Researchers at Unit 42, the global threat intelligence team of cybersecurity solutions company Palo Alto Networks, put the pandemic period to use by gathering more than 300 malware samples. Network traffic from all known Prisma Cloud environments was scanned against 20 suspicious domains and IP addresses, and a total of 453,074 unique network connections were identified between 1 March and 7 April 2020.

Seven IP (internet protocol) addresses, “which gave a high likelihood of positive malware communications with cloud infrastructure,” were detected by Unit 42. There is a likelihood that these communications “contain malicious transmissions to and from infrastructure known to host COVID-19 related operations.”

Researchers were unable to view the network traffic or obtain the malware samples, which prevented them from verifying whether the 27 identified cloud-based organizations had been compromised.

Unit 42 used AutoFocus, Palo Alto Networks’ malware-based threat intelligence research tool. It lets researchers monitor malware samples that have established network connections to domains containing one of the following keywords: “Corona,” “COVID,” “Pandemic,” or “Virus.” The metadata of those network connections was then analyzed and compared with the network traffic that Palo Alto Networks’ Prisma Cloud maintains.


Using the AutoFocus tool, researchers identified more than 446 malware samples whose network connections matched COVID-19-themed domains. Unit 42 researchers reported that these samples yielded 20 unique domains and hard-coded IP addresses that could potentially serve or maintain the malware infrastructure.
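The two steps described above, picking out connections to domains that contain one of the theme keywords and correlating cloud network records against a watchlist of suspicious domains and IP addresses over the reporting window, can be expressed as a small detection script. This is an added example, not Unit 42's tooling or data: the connection records and the watchlist entries are constructed placeholders (documentation-only addresses and reserved example domains), and only the keyword list and the date window come from the article.

```python
"""Correlate cloud network-connection records with COVID-themed domain
keywords and a watchlist of indicators.  Added example: the records and
the watchlist below are constructed placeholders, not Unit 42 data."""
import re
from collections import Counter
from datetime import datetime

# Keywords the report says were used to pick out themed domains (matched case-insensitively).
THEME_KEYWORDS = ("corona", "covid", "pandemic", "virus")

# Constructed watchlist standing in for the "suspicious domains and IP addresses"
# the report mentions.  TEST-NET-3 address and reserved example domain only.
WATCHLIST = {
    "203.0.113.7",
    "covid-update.example.net",
}

# Constructed connection records: timestamp, cloud workload source, destination, port.
SAMPLE_RECORDS = """\
2020-03-02T10:15:00Z src=10.0.1.5 dst=203.0.113.7 port=443
2020-03-02T10:15:04Z src=10.0.1.5 dst=203.0.113.7 port=443
2020-03-15T08:01:12Z src=10.0.2.9 dst=corona-map.example.org port=80
2020-03-20T23:59:59Z src=10.0.3.3 dst=update.example.com port=443
2020-04-07T12:00:00Z src=10.0.1.5 dst=covid-update.example.net port=443
2020-04-09T12:00:00Z src=10.0.1.5 dst=203.0.113.7 port=443
"""

RECORD_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$")

# Reporting window from the article: 1 March to 7 April 2020, inclusive.
WINDOW_START = datetime(2020, 3, 1)
WINDOW_END = datetime(2020, 4, 7, 23, 59, 59)


def parse_records(text):
    """Yield a dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def is_themed_domain(dst):
    """True if the destination name contains one of the theme keywords."""
    return any(k in dst.lower() for k in THEME_KEYWORDS)


def correlate(text, watchlist=WATCHLIST, start=WINDOW_START, end=WINDOW_END):
    """Return (unique_connections, hits) for records inside the reporting window.

    unique_connections counts distinct (src, dst, port) tuples, the way the
    report counts "unique network connections".  hits maps each flagged
    destination to the internal sources that talked to it and the reasons
    it was flagged ("watchlist" and/or "keyword")."""
    unique = set()
    hits = {}
    for rec in parse_records(text):
        if not (start <= rec["ts"] <= end):
            continue
        unique.add((rec["src"], rec["dst"], rec["port"]))
        reasons = []
        if rec["dst"] in watchlist:
            reasons.append("watchlist")
        if is_themed_domain(rec["dst"]):
            reasons.append("keyword")
        if reasons:
            entry = hits.setdefault(rec["dst"], {"sources": set(), "reasons": set()})
            entry["sources"].add(rec["src"])
            entry["reasons"].update(reasons)
    return len(unique), hits


if __name__ == "__main__":
    count, flagged = correlate(SAMPLE_RECORDS)
    print(f"{count} unique connections in window")
    for dst, info in flagged.items():
        print(dst, sorted(info["reasons"]), sorted(info["sources"]))
```

A hit on the watchlist is a stronger signal than a keyword match alone, which is why the script records both reasons separately: a destination flagged for both is the kind of "high likelihood" communication the report singles out, while a keyword-only match (a legitimate pandemic information site, for instance) needs further review before it is treated as compromise.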

Palo Alto Networks is of the view that organizations should utilize security tools based on the needs of the cloud environment.

Palo Alto Networks Next-Generation Firewalls, both hardware and VM-Series, can block network traffic to the known IP addresses and domains, and block any of the recorded malware samples.

Threat intelligence

Prisma Cloud combines the capabilities of AutoFocus to monitor cloud endpoints, detect malicious activity, and alert on critical vulnerabilities. Using validated threat intelligence, Prisma Cloud can track and secure single, hybrid, and multi-domain environments.

Cloud Native Security Platforms give organizations the ability to deliver secure cloud infrastructure while simultaneously making use of cloud hallmarks such as security automation, secure scalability, manageability, and secure on-demand resourcing.

Any Infrastructure-as-Code (IaC) template used in development or production environments should be tested for misconfigurations and vulnerabilities before use.

According to the Unit 42 Cloud Threat Report: Spring 2020, more than 42% of all IaC templates pulled from GitHub contain at least one misconfiguration or vulnerability.
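As an illustration of testing an IaC template before use, the following added example scans a CloudFormation-style JSON template for two common misconfigurations: an ingress rule that exposes an administrative port to the whole internet, and an S3 bucket declared without encryption settings. The template is constructed for this example, the two checks are deliberately simple stand-ins for a full policy set, and none of it is code from Unit 42 or Prisma Cloud.

```python
"""Minimal pre-deployment check for a CloudFormation-style JSON template.
Added example with a constructed template; the checks are intentionally
simple and only illustrate the idea of testing IaC before use."""
import json
from ipaddress import ip_network

# Constructed template: one security group open to the world on SSH,
# one correctly restricted, and one S3 bucket without encryption settings.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
                ]
            },
        },
        "WebSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ]
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-logs"},
        },
    }
})

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def is_world_open(cidr):
    """True for a CIDR that covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(name, props):
    """Flag ingress rules that expose an admin port to a world-open CIDR."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if not cidr or not is_world_open(cidr):
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{name}: ports {exposed} open to {cidr}")
    return findings


def check_bucket(name, props):
    """Flag buckets that declare no server-side encryption configuration."""
    if "BucketEncryption" not in props:
        return [f"{name}: S3 bucket has no BucketEncryption configured"]
    return []


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
}


def scan_template(template_json):
    """Return a list of findings for every resource with a registered check."""
    doc = json.loads(template_json)
    findings = []
    for name, res in doc.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running the scan in a CI step and failing the build on any finding is the practical form of "test before use"; the WebSG resource shows why the port check matters, since a world-open rule on 443 is expected for a web tier while the same CIDR on port 22 is not.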