86,600+ malicious COVID-19 domains registered in seven weeks

From 9 March 2020 to 26 April 2020, Unit 42 analyzed 1.2 million newly registered domain names containing keywords related to the COVID-19 pandemic. 86,600+ domains were classified as “risky” or “malicious”, spread across various regions.

The United States had the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456). Hong Kong and China recorded a combined 931 malicious domains.

Unit 42 researchers found 56,200+ newly registered domains were hosted on Amazon Web Services (70.1%), Google Cloud Platform (24.6%), Microsoft Azure (5.3%), and Alibaba (less than 0.1%).

Some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks and can make IP-based firewalls ineffective.

Other notable findings:

On average, 1,767 malicious COVID-19 themed domains were created every day.
Of the 86,600+ domains, 2,829 domains hosted in public clouds were found as risky or malicious
- AWS: 78.2%
- GCP: 14.6%
- Azure: 5.9%
- Alibaba: 0.3%
Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds.

Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack. Organizations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments.

Companies like Palo Alto Networks continuously monitors malicious newly registered domains. Prisma Cloud and VM-Series both provide layer-7 firewall capabilities in cloud environments to prevent malicious activities from these domains.