Chinese ‘Infrastructure Laundering’ Tactics Exploiting AWS and Microsoft Azure


2025-02-04

In recent months, security researchers have documented a trend in which infrastructure from well-known cloud providers such as AWS and Microsoft Azure is rented and abused for criminal activity. The practice, dubbed "infrastructure laundering," lets threat actors hide their operations behind legitimate, widely trusted services, which makes detection and blocking much harder for defenders. A China-based content delivery network (CDN) called Funnull sits at the center of the scheme, using cloud resources from Amazon and Microsoft to front a large number of criminal websites. The following article summarizes these findings and discusses their implications.

Summary

Researchers have linked Funnull, a China-based CDN, to a technique they call "infrastructure laundering": renting IP addresses from mainstream hosting providers such as Amazon Web Services (AWS) and Microsoft Azure and mapping those addresses to criminal websites used for scams and fraud.

More than 1,200 IP addresses from AWS and around 200 from Microsoft have been identified in this role, but Funnull rotates them constantly to stay ahead of detection. The providers do flag and suspend the abused addresses, yet suspensions lag behind the rotation, so the malicious activity continues. Because the same provider ranges also carry large volumes of legitimate traffic, defenders cannot block them wholesale without disrupting normal service; blocking has to be done per domain or per address, and the addresses keep changing.

Funnull's operation spans more than 200,000 domains, most of them tied to investment scams, fake trading apps, and money-laundering services. Funnull has also been implicated in earlier incidents, including supply chain attacks and data theft attempts. Both AWS and Microsoft are aware of the activity, but their account suspensions have struggled to keep pace with how quickly Funnull replaces fraudulently obtained cloud resources.

What Undercode Say:

The discovery of "infrastructure laundering" marks a notable shift in how cybercriminals use legitimate cloud resources. At first glance it looks like a simple case of fraud, but the implications run deeper. Funnull's abuse of AWS and Microsoft Azure highlights a fundamental challenge in cloud security: the blending of legitimate and malicious traffic on the same provider networks.

The technique is effective because it borrows the reputation of trusted cloud providers to obscure the true nature of the activity. Since AWS and Azure serve a huge number of legitimate businesses, defenders cannot block or blacklist entire provider ranges without harming normal users. By cycling through fresh IP addresses, the attackers "wash" their infrastructure and stay one step ahead of reputation-based blocking.
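As an added illustration (not code from the original report or from the researchers it cites), here is one way a defender can act on the two points above: classify resolved IPs against provider prefix lists, flag domains that cycle through several cloud IPs in a short window, and pivot on shared IPs to link related domains, so that blocking happens per domain rather than per provider range. Everything in the block is constructed: RFC 5737 documentation ranges stand in for real AWS and Azure allocations, the domains and resolution history are invented, and the thresholds are assumptions to tune.

```python
"""Heuristic for spotting domains that cycle through cloud provider IPs.

Constructed example: the prefixes, domains and resolution history below are
made up for illustration (RFC 5737 documentation ranges stand in for real
AWS/Azure allocations). In practice the prefix table would be flattened from
the providers' published range lists and the records taken from passive DNS.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical provider prefix table, shaped like (provider, CIDR) pairs
# flattened from AWS's ip-ranges.json and Azure's ServiceTags JSON.
CLOUD_PREFIXES = [
    ("AWS", ipaddress.ip_network("203.0.113.0/24")),
    ("Azure", ipaddress.ip_network("198.51.100.0/24")),
]

# Constructed passive-DNS style observations: (first_seen, domain, resolved IP).
SAMPLE_RECORDS = [
    ("2025-01-20", "trade-profit-app.example", "203.0.113.10"),
    ("2025-01-21", "trade-profit-app.example", "203.0.113.57"),
    ("2025-01-22", "trade-profit-app.example", "198.51.100.8"),
    ("2025-01-23", "trade-profit-app.example", "203.0.113.201"),
    ("2025-01-24", "trade-profit-app.example", "198.51.100.77"),
    ("2025-01-21", "crypto-bonus.example", "203.0.113.57"),
    ("2025-01-23", "crypto-bonus.example", "203.0.113.201"),
    ("2025-01-25", "crypto-bonus.example", "198.51.100.77"),
    ("2025-01-20", "shop.legit.example", "192.0.2.15"),   # not in any cloud prefix
    ("2025-01-24", "shop.legit.example", "192.0.2.15"),
    ("2025-01-20", "www.bigsite.example", "203.0.113.5"),  # one stable cloud IP
    ("2025-01-25", "www.bigsite.example", "203.0.113.5"),
]


def classify_ip(ip):
    """Return the provider name for ip, or None if it is outside known prefixes."""
    addr = ipaddress.ip_address(ip)
    for provider, net in CLOUD_PREFIXES:
        if addr in net:
            return provider
    return None


def find_rotating_domains(records, window_days=7, min_cloud_ips=3):
    """Flag domains seen on >= min_cloud_ips distinct cloud IPs within window_days.

    Returns {domain: list of cloud IPs seen in the first qualifying window}.
    """
    by_domain = defaultdict(list)
    for ts, domain, ip in records:
        if classify_ip(ip) is not None:
            by_domain[domain].append((datetime.strptime(ts, "%Y-%m-%d"), ip))
    window = timedelta(days=window_days)
    flagged = {}
    for domain, seen in by_domain.items():
        seen.sort()
        # Sliding window: from each observation, collect IPs seen within the window.
        for i, (start, _) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if ts - start <= window}
            if len(ips) >= min_cloud_ips:
                flagged[domain] = sorted(ips, key=ipaddress.ip_address)
                break
    return flagged


def shared_ips(records, domains):
    """IPs used by more than one of the given domains: the pivot that links a cluster."""
    users = defaultdict(set)
    for _, domain, ip in records:
        if domain in domains:
            users[ip].add(domain)
    return {ip: sorted(d) for ip, d in users.items() if len(d) > 1}


if __name__ == "__main__":
    rotating = find_rotating_domains(SAMPLE_RECORDS)
    for domain, ips in rotating.items():
        print(f"{domain}: {len(ips)} cloud IPs in window -> block by domain")
    for ip, doms in shared_ips(SAMPLE_RECORDS, set(rotating)).items():
        print(f"{ip} ({classify_ip(ip)}) shared by {doms}")
```

`find_rotating_domains` yields a domain-level block list, and `shared_ips` shows which flagged domains sit on the same rented addresses, which is how a scam-site cluster is linked without touching the provider ranges themselves. The thresholds (three cloud IPs in seven days) are a starting point, not a rule: CDNs and load balancers also rotate addresses legitimately, so the output should be reviewed rather than blocked automatically.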

The term "infrastructure laundering" should not be misread, however. AWS and Microsoft end up supplying resources to Funnull's criminal operations, but they are not knowingly facilitating or "cleaning" them. The services are being abused through fraudulently created accounts, which the report attributes to stolen credentials. That distinction matters for the defensive lesson: multi-factor authentication (MFA) and tight control over cloud accounts protect a legitimate customer's tenancy from being taken over and used in this way, while accounts opened fresh under a false identity can only be caught by the provider's own abuse detection.

Despite AWS's statement that customers face no immediate risk, businesses should stay vigilant. The use of stolen accounts and credentials to get around security controls shows attackers capitalizing on weak authentication practices. It is a reminder of basic cloud hygiene: regular account reviews, audits of account activity (console logins without MFA, unexpected resource allocation), and employee training to recognize suspicious behavior.
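As an added example of the activity audit suggested above (not from the original article), the following block checks CloudTrail-style events for two signals: console logins that succeeded without MFA, and a single identity allocating Elastic IP addresses in a burst, the kind of churn to expect when an account is being used to rotate addresses. The events are constructed in the shape of real CloudTrail records; the user names, IPs, timestamps and the burst threshold are assumptions.

```python
"""Account-activity audit over CloudTrail-style events (constructed sample).

The event dictionaries mirror the field names CloudTrail uses for ConsoleLogin
and EC2 AllocateAddress records; the identities, IPs and times are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _login(ts, user, mfa, ip, outcome="Success"):
    # Build a signin.amazonaws.com ConsoleLogin record.
    return {
        "eventTime": ts, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root" if user == "root" else "IAMUser", "userName": user},
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": outcome},
        "sourceIPAddress": ip,
    }


def _allocate(ts, user, ip):
    # Build an ec2.amazonaws.com AllocateAddress record (Elastic IP allocation).
    return {
        "eventTime": ts, "eventSource": "ec2.amazonaws.com", "eventName": "AllocateAddress",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
    }


# Constructed events: one MFA login, one non-MFA login, a failed root login,
# and a run of Elastic IP allocations by "bob" within a few minutes.
SAMPLE_EVENTS = [
    _login("2025-01-20T08:00:00Z", "alice", "Yes", "192.0.2.10"),
    _login("2025-01-20T09:15:00Z", "bob", "No", "198.51.100.23"),
    _login("2025-01-20T09:20:00Z", "root", "No", "198.51.100.23", outcome="Failure"),
    _allocate("2025-01-20T09:30:00Z", "alice", "192.0.2.10"),
    _allocate("2025-01-20T09:31:00Z", "bob", "198.51.100.23"),
    _allocate("2025-01-20T09:32:00Z", "bob", "198.51.100.23"),
    _allocate("2025-01-20T09:33:00Z", "bob", "198.51.100.23"),
    _allocate("2025-01-20T09:34:00Z", "bob", "198.51.100.23"),
    _allocate("2025-01-20T09:35:00Z", "bob", "198.51.100.23"),
]


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def actor(event):
    """Readable identity: 'root', an IAM user name, or the ARN for assumed roles."""
    ident = event["userIdentity"]
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def logins_without_mfa(events):
    """Successful console logins where CloudTrail recorded MFAUsed == 'No'."""
    hits = []
    for e in events:
        if e["eventName"] != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts are a separate signal, not an MFA gap
        if e.get("additionalEventData", {}).get("MFAUsed") == "No":
            hits.append((actor(e), e["sourceIPAddress"], e["eventTime"]))
    return hits


def allocation_bursts(events, window_minutes=10, threshold=5):
    """Identities that allocated >= threshold Elastic IPs within window_minutes."""
    times = defaultdict(list)
    for e in events:
        if e["eventSource"] == "ec2.amazonaws.com" and e["eventName"] == "AllocateAddress":
            times[actor(e)].append(_when(e))
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for who, ts in times.items():
        ts.sort()
        # Sliding window: count allocations from each start point within the window.
        for i, start in enumerate(ts):
            n = sum(1 for t in ts[i:] if t - start <= window)
            if n >= threshold:
                bursts[who] = max(bursts.get(who, 0), n)
    return bursts


if __name__ == "__main__":
    for who, ip, ts in logins_without_mfa(SAMPLE_EVENTS):
        print(f"non-MFA console login: {who} from {ip} at {ts}")
    for who, n in allocation_bursts(SAMPLE_EVENTS).items():
        print(f"EIP allocation burst: {who} allocated {n} addresses within 10 minutes")
```

Both checks are cheap to run over a day's CloudTrail export and map directly to the controls named above: a non-MFA login is a credential-hygiene finding, and an allocation burst from an identity that normally never touches EC2 networking is the sort of "unexpected resource allocation" an account review should question before the addresses are handed to someone else's traffic.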

For cloud service providers, the case highlights the need for faster detection and suspension of abusive accounts, since the gap between rotation and takedown is what keeps the scheme profitable. As cloud infrastructure continues to dominate business IT, providers and their customers need to work together to curb this kind of abuse.

The sheer scale of Funnull's operation, with hundreds of thousands of domains used for scams, shows how industrialized cybercrime networks have become. These actors are not only running scams but also laundering money through shell websites and gambling platforms that prey on unsuspecting victims. This nexus of criminal activity shows how deeply cybercrime has become entangled with legitimate digital infrastructure.

In conclusion, the findings about Funnull's abuse of AWS and Microsoft Azure resources underline the need for continued vigilance in cloud security. As attackers find new ways to exploit legitimate services, businesses and cloud providers alike must strengthen their defenses, improve monitoring, and protect the integrity of their networks. Preventing such abuse depends not only on technical controls but also on a culture of awareness and proactive defense across the whole security ecosystem.

References:

Reported By: https://www.darkreading.com/cloud-security/chinese-infrastructure-laundering-abuses-aws-microsoft-cloud

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help