Cybersecurity enthusiasts, brace yourselves—there’s a new villain in town, and it’s playing a high-stakes game against some of the world’s top cloud providers. Recently, cybersecurity researchers at Silent Push unveiled "Infrastructure Laundering," a mind-boggling new technique allowing cybercriminals to camouflage their dirty work through legitimate cloud platforms like Amazon Web Services (AWS) and Microsoft Azure. Central to this scheme is the shadowy FUNNULL CDN (Content Delivery Network), which has been at the epicenter of global cybercrime activities like phishing scams, financial fraud, and even money laundering. Let’s break this down and see how it's reshaping the battlefield of cybersecurity.

What is Infrastructure Laundering?

In case you’re scratching your head over this term, “Infrastructure Laundering” is a novel tactic in the cybercrime ecosystem. Imagine blending illicit activities into the day-to-day humdrum of lawful web traffic to avoid detection. Sounds crafty? It’s exactly what cybercriminals are doing.
Unlike traditional “bulletproof hosting” services (you know, those shady setups operating in countries with loose tech regulations), infrastructure laundering is all about exploiting mainstream and reputable platforms like AWS and Azure. Criminals use fraudulent or stolen credentials to rent IP addresses from these cloud services, link them to their malicious activities, and voilà! They operate under the guise of large, legitimate infrastructure. This makes blocking them particularly tricky; defenders can’t just shut them down without unintentionally interrupting legitimate users.

The FUNNULL Factor: A Beast of its Own

This isn’t your run-of-the-mill cyber operation. FUNNULL is exploiting infrastructure laundering to an alarming degree, renting out thousands of IP addresses (1200+ from AWS and nearly 200 from Microsoft so far). Silent Push observed that these IPs are routinely cycled to stay one step ahead of detection—a bit like a digital game of whack-a-mole, but with significantly higher stakes. Anything taken down is swiftly replaced, much to the frustration of cybersecurity teams.

Here’s how FUNNULL operates:

  • IP Rentals on Steroids: Using fraudulent account details, FUNNULL rents IPs from AWS and Azure in bulk, cycling through them faster than you can blink. This ensures constant aliasing of their malicious web domains.
  • Domain Name Trickery: Leveraging Domain Generation Algorithms (DGAs), they’ve spawned over 200,000 unique hostnames. Silent Push estimates that about 95% of these domains serve illegal activities—yikes!
  • Diversified Hosting: FUNNULL’s operation leans on both Western (US-based) and Asian hosting providers, making tracing its roots a cybersecurity nightmare.
As if this weren’t enough, FUNNULL is being linked to real-world crime syndicates, including Chinese Triad groups. Oh, and did we mention this powerhouse CDN also orchestrated a supply chain attack earlier in the year by compromising the JavaScript library Polyfill.io? That single hack affected over 110,000 websites.

Why AWS and Azure?

If you’re wondering why attackers focus on AWS and Azure, the answer is simple: their sheer size and trustworthiness.
  • Credibility: Organizations organically trust services hosted on AWS and Azure, so traffic from their IP ranges often goes under the radar.
  • Scalability: Rent an IP, spin up, execute some dirty deeds, then shut it all down. The pay-as-you-go model essentially feeds into the criminal playbook.
  • Obfuscation via Scale: These platforms host millions of operations worldwide. Good luck spotting a disguised cybercriminal when they’re one fish in a massive ocean.
To give credit where credit’s due, AWS and Microsoft have been proactive. Amazon publicly acknowledged the issue and is tracking down fraudulently acquired accounts. Microsoft is also reportedly working to tackle abuse of its infrastructure. But the task is akin to plugging multiple leaking holes in a sinking ship. Cybercriminals can acquire new fraudulent credentials nearly as fast as their accounts get shut down.

The Money-Laundering Connection

FUNNULL doesn’t just traffic in phishing and scams—it’s knee-deep in money laundering. Using stolen or false identities, their illicit cash finds its way into shell websites and gambling domains that abuse recognizable brands like “Bwin.” Silent Push detected fake Bwin websites on Azure infrastructure, and the real Bwin's parent company, Entain, has confirmed these sites as fraudulent.
This trend isn’t isolated either. Other major gambling platforms have reported similar impersonation scams, giving FUNNULL near-monopolistic control of a highly illegal market. You might be thinking, "How does a CDN even manage this?" The answer? Infrastructure laundering allows seamless scaling for criminal activities—this goes way beyond your average phishing email.

The Broader Security Implications

This story might seem like yet another dramatic headline, but FUNNULL’s tactics actually foreshadow a larger cybersecurity challenge. With mainstream cloud providers being weaponized, this isn’t just a private sector problem; it’s global.
To illustrate:
  • Major operations like FUNNULL could inadvertently destabilize trust in cloud provider ecosystems.
  • The constant cycling and impersonation of IPs only worsen what cybersecurity professionals call “alert fatigue”—when teams are overwhelmed by false positives and minor incidents while serious threats slip through.

How Do We Fight Back?

Silent Push’s research offers some insight into mitigating this menace. For one:
  • Providers like AWS and Azure must actively track the DNS CNAME records used by FUNNULL. These records show where a hostname ultimately points, and monitoring them could help trace changes linked to malicious behavior.
  • Newly rented IPs mapped to suspect hostnames must be flagged almost instantly.
Cybersecurity, though, is as much a collective effort as anything else. Sharing intelligence across platforms and industries to expose infrastructure laundering could dramatically shrink abuse opportunities.

Final Thoughts: Criminals Love Loopholes

The FUNNULL exposé is yet another reminder that cybercriminals thrive on exploiting loopholes – even in systems designed by some of the smartest minds in the tech world. AWS and Azure’s massive scale and flexibility make them inviting targets for abuse, but they’ve also responded with visible commitments to stamping out fraud. However, the tug-of-war is far from over.
For businesses, the implications are clear: don’t trust blindly. Enhance your own filters, conduct due diligence on website origins, and pay closer attention to domain registrations. Whether you’re a tech geek, a concerned business owner, or just a cybersecurity enthusiast, there’s no denying that FUNNULL proves the stakes are higher than ever.
Let’s hear from you. What do you think the cybersecurity world should do to curb infrastructure laundering? Are AWS and Microsoft doing enough? Join the conversation on WindowsForum.com!

Source: Hackread FUNNULL Unmasked: AWS, Azure Abused for Global Cybercrime Operations
Cybercriminals never sleep, and as the cybersecurity landscape evolves, so do their methods. They've upped their game yet again by infiltrating some of the world’s most reputable cloud service providers—specifically Amazon Web Services (AWS) and Microsoft Azure—for what researchers are now calling "infrastructure laundering." If this term is new to you, buckle up because this phenomenon is as insidious as it is ingenious.
The article delves into groundbreaking research by the cybersecurity firm Silent Push, which outlines how hackers exploit major cloud platforms for illegal purposes. Let’s explore what infrastructure laundering involves, how it works, and why this modern-day cyber sleight-of-hand raises serious questions about cloud security.

What Is "Infrastructure Laundering"?

Imagine laundering money, but instead of cash, you’re legitimizing malicious web operations. This is the essence of “infrastructure laundering,” a term introduced by Silent Push researchers to describe a cunning cyber tactic.
Here’s how it works:
  • Cybercriminals rent IP addresses from trusted cloud services like AWS and Azure.
  • These IP addresses are mapped to criminal websites using third-party content delivery networks (CDNs) such as FUNNULL.
  • The role of FUNNULL? It’s a known bad actor, suspected to be connected to organized crime syndicates. Despite ongoing takedown efforts, FUNNULL manages over 200,000 questionable domains—many linked to phishing, scams, and even money laundering operations.
Using stolen identities or fraudulent credentials, these cyber masterminds acquire new IPs almost as quickly as companies like Amazon or Microsoft can revoke the old ones. It’s like a game of Whack-A-Mole, except the stakes for global cybersecurity have never been higher.

How Hackers Exploit Cloud Platforms

Step 1: Renting from Trustworthy Platforms

Hackers intentionally target reputable platforms—AWS and Microsoft Azure are household names in cloud computing. By embedding themselves in these tech giants’ environments, cybercriminals gain a veneer of legitimacy. Security systems often hesitate to block traffic coming from trusted providers, which is precisely what hackers bank on.

Step 2: CNAME Mapping Chains

A key tactic hackers use is CNAME mapping chains. Here’s how it works:
  • CNAME (Canonical Name) records are used in DNS systems to alias one domain name to another.
  • FUNNULL orchestrates intricate chains that link these criminal domains to multiple IPs across regions worldwide.
This decentralization makes the infrastructure much harder to track and disrupt. It allows malicious actors to flip their operations to new IPs with remarkable agility, leaving behind a trail of frustrated cybersecurity teams.

Step 3: Globally Distributed Infrastructure

By leveraging CDNs like FUNNULL, the hackers create a global network of servers optimized for speed and reliability. This setup guarantees worldwide, fast access to their criminal websites (think phishing pages or scam sites), all without being easily identifiable as malicious. The cherry on top? Illicit activity is effectively hidden under the guise of cloud providers’ legitimate offerings.

The Unique Threat of Infrastructure Laundering

To understand why this method is so effective, we need to compare it to the more traditional model of bulletproof hosting, a term you may have heard before. Bulletproof hosting involves setting up malicious servers in lightly regulated jurisdictions that turn a blind eye. Think of countries with lax cybercrime laws or few enforcement resources.
Infrastructure laundering flips this approach on its head:
  • Instead of dodging regulations, hackers deflect attention by exploiting trusted providers.
  • These efforts make it far harder to detect and disrupt their activities without inadvertently impacting the legitimate websites hosted by the same providers.
  • The speed of operations guarantees hackers can stay one step ahead.
It’s the security equivalent of hiding a wolf in sheep’s clothing, and it’s alarmingly sophisticated.

Why Is FUNNULL a Major Player?

FUNNULL, the CDN at the center of this malicious web, serves as the primary operational nexus. Silent Push’s research highlights some shocking metrics:
  • Over 1,200 IP addresses rented from AWS.
  • Nearly 200 IP addresses sourced from Microsoft Azure.
  • More than 200,000 domains hosted, many dynamically altered using Domain Generation Algorithms (DGAs).
These figures underscore a significant gap in the detection and monitoring capabilities of both AWS and Azure. For context, domain generation algorithms randomize and frequently cycle through domain names, adding an extra layer of operational chaos and obfuscation.

Cloud Providers’ Enforcement Challenges

AWS and Azure's Dilemma

Both Amazon and Microsoft are clearly aware of the issue, yet their responses have been reactive rather than proactive. Amazon has publicly denied any complicity but acknowledges the financial damage caused by these exploits. While the company is investing in detection capabilities, experts argue that these efforts fall short of what’s required to address a problem of this scale.

Why Real-Time Detection is Critical

Silent Push emphasizes the need for real-time systems capable of shutting down fraudulent IP usage instantly. Current approaches allow hackers a significant operational window, giving them enough time to wreak havoc before their activities are flagged.
The challenges don’t stop there:
  • Collateral Damage: Shutting down malicious IPs without impacting legitimate users hosted on the same cloud platform is a tightrope walk.
  • Silver-Tongued Intermediaries: Third-party intermediaries like FUNNULL act as shadow brokers, further muddying the waters and making enforcement exponentially harder.

Implications for Cybersecurity and Regulation

This infrastructure laundering scheme should send shivers down the spines of both IT teams and policymakers alike. A few critical questions arise:
  • Can cloud providers like AWS and Azure be held partially accountable for the repeated misuse of their platforms?
  • Should governments regulate CDNs more closely to prevent their abuse as cybercrime hubs?
  • How can international collaboration tackle not just cyber actors but also their cross-border infrastructure?
The line between cybercrime and traditional organized crime is blurring. This isn't just about phishing campaigns—it’s often about large-scale, transnational operations involving fraud, scams, and money laundering.

What Should You Do as a Windows User or IT Manager?

If you’re running a Windows environment, you don’t need AWS or Azure to be compromised directly to feel the ripple effects of such attacks. Here are some practical steps:
  • Boost End-User Awareness: Phishing attacks are one of the primary tools here. Educating users about suspicious links and emails can prevent many incidents.
  • Harden Perimeter Defenses: Utilize modern endpoint detection and response (EDR) tools—many built into Windows environments—to block malicious connections.
  • Leverage DNS Filtering: Many enterprise tools now allow you to monitor and block DNS requests to suspicious domains. This can stymie attempts to connect to criminal infrastructure like FUNNULL-hosted sites.
  • Cloud Usage Scrutiny: If your company uses AWS, Azure, or other major cloud providers, implement auditing to ensure legitimate network activities.

Final Thoughts

The evolving sophistication of cyber threats shows no signs of slowing down. Infrastructure laundering, particularly through AWS and Microsoft Azure, is a wake-up call for anyone who relies on cloud services. As Silent Push’s report demonstrates, it’s not enough for providers to react—they need to evolve their defenses in real time.
For now, the onus is also on users, IT admins, and industry regulators to double down on detection and prevention. Hackers may innovate, but so can defenders.
What do you think? Are cloud providers doing enough to combat cybercrime, or is it time for governments to step in? Share your thoughts and tips below in the WindowsForum.com community!

Source: GBHackers News Hackers Exploit AWS & Microsoft Azure for Large-Scale Cyber Attacks
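One way to implement the CNAME-chain tracking and "newly mapped IP" flagging the two posts above describe, as an added example that is not Silent Push's tooling or anything from the forum: it walks a constructed DNS snapshot hop by hop, guards against loops and overlong chains, and flags hostnames whose terminal address newly lands in a labelled stand-in for provider address space. All hostnames, records and prefixes are constructed placeholders, not real FUNNULL indicators or real AWS/Azure ranges.

```python
"""Walk DNS CNAME chains over a constructed record set and flag hostnames
whose terminal A record newly lands in cloud provider address space.
Added example; every record, prefix and hostname is constructed."""
import ipaddress

# Constructed DNS snapshot: owner name -> list of (rtype, rdata).
ZONE = {
    "login.example-brand.test": [("CNAME", "edge1.cdn.test.")],
    "edge1.cdn.test": [("CNAME", "node7.cdn.test.")],
    "node7.cdn.test": [("A", "198.51.100.23")],
    "promo.example-brand.test": [("CNAME", "loop-a.cdn.test.")],
    "loop-a.cdn.test": [("CNAME", "loop-b.cdn.test.")],
    "loop-b.cdn.test": [("CNAME", "loop-a.cdn.test.")],
    "static.example-brand.test": [("A", "203.0.113.9")],
}

# Constructed placeholders standing in for provider-published IP ranges.
CLOUD_PREFIXES = {
    "cloud-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cloud-b": [ipaddress.ip_network("192.0.2.0/24")],
}

MAX_HOPS = 8  # resolvers cap chain length too; a deep chain is itself a signal


def resolve_chain(name, zone=ZONE):
    """Follow CNAMEs from name; return (chain, a_records, status)."""
    chain, seen = [name], {name}
    while True:
        records = zone.get(chain[-1], [])
        cnames = [v.rstrip(".") for t, v in records if t == "CNAME"]
        if not cnames:  # terminal owner: collect its A records
            a_recs = [v for t, v in records if t == "A"]
            return chain, a_recs, "ok" if a_recs else "nxdomain"
        nxt = cnames[0]
        if nxt in seen:
            return chain, [], "loop"
        if len(chain) >= MAX_HOPS:
            return chain, [], "too_long"
        seen.add(nxt)
        chain.append(nxt)


def provider_for(ip, prefixes=CLOUD_PREFIXES):
    """Name the provider whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in prefixes.items():
        if any(addr in n for n in nets):
            return provider
    return None


def flag_new_cloud_mappings(hostnames, previous, zone=ZONE):
    """Flag hostnames whose terminal IP is in cloud space and was not in
    the previous snapshot (previous: hostname -> set of known IPs)."""
    flagged = {}
    for h in hostnames:
        chain, a_recs, status = resolve_chain(h, zone)
        for ip in a_recs:
            prov = provider_for(ip)
            if prov and ip not in previous.get(h, set()):
                flagged[h] = {"ip": ip, "provider": prov, "hops": len(chain) - 1}
    return flagged
```

Feeding successive passive-DNS snapshots into `flag_new_cloud_mappings` turns the "IP cycling" described in the posts into a diff of first-seen cloud mappings per hostname, which is the signal the posts say providers should alert on.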
It's a classic Hollywood heist, but in the digital realm—where the targets are cloud servers, and the perpetrators never even have to step foot near them. In a twist of ingenuity, the emerging tactic of "infrastructure laundering" has cybercriminals blending their malicious deeds indistinguishably within the everyday operations of tech giants like Amazon Web Services (AWS) and Microsoft Azure.

The Devious Dance of Infrastructure Laundering

What is Infrastructure Laundering?
Imagine a concert hall. Among the legitimate attendees, a few thieves mingle, seamlessly blending in while they go about pocketing valuables. Now transpose that scene into cyberspace, where Funnull CDN, a China-based content delivery network, rents and rapidly cycles through thousands of IPs from reputable cloud platforms to mask its criminal activities.
Unlike shady offshore hosting services known for turning a blind eye to hijinks, this scheme exploits the inherent trust in mainstream platforms. Cybercriminals use stolen credentials to acquire cloud resources, essentially grafting their operations onto the trusted backbone of AWS and Azure.

Funnull CDN: The Puppet Master

Silent Push, a cybersecurity research team, has identified that Funnull CDN has rented over 1,200 IPs from AWS and nearly 200 from Microsoft, using them to animate an expansive web of deceit connecting more than 200,000 rogue hostnames. This includes everything from investment scams to fake gambling domains, seemingly backed by genuine cloud infrastructure.
Incredibly, they employ domain generation algorithms (DGAs) to produce an impressive volume of fake sites. Approximately 95% of these sites are associated with illicit activities.

The Cloud in Crosshairs

Why Target AWS and Azure?

  • Credibility: Traffic originating from these trusted platforms often evades initial suspicion, benefiting from the same trust users afford any legitimate mutual funds or corporate websites.
  • Scalability: The pay-as-you-go ethos of cloud computing inadvertently serves these criminals well. They rent, execute their schemes, and abandon these digital ghosts, propelling the digital cat-and-mouse chase to dizzying speeds.
  • Blending in: Given the enormity of AWS and Azure ecosystems, pinpointing the nefarious activity is like identifying a single deceptive attendee in a sold-out stadium concert.

The Cyber Arms Race: Showtime for AWS and Microsoft

AWS and Microsoft are not resting on their laurels. AWS acknowledged the issue, noting that while they were aware, the report provided valuable insights into ongoing efforts to suspend compromised accounts. Microsoft, too, is tackling misuse, although the relentless cycling of IPs presents a substantial challenge.

What's Next?

For many businesses and individual users, news like this might evoke everything from mild curiosity to outright panic. For professionals dealing with Azure or AWS, this situation is a call to fortify defenses.

Practical Defenses:

  • Multi-Factor Authentication (MFA): Adding layers of authentication deters unauthorized access.
  • Regular Audits: Audit cloud permissions and IP activity to ensure no strange digital footprints lurk.
  • Data Monitoring: Deploy advanced threat detection systems to sift through network traffic anomalies.
  • Education: Keep teams informed about the latest phishing tactics and credential safety best practices.

The Bigger Picture

In painting this artwork of cyber deception, Funnull revels in chaos. Yet, this tale highlights a universal truth—technology's evolution. Though cloud computing has transformed how we work, play, and communicate, it brings responsibilities.
Each of us, whether IT leaders or individual users, must remain vigilant, fostering a culture of cybersecurity awareness, encouraging critical thinking, and knowing that the digital realm, much like the physical, demands informed guardianship.
Now, it's your move. What do you think should be AWS and Microsoft's strategy to address the surge in infrastructure laundering? Are current efforts hitting the mark, or do we need an overhaul in tactics? Share your thoughts with the community!

Source: Dark Reading https://www.darkreading.com/cloud-security/chinese-infrastructure-laundering-abuses-aws-microsoft-cloud