COVID-19 attack campaigns target hardest hit regions, research shows


Attackers continue to exploit people’s fears about the COVID-19 pandemic to increase the success rate of their malicious campaigns, including in the enterprise space. New research from security companies shows that cybercriminals are focusing their attacks on countries and regions that were hit hardest by the coronavirus and on industry verticals that are under major economic pressure.

With many employees now working from home, often from personal devices, the risk of malware infections and credential compromises is significantly higher. Companies should take steps to ensure that remote access to their corporate applications and data is carefully monitored, follows least privilege principles and is done from secure devices using multi-factor authentication (MFA).

A surge in COVID-19-related domains

According to a new report from Palo Alto Networks, over 1.2 million domain names containing keywords related to the COVID-19 pandemic have been registered between March 9 and April 26. Of those, more than 86,600 were classified as risky or malicious with high concentrations hosted in the United States (29,007), Italy (2,877), Germany (2,564) and Russia (2,456). On average, 1,767 new malicious COVID-19 themed domains are being created every day.

“During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains,” the Palo Alto researchers said. “This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective.”

CDNs reduce latency and improve website performance by directing website visitors to their nearest regional edge server. Those edge servers deliver cached versions of the sites, which takes the load off their origin servers. Attackers can take advantage of this performance-enhancing behavior for cover, hiding their malicious websites among legitimate ones and making it harder for defenders to block them. That’s because blacklisting the IP address of a CDN edge server in a firewall will also block non-malicious domain names that point to the same server.

Another consequence of using CDNs and cloud-based hosting services is that domain names are configured with multiple DNS A records that point to several IP addresses. This is done for redundancy but also to direct computers to the nearest server when they perform DNS lookups. This, too, makes it hard to block malicious websites by IP address, since they can point to different ones depending on the client’s geolocation.
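The two effects described above (one edge IP serving many domains, and one domain spread across several A records) can be measured directly from resolution data. The following Python script is an added example written for this article, not code from Palo Alto Networks or IDG: it builds the many-to-many domain/IP mapping from a handful of constructed passive-DNS style records (reserved `.test` names and RFC 5737 documentation addresses, not real observations), then shows both failure modes of an IP-based block: the benign domains that would be cut off as collateral, and the malicious domains that stay reachable through an address that was not blocked. Blocking by domain name, by contrast, hits only the listed names.

```python
from collections import defaultdict

# Constructed sample records: (domain, resolved IPv4 address).
# Names use the reserved .test TLD and addresses come from the RFC 5737
# documentation ranges; nothing here is real observed data.
RECORDS = [
    ("covid-relief-example.test", "203.0.113.10"),   # malicious, two A records
    ("covid-relief-example.test", "203.0.113.11"),
    ("vaccine-news-example.test", "203.0.113.10"),   # benign, shares an edge IP
    ("hospital-example.test", "203.0.113.11"),       # benign, two A records
    ("hospital-example.test", "198.51.100.5"),
    ("corona-map-example.test", "198.51.100.5"),     # malicious
    ("intranet-example.test", "198.51.100.20"),      # benign, dedicated IP
]

# Constructed label set standing in for a threat-intel feed.
MALICIOUS = {"covid-relief-example.test", "corona-map-example.test"}


def build_maps(records):
    """Return (domain -> set of IPs, IP -> set of domains) from resolution records."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        domain_to_ips[domain].add(ip)
        ip_to_domains[ip].add(domain)
    return dict(domain_to_ips), dict(ip_to_domains)


def shared_ips(records):
    """IPs that serve more than one domain: the many-to-many case a CDN edge creates."""
    _, ip_to_domains = build_maps(records)
    return {ip for ip, doms in ip_to_domains.items() if len(doms) > 1}


def ip_block_collateral(records, malicious):
    """Block every IP the malicious domains resolve to, and report, per blocked IP,
    the benign domains that would be cut off as a side effect."""
    domain_to_ips, ip_to_domains = build_maps(records)
    blocked = set()
    for domain in malicious:
        blocked |= domain_to_ips.get(domain, set())
    return {ip: sorted(ip_to_domains[ip] - malicious) for ip in sorted(blocked)}


def still_reachable(records, blocked_ips, malicious):
    """Malicious domains that keep at least one A record outside the IP blocklist."""
    domain_to_ips, _ = build_maps(records)
    blocked_ips = set(blocked_ips)
    return {d for d in malicious if domain_to_ips.get(d, set()) - blocked_ips}


def compare_strategies(records, malicious):
    """Summarise benign collateral for IP-based versus name-based blocking."""
    domain_to_ips, _ = build_maps(records)
    collateral = ip_block_collateral(records, malicious)
    benign_by_ip = sorted({d for doms in collateral.values() for d in doms})
    # A name-based block matches only the listed names, so any benign
    # domain it hits would have to be in the list itself.
    blocked_by_name = {d for d in domain_to_ips if d in malicious}
    benign_by_name = sorted(blocked_by_name - malicious)
    return {
        "ips_blocked": sorted(collateral),
        "benign_hit_by_ip_block": benign_by_ip,
        "benign_hit_by_name_block": benign_by_name,
    }


if __name__ == "__main__":
    print("shared edge IPs:", sorted(shared_ips(RECORDS)))
    print("collateral per blocked IP:", ip_block_collateral(RECORDS, MALICIOUS))
    print("partial IP block leaves reachable:",
          sorted(still_reachable(RECORDS, {"203.0.113.10"}, MALICIOUS)))
    print(compare_strategies(RECORDS, MALICIOUS))
```

Run against a real passive-DNS export, `ip_block_collateral` is the list a firewall owner should review before adding a CDN address to a blocklist, and a non-empty `still_reachable` result is the signal that a DNS-layer or proxy block on the name is needed rather than a per-address rule.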

Copyright © 2020 IDG Communications, Inc.
