What public clouds are coronavirus-themed threats hiding in?

What public clouds are coronavirus-themed threats hiding in?

Of over 86,600 malicious new domains, 2,829 were found in public clouds

Credit: ID 101297509 © Nataliia Mysik |

Over 1,700 malicious coronavirus-themed domains are created every day, new research has found, and while the vast minority are being hosted in public clouds, they’re more likely to slip by some of the less-complex firewalls.

This is according to research conducted by Palo Alto Networks' threat intelligence team Unit 42, which analysed 1.2 million newly registered domain (NRD) names with keywords relating to the coronavirus pandemic, from 9 March to 26 April.

Of these, over 86,600 domains were categorised as “risky” or “malicious” according to Palo Alto Networks’ URL filtering efforts and augmented by its AutoFocus product, the WHOIS domain database and IP geolocation.

Most of the malicious domains were hosted in the US with 29,007 domains, followed by Italy with 2,877, Germany with 2,564 and Russia with 2,456, according to a blog post by Jay Chen, senior cloud vulnerability and exploit researcher at Unit 42. In comparison, Australia held only 534 malicious domains.

The vast majority of the malicious domains contained malware, at 79.8 per cent. Phishing attempts were next at 20 per cent, and then command and control (C2) malware made up the last 0.2 per cent.

The vast minority of the malicious domains were also found to be hosted in public clouds, at 2,829. Of these, most were hosted by Amazon Web Services (AWS) at 79.2 per cent. Google Cloud Platform (GCP) had 14.6 per cent, Microsoft Azure had 5.9 per cent and Alibaba had just 0.3 per cent.

Chen hypothesised that higher prices and stringent screening and monitoring processes were likely the reasons so few malicious domains were being hosted in public clouds.

However, the threat from domains in public clouds shouldn't be underestimated.

"Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack,” Chen said.

The analysis conducted by Unit 42 found in some cases that multiple domains could resolve to a single IP address and a single domain could be associated with multiple IP addresses.

As both scenarios involve multiple connections, malicious actors can skirt IP blacklisting from layer-3 firewalls and could render safe domains unreachable in the process, while stronger layer-7 firewalls may be able to separate the bad domains from the good ones, Chen said.

He explained that the first scenario typically occurs when domains are hosted in a content delivery network (CDN), like Amazon Cloudfront or Cloudflare.

“In a CDN, hundreds or thousands of domains in the nearby geographical location may resolve to the same IP of an edge server,” Chen said.

“CDNs reduce network latency and improve service availability by caching the static web content on edge servers.

“However, because a malicious domain shares the same IPs as other benign domains in the same CDN, it also acts as a cover for malicious domains.

“In our analysis, a Cloudflare IP 23.227.38[.]64 is associated with more than 150 risky or malicious domains. E.g., covid-safe[.]shop, cubrebocascovid[.]com, www.covidkaukes[.]lt, protection-contre-le- coronavirus[.]com. In the same dataset, more than 2,000 other benign domains also resolve to the same IP.”

Meanwhile, the second scenario may be the domain having a set of redundant hosts which all serve the same content, or it may also be in a CDN, Chen said.

“If a domain has multiple redundant hosts, a DNS will hold multiple A records for this domain,” he said.

If a domain is hosted in a CDN, the domain can resolve to different IP addresses based on the client's location. The IP of the closest edge server is always returned when a client queries DNS servers for this domain.

“In our analysis, the domain covid19-fr.johanrin[.]com resolves to 28 different IPs where each IP belongs to an Amazon CloudFront edge server. E.g., 52.85.151[.]68, 99.84.191[.]82, 13.249.44[.]82, 54.192.30[.]118.”

This research is the latest in a series of coronavirus-themed cybersecurity alerts.

Previous cybersecurity warnings preying on the fears of COVID-19 include scammers hijacking the Microsoft Office 365 and Adobe brands, text message scams, impersonation scams of local companies and international organisations, and fake antivirus software claiming to protect users from the biological virus.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags palo alto networksUnit 42



Show Comments