Hackers Exploit AWS & Microsoft Azure for Large-Scale Cyber Attacks

Silent Push, a cybersecurity research firm, has introduced the term “infrastructure laundering” to describe a sophisticated method used by cybercriminals to exploit legitimate cloud hosting services for illegal purposes.

This practice involves renting IP addresses from mainstream providers like Amazon Web Services (AWS) and Microsoft Azure, then mapping them to criminal websites through content delivery networks (CDNs) such as FUNNULL.

Despite efforts by these providers to block fraudulent accounts and IPs, the criminals’ rapid acquisition tactics continue to outpace enforcement.

FUNNULL, a CDN linked to transnational organized crime groups, has reportedly rented over 1,200 IPs from AWS and nearly 200 from Microsoft.

Map of FUNNULL CNAME Chains

While most of these have been taken down, new IPs are regularly acquired using stolen or fraudulent accounts.

Silent Push has identified FUNNULL’s infrastructure as hosting over 200,000 unique domains, primarily generated through Domain Generation Algorithms (DGAs), many of which are associated with phishing schemes, investment scams, and money laundering operations.

The Mechanics of Infrastructure Laundering

Unlike traditional “bulletproof hosting,” where servers resist takedown attempts by operating in jurisdictions with lax regulations, infrastructure laundering leverages legitimate cloud platforms to obscure illicit activities.

By embedding their operations within reputable hosting environments, threat actors gain a layer of legitimacy that complicates detection and mitigation.

This technique also ensures fast global access for their websites while making it challenging for defenders to block traffic without disrupting legitimate services hosted by the same providers.

Silent Push’s research highlights the use of CNAME mapping chains within FUNNULL’s CDN as a key tactic.

These chains link client domains to multiple IP addresses across different regions, creating a decentralized infrastructure that is difficult to track in real time.

FUNNULL CDN IP addresses by geographic location

The criminals’ ability to repeatedly acquire new IPs underscores gaps in the monitoring and enforcement mechanisms of cloud providers.
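The following is an added example, not code from Silent Push's report or from this article: one way a defender could walk CNAME chains in passive-DNS style data and flag domains whose chain passes through a watched CDN zone and ends on major cloud provider address space. Every domain name, IP range and provider label in it is a constructed placeholder.

```python
import ipaddress

# Constructed sample data: passive-DNS style records, name -> [(type, value)].
# All names and addresses are placeholders (RFC 2606 / RFC 5737), not real indicators.
RECORDS = {
    "shop-a.example": [("CNAME", "c1.cdn-intermediary.example")],
    "c1.cdn-intermediary.example": [("CNAME", "edge7.cdn-intermediary.example")],
    "edge7.cdn-intermediary.example": [("A", "192.0.2.10"), ("A", "198.51.100.7")],
    "blog.example": [("A", "203.0.113.5")],
    "loop.example": [("CNAME", "loop2.example")],
    "loop2.example": [("CNAME", "loop.example")],
}
# Assumption: stand-ins for the address ranges a cloud provider publishes.
PROVIDER_RANGES = {
    "cloud-provider-1": [ipaddress.ip_network("192.0.2.0/24")],
    "cloud-provider-2": [ipaddress.ip_network("198.51.100.0/24")],
}
WATCHED_SUFFIXES = (".cdn-intermediary.example",)  # hypothetical CDN zone under watch

def walk_chain(name, records, max_depth=10):
    """Follow CNAMEs from name; return (chain, ips). Stops on loops or max_depth."""
    chain, ips, seen, current = [name], [], {name}, name
    for _ in range(max_depth):
        rrs = records.get(current, [])
        ips = [v for t, v in rrs if t == "A"]
        targets = [v for t, v in rrs if t == "CNAME"]
        if ips or not targets:  # reached addresses, or a dead end
            break
        current = targets[0].rstrip(".").lower()
        if current in seen:  # CNAME loop: stop instead of spinning
            break
        seen.add(current)
        chain.append(current)
    return chain, ips

def provider_of(ip):
    """Return the provider label whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in PROVIDER_RANGES.items():
        if any(addr in net for net in nets):
            return provider
    return None

def assess(name, records=RECORDS):
    # Flag only when both conditions hold: watched CDN hop AND cloud-hosted endpoint.
    chain, ips = walk_chain(name, records)
    via = any(hop.endswith(WATCHED_SUFFIXES) for hop in chain[1:])
    providers = sorted({p for p in map(provider_of, ips) if p})
    return {"chain": chain, "ips": ips, "via_watched_cdn": via,
            "providers": providers, "flag": via and bool(providers)}
```

Flagging on the combination, rather than on the provider range alone, avoids blocking legitimate services hosted by the same providers.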

Implications for Cloud Security and Regulation

The findings raise critical questions about the role of cloud providers in combating cybercrime.

Silent Push questions why major providers have not yet implemented real-time detection systems capable of identifying and blocking such activities at scale.

The report also emphasizes the need for closer scrutiny of third-party intermediaries who facilitate these operations, as well as stronger international collaboration to address the convergence of cybercrime and traditional organized crime.

Amazon responded to the report by denying any complicity and emphasizing its efforts to suspend fraudulent accounts linked to FUNNULL.

The company stated that it incurs damages from such activities and is committed to improving its detection capabilities.

However, Silent Push argues that more proactive measures are needed to prevent criminal networks from exploiting mainstream hosting services.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.