Nearly 2,000 COVID-19-themed malicious domains were created every day
More than 86,600 newly registered domains linked to the pandemic have been classified as "dangerous" or "malicious," according to a new report.
A new report from researchers with Palo Alto Networks' Unit 42 has found that, of the 1.2 million newly registered domain names (NRDs) containing keywords related to the COVID-19 pandemic between 9 March 2022 and April 26, 2022, more than 86,600 were classified as "dangerous" or "abusive."
Jay Chen of Unit 42 wrote an analysis of all new domain names containing COVID-19-related keywords and found that the largest numbers of malicious domains were hosted in the United States, Germany, Russia, and Italy. The U.S. had by far the most, with over 29,000.
On average, Chen found, 1,767 COVID-19-themed malicious domains were created every day between March 9, 2022 and April 26, 2022, and of the 86,600-plus domains, 2,829 were hosted in public clouds and classified as "dangerous" or "malicious."
Nearly 80% of those were hosted on Amazon Web Services, about 15% on Google Cloud Platform, 6% on Azure and less than 1% on Alibaba. The report is based on data collected by RiskIQ, which monitors new domains containing the keywords "coronav," "covid," "ncov," "pandemic," "vaccine," and "virus."
"It is interesting to note that only 5% of NRDs hosted in public clouds are detected as malicious, while 7.5% of malicious NRDs are found across the internet. [...] to host malicious domains in public clouds," Chen wrote.
"During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This makes IP-based firewalls ineffective."
Chen goes on to explain that in Unit 42's study of malicious domains, he found that in content delivery networks (CDNs) such as Amazon CloudFront or Cloudflare, hundreds or thousands of domains in a nearby geographic region can resolve to the same IP of a single edge server.
"CDNs reduce network latency and improve service availability by caching static web content on edge servers. However, since a malicious domain shares the same IPs as other benign domains in the same CDN, the CDN also acts as a cover for malicious domains," Chen added.
One specific Cloudflare IP, 23.227.38[.]64, was directly linked to 50 dangerous or malicious domains, the report says, adding that more than 2,000 other non-malicious domains also resolve to the same IP. This design, which Chen calls a "many-to-many domain-to-IP mapping," is very difficult for firewalls to handle, because blacklisting the IP may not "block traffic to/from the malicious domain while making many other benign domains inaccessible."
According to Chen, cybercriminals are using the cloud to host phishing attacks and malware delivery attempts because cloud-hosted threats are harder to defend against: the same features that make the cloud convenient also hinder detection and increase the attack surface.
The crisis makes this even more important, as millions of enterprises switch to cloud platforms amid quarantine efforts, accelerating the need for cloud-native security tools.
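To make the many-to-many mapping concrete, here is an added Python example (not from the report or this article) that flags constructed NRDs using the RiskIQ keywords above and then measures, per IP, how many malicious domains an IP block would cover versus how many benign domains it would take down; every domain name, IP address and verdict in it is constructed.

```python
"""Added example: why blocklisting a shared CDN IP is a poor control for the
many-domains-to-many-IPs mapping described in the article. All domains, IPs
and verdicts below are constructed sample data."""
from collections import defaultdict

# Keywords RiskIQ used to flag COVID-19-themed newly registered domains (from the article).
COVID_KEYWORDS = ("coronav", "covid", "ncov", "pandemic", "vaccine", "virus")

def is_covid_themed(domain: str) -> bool:
    """True if the domain name contains one of the pandemic keywords (case-insensitive)."""
    d = domain.lower()
    return any(k in d for k in COVID_KEYWORDS)

def ip_block_impact(resolutions, malicious):
    """Per IP: how many malicious domains a block would hit and how many benign
    domains it would take down as collateral. resolutions is an iterable of
    (domain, ip) pairs; a domain may appear with several IPs."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    impact = {}
    for ip, domains in by_ip.items():
        bad = domains & malicious
        impact[ip] = {"blocked_malicious": len(bad),
                      "collateral_benign": len(domains) - len(bad)}
    return impact

def recommend_blocks(resolutions, malicious, max_collateral=0):
    """Return (IPs safe to block, malicious domains that must be blocked by name).
    A domain counts as covered by IP blocking only if ALL of its IPs are blocked,
    since a domain resolving to several IPs survives a partial block."""
    impact = ip_block_impact(resolutions, malicious)
    safe_ips = {ip for ip, v in impact.items()
                if v["blocked_malicious"] and v["collateral_benign"] <= max_collateral}
    ips_of = defaultdict(set)
    for domain, ip in resolutions:
        ips_of[domain].add(ip)
    covered = {d for d in malicious if ips_of[d] and ips_of[d] <= safe_ips}
    return safe_ips, sorted(malicious - covered)

# Constructed sample: one shared CDN edge IP and one IP used only by attacker domains.
SAMPLE_RESOLUTIONS = [
    ("covid19-relief-fund.example", "203.0.113.10"),    # shared CDN edge
    ("vaccine-update-portal.example", "203.0.113.10"),
    ("city-library.example", "203.0.113.10"),           # benign tenant on the same edge
    ("news-site.example", "203.0.113.10"),
    ("covid19-relief-fund.example", "198.51.100.7"),    # same domain, second IP
    ("ncov-tracker-login.example", "198.51.100.7"),     # IP with only malicious tenants
]
SAMPLE_MALICIOUS = {d for d, _ in SAMPLE_RESOLUTIONS
                    if is_covid_themed(d)}               # constructed verdicts
```

Run against the sample, only 198.51.100.7 is safe to block outright; the two domains sharing the CDN edge with benign tenants have to be blocked by name (DNS or URL filtering) rather than by IP.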
"With COVID-19 driving an increase in cloud adoption, we are seeing not only attacks targeting cloud users but also threats posed by the cloud. With thousands of malicious domains coming online every day, it is vital that we protect every endpoint with continuous surveillance and automated threat prevention tools," Chen wrote.
"However, cloud-hosted services or applications tend to give users less visibility and make network browsing more challenging. The problem becomes even more complicated when you work in a multi-cloud environment."