Unit 42, the threat intelligence arm of Palo Alto Networks, said recently that it had classified more than 86,600 domains, spread across various regions, as “risky” or “malicious”.
The organisation analysed 1.2 million newly registered domain names containing keywords related to the coronavirus pandemic from March 9, 2020 to April 26, 2020.
Hong Kong and China recorded a combined 931 malicious domains, according to Unit 42.
The United States had the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456), Unit 42 added.
Researchers from the organisation found that more than 56,200 newly registered domains were hosted on Amazon Web Services (70.1%), Google Cloud Platform (24.6%), Microsoft Azure (5.3%), and Alibaba (less than 0.1%).
Some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains, said Unit 42.
“This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks and can make IP-based firewalls ineffective,” said Jay Chen, researcher at Unit 42.
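To make the many-to-many point concrete, here is an added example (not from Unit 42 or this article) that works over constructed passive-DNS records with placeholder domains and addresses: it lists the IPs shared between malicious and benign domains and scores an IP blocklist for both the malicious domains that slip through and the benign domains blocked as collateral.

```python
from collections import defaultdict

# Constructed passive-DNS records for illustration (domain, IP, verdict).
# Domains and addresses are placeholders, not real indicators.
RECORDS = [
    ("covid-relief-example.test", "203.0.113.10", "malicious"),
    ("covid-relief-example.test", "203.0.113.11", "malicious"),
    ("corona-update-example.test", "203.0.113.11", "malicious"),
    ("corona-update-example.test", "203.0.113.12", "malicious"),
    ("health-news-example.test", "203.0.113.10", "benign"),
    ("city-clinic-example.test", "203.0.113.12", "benign"),
    ("city-clinic-example.test", "203.0.113.13", "benign"),
]


def build_maps(records):
    """Return domain->IPs and IP->domains maps plus a per-domain verdict."""
    dom_to_ips, ip_to_doms, verdict = defaultdict(set), defaultdict(set), {}
    for dom, ip, v in records:
        dom_to_ips[dom].add(ip)
        ip_to_doms[ip].add(dom)
        verdict[dom] = v
    return dom_to_ips, ip_to_doms, verdict


def shared_ips(records):
    """IPs fronting both malicious and benign domains (the CDN overlap)."""
    _, ip_to_doms, verdict = build_maps(records)
    return sorted(ip for ip, doms in ip_to_doms.items()
                  if len({verdict[d] for d in doms}) > 1)


def evaluate_ip_blocklist(records, blocked_ips):
    """Score an IP blocklist: a malicious domain escapes if any of its IPs
    is still reachable; a benign domain is collateral if any of its IPs is
    blocked, since an IP firewall cannot tell the two apart on a shared IP."""
    dom_to_ips, _, verdict = build_maps(records)
    blocked = set(blocked_ips)
    escaped = sorted(d for d, ips in dom_to_ips.items()
                     if verdict[d] == "malicious" and ips - blocked)
    collateral = sorted(d for d, ips in dom_to_ips.items()
                        if verdict[d] == "benign" and ips & blocked)
    return {"escaped_malicious": escaped, "collateral_benign": collateral}


if __name__ == "__main__":
    # Block only the two IPs seen for the first malicious domain.
    print(shared_ips(RECORDS))
    print(evaluate_ip_blocklist(RECORDS, {"203.0.113.10", "203.0.113.11"}))
```

Blocking every IP the malicious domains ever used stops them all but also takes down both benign domains, which is the trade-off that pushes filtering to the domain or application layer.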
Other major findings according to Unit 42:
● On average, 1,767 malicious COVID-19 themed domains were created every day.
● Of the 86,600+ domains, 2,829 hosted in public clouds were found to be risky or malicious:
- AWS: 78.2%
- GCP: 14.6%
- Azure: 5.9%
- Alibaba: 0.3%
● Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
● The higher price and more rigorous screening/monitoring process are likely making malicious actors less willing to host malicious domains in public clouds.
Threats originating from the cloud can be more difficult to defend against because malicious actors leverage cloud resources to evade detection and amplify their attacks, Unit 42 said.
Organisations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments, the organisation advised.