Chinese CDN Exploiting AWS & Microsoft Cloud to Host Malicious Websites

A recent investigation by cybersecurity firm Silent Push has revealed how a China-linked Content Delivery Network (CDN), known as FUNNULL, is exploiting major cloud providers like Amazon Web Services (AWS) and Microsoft Azure to host malicious websites.

The technique, termed “infrastructure laundering,” allows cybercriminals to mask their activities by renting IP addresses from legitimate cloud services and mapping them to fraudulent domains.

This method enables phishing campaigns, investment scams, and money laundering operations, posing significant challenges for cloud providers and cybersecurity efforts.

Exploitation of Cloud Platforms

FUNNULL has reportedly rented over 1,200 IP addresses from AWS and nearly 200 from Azure, using stolen or fraudulent accounts to bypass detection.

Once acquired, these IPs are linked to malicious domains via DNS CNAME records, allowing the network to host over 200,000 unique hostnames, 95% of which are generated through Domain Generation Algorithms (DGAs).

These domains support scams targeting major brands like Bwin, Chanel, and eBay, as well as fake trading platforms and gambling websites.

The infrastructure laundering process relies on intermediaries that obscure the origins of criminal activities.

Unlike traditional “bulletproof hosting,” which resists takedown efforts entirely, infrastructure laundering leverages the credibility of mainstream cloud providers.

This makes it difficult for defenders to block malicious traffic without disrupting legitimate services hosted on the same platforms.

Challenges for Cloud Providers

Despite efforts by AWS and Azure to suspend fraudulent accounts linked to FUNNULL’s activities, the CDN continues to acquire new IPs at a rapid pace.

Silent Push’s research indicates that FUNNULL has been renting Microsoft IP space since at least 2021.

The persistent cycling of IP addresses highlights vulnerabilities in account verification processes and DNS monitoring systems used by cloud providers.

AWS has acknowledged the issue and emphasized its ongoing efforts to detect and suspend fraudulently acquired accounts.

However, Silent Push has raised concerns about the effectiveness of current measures, questioning why cloud providers are unable to identify such schemes in real time.

The firm suggests that better tracking of CNAME chains could help prevent illicit IP rentals more effectively.

FUNNULL’s operations have facilitated extensive cybercriminal activities linked to transnational organized crime groups such as Chinese Triads.

For example, dozens of fake Bwin gambling websites were discovered hosted on Microsoft infrastructure.

Additionally, FUNNULL was involved in a supply chain attack in 2024 that compromised the popular JavaScript library polyfill.io, impacting over 110,000 websites globally.

The network’s ability to blend malicious activities with legitimate web traffic complicates mitigation efforts.

Silent Push’s findings underscore the need for coordinated action among cloud providers, cybersecurity firms, and law enforcement agencies to address this growing threat.

As cybercriminals continue exploiting gaps in cloud infrastructure management, organizations must adopt robust security measures such as real-time monitoring tools, stricter account verification processes, and enhanced DNS tracking systems.

Collaborative efforts between stakeholders will be critical in combating this sophisticated form of cybercrime.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free