Palo Alto Networks discovers 2,500+ malicious COVID-19 domains hosted on public clouds

COVID-19: Cloud Threat Landscape

By: Jay Chen

Unit 42 researchers found 56,200+ of the NRDs are hosted in one of the top four popular cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba:

Executive Summary

 Unit 42 researchers analyzed 1.2 million newly registered domain (NRD) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ domains are classified as “risky” or “malicious”, spread across various regions , as shown in Figure 1. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456). While the researchers were only able to identify two risky domains in the Philippines: covid19qpass.hopto.org and fcovid.ph.

  • 1% in AWS
  • 6% in GCP
  • 3% in Azure
  • <.1% in Alibaba

During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective. Some important findings in this research are:

  • On average, 1,767 malicious COVID-19 themed domains are created every day.
  • Of the 86,600+ domains, 2,829 domains hosted in public clouds are found as risky or malicious
    • 2% in AWS
    • 6% in GCP
    • 9% in Azure
    • .3% in Alibaba
  • Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
  • The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds.

Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack. Organizations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments. Palo Alto Networks continuously monitor the malicious newly registered domains. Prisma Cloud and VM-Series both provide layer-7 firewall capabilities in cloud environments to prevent malicious activities from these domains.

Figure 1. 86,600+ malicious domains related to COVID-19 were registered in seven weeks.

COVID-19 Themed Domain Names

The COVID-19 related domains studied in this research were obtained from the RiskIQ dataset. The dataset keeps track of the newly observed domains that contain keywords related to COVID-19, including “coronav”, “covid”, “ncov”, “pandemic”, “vaccine,” and “virus.” Between March 9th to April 19th, 1.2M domains were registered with one of these keywords. 86,607 domains are categorized as risky or malicious by Palo Alto Networks URL Filtering. We enriched the dataset using the Palo Alto Networks URL Filtering, AutoFocus, WHOIS database, and IP geolocation. Note that due to the size of the dataset, we were unable to individually verify the relationship between each domain and the COVID-19 pandemic.

Figure 2 describes the number of NRDs containing each keyword and the number of these NRDs observed every week. Figure 3 illustrates the types of malicious domains identified in the dataset. On average, 1,767 malicious COVID-19 related domains are created every day. Figure 1 visualizes where the malicious domains are hosted. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

Figure 2. Newly registered domains containing COVID-19 related keywords from March 9, 2020 to April 26, 2020.

Figure 3. Three types of malicious activity identified by Palo Alto Network URL Filtering

COVID-19 NRDs in Public Clouds

When focusing on the cloud-hosted domains, 56,212 of the NRDs are hosted in one of the top 4 cloud service providers, AWS, Azure, GCP, or Alibaba. 39,494 (70%) of these domains are hosted in AWS and only 61 (0.1%) of the domains are hosted in Alibaba. Palo Alto Networks identified 2,829 cloud-hosted NRDs classified as “risky” or “malicious.” Figure 4 shows the distribution of NRDs across the 4 CSPs. The left plot is the distribution of all cloud-hosted NRDs, and the right plot is the distribution of “malicious” NRDs in public clouds. Note that Alibaba does not appear in the plot due to its low percentage (< 0.5%). It is interesting to see that only 5% of the NRDs are found malicious in public clouds, while 7.5% of NRDs are found malicious in the entire internet. We speculate that the higher price and more rigorous screening/monitoring process may make malicious actors less willing to host malicious domains in public clouds. Note that researchers did not investigate why a large volume of NRDs were hosted on AWS as compared to other prominent CSPs. Nothing discovered during the analysis indicated fundamental vulnerability.

Figure 4. Distribution of NRDs in public clouds.

During the analysis on cloud-hosted malicious domains, we noticed that multiple domains may resolve to a single IP, and a single domain may be associated with multiple IPs. The first scenario often occurs when the domains are hosted in a CDN, such as Amazon Cloudfront or Cloudflare. In a CDN, hundreds or thousands of domains in the nearby geographical location may resolve to the same IP of an edge server. CDNs reduce network latency and improve service availability by caching the static web content on edge servers. However, because a malicious domain shares the same IPs as other benign domains in the same CDN, it also acts as a cover for malicious domains. In our analysis, a Cloudflare IP 23.227.38[.]64 is associated with more than 150 risky or malicious domains. E.g., covid-safe[.]shop, cubrebocascovid[.]com, www.covidkaukes[.]lt, protection-contre-le-coronavirus[.]com. In the same dataset, more than 2,000 other benign domains also resolve to the same IP.

 

In the second scenario, when a single domain resolves to multiple IPs, the domain may have a set of redundant hosts all serving the same content, or the domain may again be hosted in a CDN. If a domain has multiple redundant hosts, a DNS will hold multiple A records for this domain. If a domain is hosted in a CDN, the domain can resolve to different IP addresses based on the client’s location. The IP of the closest edge server is always returned when a client queries DNS servers for this domain. In our analysis, the domain covid19-fr.johanrin[.]com resolves to 28 different IPs where each IP belongs to an Amazon CloudFront edge server. E.g., 52.85.151[.]68, 99.84.191[.]82, 13.249.44[.]82, 54.192.30[.]118.

This many-to-many domain to IP mapping makes it difficult to block malicious domains by IP addresses. A blacklisted IP in a layer-3 firewall may fail to block the traffic to/from a malicious domain while unintentionally making many other benign domains unreachable. A more intelligent layer-7 firewall is necessary to inspect the domain names in the application layer and selectively pass or block sessions.

Conclusion

Cyber threats are evolving rapidly and leveraging real-world events to deceive victims. With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud. With thousands of malicious domains coming online every day, it is imperative to protect every endpoint with continuous monitoring and automatic threat prevention tools because cloud-hosted applications and services are exposed to the same threats as non-cloud endpoints. The problem becomes even more complicated when working in a multi-cloud environment. Due to the complexity of cloud management, user-induced misconfigurations lead to the most security incidents. Cloud Native Security Platforms (CNSPs) help organizations monitor and secure resources across multiple cloud providers, workloads and hybrid cloud environments.

Palo Alto Networks customers are already protected from these threats by: