Security experts release curated lists to block COVID-19 threats

Thousands of experts and researchers from round the world, including Australia and New Zealand, who have joined forces to collaborate and share information on cyber security have released a network blocklist to help stop attacks abusing the COVID-19 pandemic.

Known as the Cyber Threat Coalition (CTC), the security researchers have released an initial version of curated data sets that anyone can use to halt COVID-19 related cyber crime.

The downloadadble blocklist is vetted by the CTC to help avoid false positives. 

Currently, data sets are populated with domains and uniform resource locators (URLs) used by criminals such as ransomware extortionists and scammers to prey on people, businesses and governments.

Lists of internet protocol addreses and hashes have not yet been released.

The Asia Pacific Network Information Centre's security specialit Adli Wahid explained to iTnews that the blocklists can be used for several purposes.

These include the popular Pi-Hole security device that can act as a domain name system (DNS) sinkhole to prevent access to malicious sites.

It can also be used in large DNS deployments with the Berkeley Internet Name Domain (BIND) server, with administrators setting up special zones to ensure that malicious sites either do not resolve for users, or redirect to a landing page that warns they are harmful, Wahid said.

Wahid said the lists are used by the Quad9 nonprofit public domain name resolution service operated by IBM, Packet Clearing House and Global Cyber Alliance, which is free for everyone to use to block threats.

Users who operate threat intelligence platforms such as the open source Malware Information Sharing Platform (MISP) can get feeds with the blocklist, Wahid said.

The MISP feeds can be used to create intrusion detection system (IDS) rules for applications such as Snort, to detect and block attacks.

People hunting the criminals could also make use of the lists, Wahid said.

"Another community that can use the blocklist include researchers who try to find who are behind the attacks, and who try to detect patterns in the data to reveal for example domain generation algorithms (DGAs) which helps defenders predict how malicious sites are registered, and prevent this from happening," Wahid said.

While the data is vetted to prevent false positives, Wahid hopes that in the future the lists will have time and date stamps on them that show when they were added.

This would be helpful for security information and event managment (SIEM) and analytics purposes, as researchers could focus on just a subset of data delineated by time, Wahid suggested.