network URL Filtering