Unit 42 discovers over 300 COVID-19-themed malware in public cloud environments

Researchers at Unit 42, the global threat intelligence team of cybersecurity solutions company Palo Alto Networks, identified more than 300 malware samples taking advantage of the COVID-19 pandemic. Network traffic from all known Prisma Cloud environments was then queried against the 20 suspicious IP addresses and domains extracted from those samples, and a total of 453,074 unique network connections were identified between March 1 and April 7, 2020.

Unit 42 said it found seven IP (internet protocol) addresses “which gave a high likelihood of positive malware communications with cloud infrastructure.” There is a possibility that these communications “contain malicious transmissions to and from infrastructure known to host COVID-19 related operations.”

The researchers were not able to view the network traffic itself or obtain the corresponding malware samples, which prevented them from verifying whether the 27 identified organizations running cloud environments had actually been compromised.

Unit 42 used AutoFocus, one of Palo Alto Networks’ malware-based threat intelligence tools. Through it, the researchers monitored malware samples that established network connections to domains containing at least one of the following keywords: “Corona”, “COVID”, “Pandemic”, or “Virus.” They then analyzed the metadata of those network connections and compared it against the network traffic records that Palo Alto Networks Prisma Cloud maintains.

The tool returned more than 446 malware samples that made network connections to COVID-19-themed domains. Unit 42 researchers said the samples yielded 20 unique domains and hard-coded IP addresses that could potentially serve or maintain the malware infrastructure.
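The hunting workflow described above (keyword-match sandbox connections, pull the destinations of matching samples as indicators, then match those indicators against cloud flow records and count unique connections per organization) can be expressed as a small script. The following is an added example written for this article, not Unit 42's or Palo Alto Networks' code; the sandbox connection records, flow records, organization ids, sample ids and all IP addresses and domains are constructed for illustration (documentation ranges and `.example` names), and the record layouts are assumptions.

```python
import ipaddress
from collections import defaultdict

# Keywords Unit 42 used to select COVID-themed domains (matched case-insensitively).
KEYWORDS = ("corona", "covid", "pandemic", "virus")

# Constructed sample: destinations contacted by sandboxed malware samples,
# as (sample_id, destination). Destination is a domain or a hard-coded IP.
# Sample ids and destinations are invented for this example.
SANDBOX_CONNECTIONS = [
    ("sample-0001", "update.corona-tracker.example"),
    ("sample-0001", "198.51.100.23"),
    ("sample-0002", "covid19-map.example"),
    ("sample-0003", "cdn.legit-updates.example"),   # not themed: sample is dropped
    ("sample-0004", "PANDEMIC-relief.example"),
    ("sample-0004", "198.51.100.23"),
    ("sample-0005", "203.0.113.7"),                 # IP only, no themed domain: dropped
]

# Constructed sample: cloud flow records as (org_id, src_ip, dst, bytes).
CLOUD_FLOWS = [
    ("org-A", "10.0.1.5", "198.51.100.23", 4120),
    ("org-A", "10.0.1.5", "198.51.100.23", 4120),   # repeat of the same connection
    ("org-A", "10.0.2.9", "update.corona-tracker.example", 880),
    ("org-B", "10.8.0.3", "cdn.legit-updates.example", 15000),
    ("org-C", "10.3.3.3", "covid19-map.example", 2210),
    ("org-C", "10.3.3.3", "203.0.113.7", 96),
]


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address, else it is treated as a domain."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def themed(domain):
    """Keyword match on the domain name only; IPs are never 'themed' by themselves."""
    d = domain.lower()
    return any(k in d for k in KEYWORDS)


def extract_iocs(connections):
    """Return (themed_sample_ids, ioc_set).

    A sample qualifies when at least one destination is a domain containing a
    keyword. Every destination of a qualifying sample, including hard-coded IPs,
    becomes a candidate infrastructure indicator (lower-cased for matching).
    """
    by_sample = defaultdict(set)
    for sample, dst in connections:
        by_sample[sample].add(dst)
    themed_samples = {
        s for s, dsts in by_sample.items()
        if any(not is_ip(d) and themed(d) for d in dsts)
    }
    iocs = set()
    for s in themed_samples:
        iocs.update(d.lower() for d in by_sample[s])
    return themed_samples, iocs


def match_flows(flows, iocs):
    """Return (unique_connection_count, {org_id: sorted matched destinations}).

    A unique connection is a distinct (org, src_ip, dst) tuple, so repeated flows
    between the same endpoints are counted once, as in the report's tally.
    """
    seen = set()
    hits = defaultdict(set)
    for org, src, dst, _bytes in flows:
        key = (org, src, dst.lower())
        if key[2] in iocs and key not in seen:
            seen.add(key)
            hits[org].add(key[2])
    return len(seen), {org: sorted(dsts) for org, dsts in hits.items()}


if __name__ == "__main__":
    samples, iocs = extract_iocs(SANDBOX_CONNECTIONS)
    count, per_org = match_flows(CLOUD_FLOWS, iocs)
    print(f"{len(samples)} themed samples -> {len(iocs)} indicators")
    print(f"{count} unique connections across {len(per_org)} organizations")
    for org, dsts in sorted(per_org.items()):
        print(f"  {org}: {', '.join(dsts)}")
```

A match here means only that a tenant's traffic reached infrastructure associated with a themed sample; as the article notes, without the traffic payloads or the samples themselves, such a hit is a lead for investigation, not confirmation of compromise.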

Palo Alto Networks advises organizations to use security tools according to the needs of their cloud environments.

Palo Alto Networks Next-Generation Firewalls, both hardware and VM-Series, can block network traffic to the identified IP addresses and domains, as well as block any of the malware samples listed in the report.

Threat intelligence

Prisma Cloud combines AutoFocus with its ability to monitor cloud endpoints, detect malicious actions, and alert upon critical vulnerabilities. Prisma Cloud is able to monitor and protect single, hybrid, and multi-cloud environments using proven threat intelligence.

Cloud Native Security Platforms offer organizations the ability to deliver secure cloud infrastructure while retaining the hallmarks of cloud: security automation, secure scalability, manageability, and secure on-demand resourcing.

Every Infrastructure-as-Code (IaC) template used within both development and production environments should be scanned for misconfigurations and vulnerabilities prior to its use. According to the Unit 42 Cloud Threat Report: Spring 2020, more than 42% of all IaC templates pulled from GitHub contain at least one misconfiguration or vulnerability.
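To make the scanning recommendation concrete, the following is an added example, not code from Unit 42 or Palo Alto Networks: a minimal rule-based scanner over a CloudFormation template in JSON form, run against a constructed template carrying two common misconfigurations (an administrative port open to the world and a publicly readable bucket) and against the corrected version of the same template. The templates, resource names and the rule ids (`SG-001`, `S3-001`, `S3-002`) are all invented for this example; intrinsic functions such as `Ref` are not resolved.

```python
import json

ADMIN_PORTS = {22, 3389}                      # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed template with two misconfigurations: SSH open to 0.0.0.0/0 and a
# bucket with a public ACL and no public-access block.
WEAK_TEMPLATE = json.dumps({
    "Resources": {
        "WebSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
    }
})

# The corrected template: SSH restricted to an internal range, bucket private
# with every public-access block enabled.
FIXED_TEMPLATE = json.dumps({
    "Resources": {
        "WebSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
            },
        },
    }
})


def _port(value, default):
    """Ports may be intrinsic functions (dicts); only literal ints are evaluated."""
    return value if isinstance(value, int) else default


def _rule_open_admin_ingress(name, props):
    """SG-001: world-reachable ingress that covers an admin port or all traffic."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue
        lo, hi = _port(rule.get("FromPort"), 0), _port(rule.get("ToPort"), 65535)
        all_traffic = str(rule.get("IpProtocol")) == "-1"
        if all_traffic or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield (name, "SG-001", f"ingress from {cidr} reaches port range {lo}-{hi}")


def _rule_public_bucket(name, props):
    """S3-001: public canned ACL. S3-002: public-access block not fully enabled."""
    if props.get("AccessControl") in PUBLIC_ACLS:
        yield (name, "S3-001", f"bucket ACL {props['AccessControl']} grants public access")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        yield (name, "S3-002", "PublicAccessBlockConfiguration does not block all public access")


RULES = {
    "AWS::EC2::SecurityGroup": _rule_open_admin_ingress,
    "AWS::S3::Bucket": _rule_public_bucket,
}


def scan_template(template_text):
    """Return a list of (resource_name, rule_id, message) findings for a JSON template."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rule = RULES.get(resource.get("Type"))
        if rule:
            findings.extend(rule(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        findings = scan_template(text)
        print(f"{label}: {len(findings)} finding(s)")
        for resource, rule_id, message in findings:
            print(f"  {rule_id} {resource}: {message}")
```

Wiring a check like this into the pipeline step that renders or applies templates, and failing the build on any finding, is what "scanned prior to its use" amounts to in practice; production scanners carry far more rules and resolve intrinsic functions, but the shape is the same.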