
Recent investigations have described a tactic termed "infrastructure laundering," in which cybercriminals route their operations through prominent cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. The operators rent IP addresses from these providers and map them to fraudulent websites, so the malicious hosts sit inside address space that defenders cannot block wholesale without collateral damage.
Unveiling the Infrastructure Laundering Tactic
Researchers from Silent Push have identified the China-based Funnull content delivery network (CDN) as a key player in this scheme. Funnull was found to have rented more than 1,200 IP addresses from AWS and nearly 200 from Microsoft. These IPs front malicious sites and are cycled frequently to evade detection.
Challenges in Detection and Mitigation
The primary difficulty in combating this tactic is that malicious traffic is blended with legitimate traffic on the same provider networks. Hosting providers therefore struggle to block access without affecting genuine users, and defenders face the same problem from the other side: blocking the large IP ranges of a major cloud provider can disrupt essential web services.
- IP Address Rotation: Funnull continuously acquires and discards IP addresses, so any blocklist keyed on individual IPs falls out of date almost as soon as it is published.
- Legitimate Traffic Masking: Hosting on reputable cloud services lends malicious sites the reputation of the provider's address space, complicating detection efforts.
Funnull's Extensive Scam Network
Funnull's CDN hosts more than 200,000 unique hostnames, roughly 95% of which appear to be generated by domain generation algorithms (DGAs). These domains are linked to various scams, including fake investment schemes and fraudulent trading applications.
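The two traits above, hostnames that look machine-generated and hostnames whose IPs churn through cloud address space, are exactly what a defender can pivot on in passive DNS data rather than blocking provider ranges. The following is an added example, not code from the original page or from Silent Push: it scores hostnames for DGA-like labels (length, character entropy, vowel ratio) and tracks per-hostname IP churn and IPs shared between hostnames. The passive-DNS records, the "cloud" prefixes (documentation ranges standing in for real provider ranges) and the thresholds are all constructed assumptions for illustration.

```python
"""Flag DGA-like hostnames and IP-rotating hostnames from passive-DNS observations.

Added example for this article; the data below is constructed, not real telemetry.
"""
import ipaddress
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed passive-DNS observations: (hostname, resolved IP, first_seen date).
SAMPLE_RECORDS = [
    ("xk7qz9vbm2lp.example", "203.0.113.10", "2025-01-03"),
    ("xk7qz9vbm2lp.example", "203.0.113.57", "2025-01-05"),
    ("xk7qz9vbm2lp.example", "198.51.100.8", "2025-01-09"),
    ("a8f3kq2zmt9c.example.net", "203.0.113.57", "2025-01-05"),
    ("a8f3kq2zmt9c.example.net", "203.0.113.99", "2025-01-07"),
    ("a8f3kq2zmt9c.example.net", "198.51.100.21", "2025-01-10"),
    ("a8f3kq2zmt9c.example.net", "198.51.100.40", "2025-01-12"),
    ("shop.example.com", "192.0.2.15", "2024-11-01"),
    ("shop.example.com", "192.0.2.15", "2025-01-10"),
    ("news.example.org", "203.0.113.200", "2025-01-02"),
]

# Hypothetical stand-ins for cloud provider ranges (RFC 5737 documentation nets).
# In practice, load the providers' published prefix lists here.
CLOUD_PREFIXES = {
    "cloud-a": ipaddress.ip_network("203.0.113.0/24"),
    "cloud-b": ipaddress.ip_network("198.51.100.0/24"),
}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(hostname: str, min_len: int = 10, min_entropy: float = 3.3) -> dict:
    """Score every non-TLD label and return the most suspicious one.

    Heuristic only: long labels with high entropy or almost no vowels.
    Thresholds are assumptions; tune them against your own traffic.
    """
    labels = [lb for lb in hostname.lower().rstrip(".").split(".")[:-1] if lb]
    if not labels:  # single-label name: score the name itself
        labels = [hostname.lower()]
    scores = []
    for label in labels:
        ent = shannon_entropy(label)
        vowels = sum(ch in "aeiou" for ch in label) / len(label)
        scores.append({
            "label": label,
            "length": len(label),
            "entropy": round(ent, 3),
            "vowel_ratio": round(vowels, 3),
            "suspicious": len(label) >= min_len and (ent >= min_entropy or vowels < 0.2),
        })
    return max(scores, key=lambda s: (s["suspicious"], s["entropy"]))


def ip_churn(records, cloud_prefixes=CLOUD_PREFIXES) -> dict:
    """Per hostname: distinct IPs, how many sit in cloud ranges, and the observation span."""
    per_host = defaultdict(lambda: {"ips": set(), "first": None, "last": None})
    for host, ip, seen in records:
        info = per_host[host.lower()]
        info["ips"].add(ip)
        d = date.fromisoformat(seen)
        info["first"] = d if info["first"] is None or d < info["first"] else info["first"]
        info["last"] = d if info["last"] is None or d > info["last"] else info["last"]
    result = {}
    for host, info in per_host.items():
        cloud = {ip for ip in info["ips"]
                 if any(ipaddress.ip_address(ip) in net for net in cloud_prefixes.values())}
        result[host] = {
            "distinct_ips": len(info["ips"]),
            "cloud_ips": len(cloud),
            "span_days": (info["last"] - info["first"]).days,
            "ips": sorted(info["ips"]),
        }
    return result


def shared_ips(records) -> dict:
    """IPs seen fronting more than one hostname: a pivot from one scam site to its siblings."""
    by_ip = defaultdict(set)
    for host, ip, _ in records:
        by_ip[ip].add(host.lower())
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def flag_hostnames(records, min_ips: int = 3) -> dict:
    """Hostnames worth blocking individually, with the reasons, instead of whole provider ranges."""
    findings = {}
    for host, info in ip_churn(records).items():
        reasons = []
        if dga_score(host)["suspicious"]:
            reasons.append("dga-like label")
        if info["distinct_ips"] >= min_ips:
            reasons.append(f"{info['distinct_ips']} IPs in {info['span_days']} days "
                           f"({info['cloud_ips']} in cloud ranges)")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_hostnames(SAMPLE_RECORDS).items():
        print(host, "->", "; ".join(reasons))
    print("shared IPs:", shared_ips(SAMPLE_RECORDS))
```

The output is a list of hostnames to block or sinkhole, which is the granularity that avoids the collateral damage of blocking a provider's prefix. The shared-IP pivot matters because a rotated address is often reused across several fraud domains before it is discarded, so one confirmed scam site leads to its siblings.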
Money Laundering and Trademark Abuse
The network also provides money laundering services through shell gambling websites that misuse the trademarks of well-known casino brands, adding another layer to the operation.
Cloud Providers' Response and Ongoing Investigations
AWS has acknowledged the findings and confirmed that it has been actively suspending accounts linked to Funnull's activities. The company disputes the term "infrastructure laundering," arguing it inaccurately implies AWS is complicit in legitimizing illicit activities.
Microsoft is also investigating the reported activity, and Silent Push continues to monitor and analyze related threats. Businesses are advised to review their cloud accounts to prevent unauthorized access and potential exploitation.
Recommendations for Businesses
- Account Security: Implement multifactor authentication (MFA) to protect against account takeovers.
- Regular Audits: Conduct thorough reviews of cloud account access and transactions to identify suspicious activities.
- Employee Education: Train staff to recognize and report potential security threats within cloud environments.
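The account-security and audit items above can be checked offline against an AWS IAM credential report (the CSV returned, base64-encoded, by `aws iam get-credential-report`). The following is an added example and not code from the original page or from AWS: it parses the report, then flags the root account or any console user lacking MFA, access keys older than a rotation window, and keys that are active but unused. The report rows below are constructed sample data in that CSV layout, and the 90-day thresholds and the fixed "now" date are assumptions.

```python
"""Audit an AWS IAM credential report for missing MFA and stale or old access keys.

Added example for this article; the report rows are constructed, not from a real account.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential report's CSV layout (values are made up).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T08:00:00+00:00,not_supported,2025-01-20T10:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T09:00:00+00:00,true,2025-01-21T11:00:00+00:00,2024-12-01T00:00:00+00:00,2025-03-01T00:00:00+00:00,true,true,2024-12-01T00:00:00+00:00,2025-01-21T11:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-05-15T09:00:00+00:00,true,2025-01-19T14:00:00+00:00,2023-05-15T09:00:00+00:00,2023-08-13T09:00:00+00:00,false,true,2023-05-15T09:00:00+00:00,2025-01-19T14:00:00+00:00,ap-southeast-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-11-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-11-01T09:00:00+00:00,2023-02-02T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 1, 22, tzinfo=timezone.utc)


def parse_report(text: str) -> list:
    """Parse the credential report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))


def _age_days(value: str, now: datetime):
    """Days since an ISO-8601 timestamp; None for N/A, no_information and similar placeholders."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def audit(rows: list, now: datetime = NOW, max_key_age_days: int = 90, stale_days: int = 90) -> dict:
    """Return {user: [findings]} for principals that fail the MFA or key-hygiene checks."""
    findings = {}
    for row in rows:
        user = row["user"]
        issues = []
        is_root = user == "<root_account>"
        has_console = row["password_enabled"] == "true"
        if (is_root or has_console) and row["mfa_active"] != "true":
            issues.append("root account without MFA" if is_root else "console password without MFA")
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            age = _age_days(row[f"{slot}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                issues.append(f"{slot} not rotated for {age} days")
            used = _age_days(row[f"{slot}_last_used_date"], now)
            if used is None or used > stale_days:
                issues.append(f"{slot} active but unused for {stale_days}+ days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(parse_report(SAMPLE_REPORT)).items():
        print(f"{user}: " + "; ".join(issues))
```

Unused but active keys and console users without MFA are the credentials most likely to be taken over and used to provision resources, including the IP addresses described in this article, under an account that is not the attacker's own. Running the same check on a schedule, and alerting on new principals, turns the "regular audit" recommendation into something measurable.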