Palo Alto Networks discovers thousands of malicious COVID-19 domains hosted on public clouds

    Researchers at Unit 42, the threat intelligence team of Palo Alto Networks, found that 56,200+ of newly-registered domains (NRD) are hosted in one of the top four popular cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba: 

    Unit 42 researchers analyzed 1.2 million NRD names containing keywords related to the COVID-19 pandemic for 7 weeks from March 9, 2020 to April 26, 2020 and found that 86,600+ domains are classified as “risky” or “malicious”, spread across various regions. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456). 

    The researchers were also able to identify two risky domains in the Philippines: and

    • 70.1% in AWS
    • 24.6% in GCP
    • 5.3% in Azure 
    • <.1% in Alibaba

    The Unit 42 researchers noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective. Some important findings in this research are:

    • On average, 1,767 malicious COVID-19 themed domains are created every day.
    • Of the 86,600+ domains, 2,829 domains hosted in public clouds are found as risky or malicious
      • 79.2% in AWS
      • 14.6% in GCP
      • 5.9% in Azure
      • .3% in Alibaba
    • Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
    • The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds.

    Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack. Organizations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments. Palo Alto Networks continuously monitor the malicious newly registered domains. Prisma Cloud and VM-Series both provide layer-7 firewall capabilities in cloud environments to prevent malicious activities from these domains.

    Related Posts