Saturday, February 15, 2025
Hackers Exploit AWS & Microsoft Azure for Large-Scale Cyber Attacks

Silent Push, a cybersecurity research firm, has introduced the term “infrastructure laundering” to describe a sophisticated method used by cybercriminals to exploit legitimate cloud hosting services for illegal purposes.

This practice involves renting IP addresses from mainstream providers like Amazon Web Services (AWS) and Microsoft Azure, then mapping them to criminal websites through content delivery networks (CDNs) such as FUNNULL.

Despite efforts by these providers to block fraudulent accounts and IPs, the criminals’ rapid acquisition tactics continue to outpace enforcement.

FUNNULL, a CDN linked to transnational organized crime groups, has reportedly rented over 1,200 IPs from AWS and nearly 200 from Microsoft.

[Figure: Map of FUNNULL CNAME chains]

While most of these have been taken down, new IPs are regularly acquired using stolen or fraudulent accounts.

Silent Push has identified FUNNULL’s infrastructure as hosting over 200,000 unique domains, primarily generated through Domain Generation Algorithms (DGAs), many of which are associated with phishing schemes, investment scams, and money laundering operations.

The Mechanics of Infrastructure Laundering

Unlike traditional “bulletproof hosting,” where servers resist takedown attempts by operating in jurisdictions with lax regulations, infrastructure laundering leverages legitimate cloud platforms to obscure illicit activities.

By embedding their operations within reputable hosting environments, threat actors gain a layer of legitimacy that complicates detection and mitigation.

This technique also ensures fast global access for their websites while making it challenging for defenders to block traffic without disrupting legitimate services hosted by the same providers.

Silent Push’s research highlights the use of CNAME mapping chains within FUNNULL’s CDN as a key tactic.

These chains link client domains to multiple IP addresses across different regions, creating a decentralized infrastructure that is difficult to track in real time.
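To make the CNAME-chain tactic concrete from a defender's side, here is an added example (not from Silent Push's report or its tooling) that walks a chain of CNAME records from a client domain to its terminal A records and labels each address by the cloud range it falls in. The zone data and the provider ranges are constructed placeholders, not real FUNNULL indicators; a real check would query live DNS and load the providers' published IP range feeds.

```python
import ipaddress
from typing import Dict, List, Union

# Constructed zone data (hypothetical names, not real indicators): each name
# maps either to a CNAME target (str) or to its terminal A records (list).
ZONE: Dict[str, Union[str, List[str]]] = {
    "shop.example-client.test": "edge.cdn-alias.test",
    "edge.cdn-alias.test": "pop.cdn-alias.test",
    "pop.cdn-alias.test": ["203.0.113.10", "198.51.100.7", "192.0.2.5"],
    "loop-a.test": "loop-b.test",
    "loop-b.test": "loop-a.test",
}

# Constructed provider ranges (documentation prefixes stand in for the real
# AWS/Azure feeds, which a production check would download and parse).
PROVIDER_RANGES = {
    "aws": [ipaddress.ip_network("203.0.113.0/24")],
    "azure": [ipaddress.ip_network("198.51.100.0/24")],
}

MAX_HOPS = 8  # bounds the walk; also catches CNAME loops and abusive deep chains


def walk_cname_chain(name, zone=ZONE, max_hops=MAX_HOPS):
    """Follow CNAMEs from `name`; return (names visited, terminal A records).

    Raises ValueError on a loop, a missing record, or a chain over max_hops.
    """
    chain = [name]
    current = name
    for _ in range(max_hops):
        record = zone.get(current)
        if record is None:
            raise ValueError(f"no record for {current}")
        if isinstance(record, list):          # reached the A records
            return chain, record
        if record in chain:                   # CNAME loop
            raise ValueError(f"CNAME loop at {record}")
        chain.append(record)
        current = record
    raise ValueError(f"chain for {name} exceeds {max_hops} hops")


def classify_ips(ips, ranges=PROVIDER_RANGES):
    """Label each terminal IP with the provider range it falls in, else 'other'."""
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next(
            (p for p, nets in ranges.items() if any(addr in n for n in nets)),
            "other")
    return result
```

Run over a domain list, the output shows which client domains terminate in mainstream cloud ranges behind several CNAME hops, which is the pattern the report describes.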

[Figure: FUNNULL CDN IP addresses by geographic location]

The criminals’ ability to repeatedly acquire new IPs underscores gaps in the monitoring and enforcement mechanisms of cloud providers.

Implications for Cloud Security and Regulation

The findings raise critical questions about the role of cloud providers in combating cybercrime.

Silent Push questions why major providers have not yet implemented real-time detection systems capable of identifying and blocking such activities at scale.

The report also emphasizes the need for closer scrutiny of third-party intermediaries who facilitate these operations, as well as stronger international collaboration to address the convergence of cybercrime and traditional organized crime.

Amazon responded to the report by denying any complicity and emphasizing its efforts to suspend fraudulent accounts linked to FUNNULL.

The company stated that it incurs damages from such activities and is committed to improving its detection capabilities.

However, Silent Push argues that more proactive measures are needed to prevent criminal networks from exploiting mainstream hosting services.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
