Exploitation of Cloud Platforms for Cybercrime: FUNNULL’s Infrastructure Laundering Scheme

Listen to this Post

2025-02-05

Cybercriminals have continuously evolved in their methods to bypass security systems, and a recent report by cybersecurity firm Silent Push has uncovered a troubling development: the exploitation of mainstream cloud platforms like Amazon Web Services (AWS) and Microsoft Azure for illegal activities. This practice, known as infrastructure laundering, allows malicious actors to hide their operations behind seemingly legitimate services, making it difficult for defenders to detect and mitigate their efforts. A Chinese Content Delivery Network (CDN) named FUNNULL has been central to this growing threat, using cloud platforms to run cybercrime operations undetected.

Summary

Silent Push’s investigation revealed a significant security flaw: FUNNULL has leased over 1,400 IP addresses from AWS and Microsoft, masking over 200,000 unique hostnames used for malicious activities. These activities include phishing, investment scams, and money laundering schemes, all hosted on shell websites. A major hurdle for cybersecurity teams is FUNNULL’s use of Domain Generation Algorithms (DGAs) to dynamically create hostnames, making it hard to block the threat. Additionally, by employing DNS CNAME records, the CDN obscures its origins, complicating mitigation efforts. Despite AWS and Microsoft suspending fraudulent accounts, FUNNULL rapidly acquires new IP addresses. Silent Push highlighted that weaknesses in account verification and DNS monitoring enable such operations. The investigation also revealed connections between FUNNULL and organized crime groups, such as Chinese Triads, who use the CDN for phishing and fake trading platforms. In 2024, FUNNULL played a role in a supply chain attack, impacting over 110,000 websites globally. The investigation emphasizes the need for enhanced cybersecurity collaboration among cloud providers, law enforcement, and cybersecurity firms to tackle this growing issue.

What Undercode Says:

The discovery of

One of the core problems identified in Silent Push’s report is the inadequate account verification process. FunNULL’s ability to use stolen or fraudulent accounts to rent large quantities of IP addresses exposes weaknesses in cloud platforms’ ability to detect malicious actors before they gain access. This vulnerability highlights the need for stricter account monitoring and verification measures, as well as more advanced AI-driven systems to detect suspicious activity in real-time. While AWS and Microsoft have taken steps to suspend accounts linked to FUNNULL, their rapid rate of acquiring new IP addresses suggests that the current measures are insufficient to stay ahead of cybercriminals.

Moreover, the use of Domain Generation Algorithms (DGAs) by FUNNULL complicates the task of detecting and blocking malicious domains. DGAs are algorithms that generate a large number of domain names based on predefined parameters, making it hard for cybersecurity defenders to anticipate and block these domains manually. Since these algorithms can produce new domain names every time a site is accessed, it allows cybercriminals to operate more effectively, evading traditional detection methods. The reliance on such tactics underscores the need for dynamic DNS monitoring tools that can detect and block the continuous creation of malicious domains.

Another significant concern is the use of DNS CNAME records to obfuscate the origin of malicious traffic. By using CNAME records, FUNNULL is able to link malicious domains to legitimate cloud services like AWS and Microsoft Azure, blending bad traffic with good traffic. This makes it harder for defenders to block or isolate the malicious activity without affecting the performance or availability of legitimate services. The blending of both legitimate and malicious traffic highlights the ongoing challenges cloud providers face in separating malicious operations from genuine user activity.

The connection between FUNNULL and transnational organized crime groups, such as Chinese Triads, further complicates the matter. These groups leverage the CDN’s infrastructure to host fake gambling platforms, phishing sites, and fake trading services. The scale of the operation is alarming, especially considering the links between FUNNULL and high-profile supply chain attacks, such as the 2024 attack on polyfill.io. With over 110,000 websites affected by this attack, it is clear that these criminal networks have the resources and infrastructure to launch attacks on a global scale, potentially causing widespread damage to businesses, individuals, and entire industries.

The implications of Silent Push’s findings are far-reaching, as they expose how easily malicious actors can exploit cloud infrastructure and bypass traditional security measures. It is evident that cloud providers like AWS and Microsoft need to invest more heavily in proactive monitoring, especially around DNS activity, to prevent infrastructure laundering from continuing to thrive. Additionally, there must be better collaboration between cybersecurity firms, law enforcement agencies, and cloud providers to build a more robust defense against this growing threat. As cybercriminals become more sophisticated, the need for real-time, AI-powered threat detection systems that can respond quickly to emerging tactics is more important than ever.

Finally, Silent Push’s call for international collaboration is essential in tackling this issue. Cybercrime is a global issue that requires a global solution. Increased coordination between governments, private companies, and international organizations will be necessary to effectively combat infrastructure laundering and other cybercrime tactics. Without these enhanced efforts, the trend of infrastructure laundering could continue to grow, putting even more critical services and industries at risk.

References:

Reported By: https://cyberpress.org/chinese-cdn-abusing-aws-microsoft-cloud/
https://www.twitter.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image