2025-02-03
A recent report by cybersecurity research firm Silent Push has uncovered a disturbing new trend in the world of cybercrime: infrastructure laundering. This emerging practice allows threat actors to use mainstream cloud services, such as Amazon Web Services (AWS) and Microsoft Azure, to mask their illicit activities. By renting legitimate IP addresses and mapping them to fraudulent websites, cybercriminals can exploit the trust associated with these popular cloud platforms. Silent Push’s investigation highlights the challenges faced by cloud providers in detecting and halting such activities, while shedding light on the sophisticated methods used by criminals to bypass security measures.
Summary
Routing through mainstream cloud services makes it difficult to distinguish legitimate from malicious traffic, because both share the same provider address space. FUNNULL, the CDN at the center of Silent Push's report, hosts over 200,000 domains and has been linked to scams and at least one supply chain attack. AWS and Azure do suspend fraudulent accounts, but the operators rent replacement IPs faster than suspensions land, so the infrastructure keeps shifting rather than shrinking.
What Undercode Says:
Infrastructure laundering is a meaningful shift in how cybercriminals hide their hosting. By sitting behind the address space and reputation of well-known cloud providers, they make malicious fronts look like ordinary cloud tenants, which is harder for defenders to spot and to block. Traditional "bulletproof hosting" relies on providers that ignore abuse complaints and whose entire networks can be reputation-scored as hostile; laundering instead relies on providers that do act on abuse, but whose address space is far too valuable to block wholesale.
That is the key difference: the hosting belongs to trusted companies like AWS and Microsoft Azure, and their IP ranges are shared with enormous numbers of legitimate customers. Blocking a rented cloud IP outright risks collateral damage to whoever gets the address next, which is exactly the cover the criminals are buying.
The most concerning aspect is the churn. Once an IP is flagged and the account suspended, the operators simply rent another, often through fraudulent or stolen accounts, and point their existing CDN hostnames at it. Even when a provider removes malicious accounts promptly, the operation regenerates within hours, so any defense that keys only on individual IP addresses is permanently behind.
The FUNNULL CDN shows how far this can scale. It fronts over 200,000 unique domains, many of them produced by Domain Generation Algorithms (DGAs), so the set of hostnames changes continually and blocklists built from observed domains age out almost immediately. Those domains host scams impersonating well-known brands such as Bwin, Chanel, and eBay, and because the brand names appear in otherwise random hostnames, simple keyword matching produces as many false positives as hits.
Additionally, the connection between FUNNULL and organized crime groups, including Chinese Triads, shows that infrastructure laundering is not only a technical challenge but also a geopolitical one. The use of cloud services across multiple jurisdictions, including the U.S., Hong Kong, and Southeast Asia, allows cybercriminals to exploit gaps in international cooperation on cybersecurity. This transnational element highlights the need for a coordinated global response to this emerging threat.
AWS has been identifying and suspending fraudulent accounts, while acknowledging that the layers of DNS indirection involved and the speed of new IP acquisition make real-time detection difficult. AWS has also said it is itself harmed by this fraud and does not condone it.
Silent Push argues that providers must go further and track the patterns of abuse that reveal illicit IP rentals rather than reacting to individual addresses. The most concrete suggestion is monitoring CNAME chains: a scam domain typically does not point at the rented cloud IP directly but CNAMEs to a CDN hostname, which in turn resolves to the cloud address. Walking that chain ties the front-end domain to the intermediary CDN and to the rented IP, and pivoting on the intermediary hostname exposes the other domains sharing it even after the IP behind it is swapped. Silent Push also points to its Indicators of Future Attacks (IOFA) feeds as a way to surface this infrastructure before a campaign goes live.
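The following is an added illustration of the two detection ideas above, the CNAME-chain walk and a crude DGA-likeness check. It is example code written for this page, not Silent Push's tooling or any provider's API. The DNS records, the "suspect CDN" suffix, and the cloud prefixes are all constructed (the prefixes are RFC 5737 documentation ranges standing in for a provider's published list; AWS publishes its real one at https://ip-ranges.amazonaws.com/ip-ranges.json).

```python
"""Walk CNAME chains offline, attribute the final IP to a cloud provider,
and pivot on the shared CDN hostname. All data below is constructed."""
import ipaddress
import math
from collections import Counter

# Constructed stand-in for a provider's published prefix list (documentation ranges).
CLOUD_PREFIXES = {
    "aws": [ipaddress.ip_network("203.0.113.0/24")],
    "azure": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed passive-DNS snapshot: name -> (record type, target).
RECORDS = {
    "bwin-login-promo.test": ("CNAME", "a7f3k2.cdn-edge.test"),
    "a7f3k2.cdn-edge.test": ("CNAME", "edge-pool-12.cdn-edge.test"),
    "edge-pool-12.cdn-edge.test": ("A", "203.0.113.45"),
    "xk3q9vz8wlp2.test": ("CNAME", "edge-pool-12.cdn-edge.test"),
    "www.legit-shop.test": ("A", "192.0.2.10"),
    "loop-a.test": ("CNAME", "loop-b.test"),
    "loop-b.test": ("CNAME", "loop-a.test"),
}

# Hypothetical intermediary CDN that the chains pass through.
SUSPECT_CDN_SUFFIXES = ("cdn-edge.test",)


def resolve_chain(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from name. Returns (chain, ip); ip is None if the chain
    dangles, loops, or exceeds max_hops."""
    chain, seen, cur = [name], {name}, name
    for _ in range(max_hops):
        rec = records.get(cur)
        if rec is None:
            return chain, None          # dangling CNAME
        rtype, target = rec
        if rtype == "A":
            return chain, target
        if target in seen:
            return chain, None          # CNAME loop
        seen.add(target)
        chain.append(target)
        cur = target
    return chain, None


def cloud_provider(ip):
    """Name the provider whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_PREFIXES.items():
        if any(addr in n for n in nets):
            return provider
    return None


def looks_generated(name):
    """Crude DGA heuristic on the leftmost label: long, high-entropy, few vowels."""
    label = name.split(".")[0]
    if len(label) < 10:
        return False
    counts = Counter(label)
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return entropy >= 3.0 and vowel_ratio <= 0.3


def assess(name, records=RECORDS):
    """Tie a front-end domain to its intermediary and its rented cloud IP."""
    chain, ip = resolve_chain(name, records)
    provider = cloud_provider(ip) if ip else None
    via_suspect_cdn = any(hop.endswith(SUSPECT_CDN_SUFFIXES) for hop in chain[1:])
    return {
        "chain": chain,
        "ip": ip,
        "provider": provider,
        "via_suspect_cdn": via_suspect_cdn,
        "dga_like": looks_generated(name),
        # The laundering signature: a chain through the intermediary that
        # terminates in mainstream cloud address space.
        "flag": provider is not None and via_suspect_cdn,
    }


def domains_per_ip(records=RECORDS):
    """Pivot: every name whose chain terminates on the same IP. After the
    operators swap the IP, pivot on the CDN hostname in the chain instead."""
    out = {}
    for name in records:
        _, ip = resolve_chain(name, records)
        if ip:
            out.setdefault(ip, []).append(name)
    return out


if __name__ == "__main__":
    for n in ("bwin-login-promo.test", "xk3q9vz8wlp2.test", "www.legit-shop.test", "loop-a.test"):
        print(n, assess(n))
    print(domains_per_ip())
```

Against real data the records dict would be replaced by passive-DNS lookups and the prefix dict by the provider's published ranges; the point of the chain walk is that the flag survives an IP swap, because the intermediary CDN hostname stays constant even when the address behind it changes.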
The rise of infrastructure laundering is a growing challenge for defenders. As the operators refine their techniques and providers struggle to keep up with account churn, detection has to move from blocking addresses to tracking the intermediaries and patterns that persist across them. Closer coordination between cloud providers, threat intelligence firms, and law enforcement is what turns a single suspension into a lasting disruption.
In short, infrastructure laundering is a wake-up call. As cloud providers become the default substrate for everything online, their trusted address space becomes ever more attractive as cover, and the gap will widen unless detection and abuse handling adapt. Closing it will take technical work on the providers' side, regulatory pressure, and better cross-border collaboration.
References:
Reported By: https://cyberpress.org/hackers-abusing-aws-microsoft-azure/