Cyber Security News

Hackers Exploit AWS & Microsoft Azure for Large-Scale Cyber Attacks

Silent Push, a cybersecurity research firm, has introduced the term “infrastructure laundering” to describe a sophisticated method used by cybercriminals to exploit legitimate cloud hosting services for illegal purposes.

This practice involves renting IP addresses from mainstream providers like Amazon Web Services (AWS) and Microsoft Azure, then mapping them to criminal websites through content delivery networks (CDNs) such as FUNNULL.

Despite efforts by these providers to block fraudulent accounts and IPs, the criminals’ rapid acquisition tactics continue to outpace enforcement.

FUNNULL, a CDN linked to transnational organized crime groups, has reportedly rented over 1,200 IPs from AWS and nearly 200 from Microsoft.

Figure: Map of FUNNULL CNAME chains

While most of these have been taken down, new IPs are regularly acquired using stolen or fraudulent accounts.

Silent Push has identified FUNNULL’s infrastructure as hosting over 200,000 unique domains, primarily generated through Domain Generation Algorithms (DGAs), many of which are associated with phishing schemes, investment scams, and money laundering operations.

The Mechanics of Infrastructure Laundering

Unlike traditional “bulletproof hosting,” where servers resist takedown attempts by operating in jurisdictions with lax regulations, infrastructure laundering leverages legitimate cloud platforms to obscure illicit activities.

By embedding their operations within reputable hosting environments, threat actors gain a layer of legitimacy that complicates detection and mitigation.

This technique also ensures fast global access for their websites while making it challenging for defenders to block traffic without disrupting legitimate services hosted by the same providers.

Silent Push’s research highlights the use of CNAME mapping chains within FUNNULL’s CDN as a key tactic.

These chains link client domains to multiple IP addresses across different regions, creating a decentralized infrastructure that is difficult to track in real time.
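To make the CNAME-chain tactic concrete from a defender's side, here is an added example (not Silent Push's tooling or code from the report) that walks a constructed DNS snapshot, stops on dangling or looping chains, attributes terminal IPs to provider ranges, and groups client domains by the CDN hop they share. All names, IPs (RFC 5737 documentation ranges) and provider ranges are constructed placeholders, not real FUNNULL, AWS or Azure records.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS snapshot (hypothetical names, documentation IPs):
# name -> (record type, targets).
RECORDS = {
    "login-example.test": ("CNAME", ["edge1.cdn-example.test"]),
    "invest-example.test": ("CNAME", ["edge2.cdn-example.test"]),
    "edge1.cdn-example.test": ("CNAME", ["pool-a.cdn-example.test"]),
    "edge2.cdn-example.test": ("CNAME", ["pool-a.cdn-example.test"]),
    "pool-a.cdn-example.test": ("A", ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    "loop.test": ("CNAME", ["loop2.test"]),
    "loop2.test": ("CNAME", ["loop.test"]),
}

# Constructed provider ranges standing in for published cloud IP-range feeds.
PROVIDER_RANGES = {
    "cloud-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cloud-b": [ipaddress.ip_network("198.51.100.0/24")],
}

def walk_chain(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from name; return (hops, ips). Stops on loops or depth."""
    hops, seen = [name], {name}
    while True:
        rtype, targets = records.get(hops[-1], (None, []))
        if rtype == "A":
            return hops, targets
        if rtype != "CNAME" or targets[0] in seen or len(hops) >= max_hops:
            return hops, []  # dangling, looping, or too deep: no terminal IPs
        seen.add(targets[0])
        hops.append(targets[0])

def attribute(ip, ranges=PROVIDER_RANGES):
    """Map a terminal IP to the provider range it falls in, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in ranges.items():
        if any(addr in n for n in nets):
            return provider
    return "unknown"

def pivot_by_chain(domains, cdn_suffix, records=RECORDS):
    """Group client domains by the last CDN hop their chain passes through."""
    groups = defaultdict(list)
    for d in domains:
        hops, ips = walk_chain(d, records)
        cdn_hops = [h for h in hops[1:] if h.endswith(cdn_suffix)]
        if cdn_hops:
            groups[cdn_hops[-1]].append((d, sorted({attribute(ip) for ip in ips})))
    return dict(groups)
```

Replacing RECORDS with live resolver output and PROVIDER_RANGES with the providers' published range feeds turns the same logic into a pivot from one known CDN hop to every client domain sharing it.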

FUNNULL CDN IP addresses by geographic location

The criminals’ ability to repeatedly acquire new IPs underscores gaps in the monitoring and enforcement mechanisms of cloud providers.

Implications for Cloud Security and Regulation

The findings raise critical questions about the role of cloud providers in combating cybercrime.

Silent Push questions why major providers have not yet implemented real-time detection systems capable of identifying and blocking such activities at scale.

The report also emphasizes the need for closer scrutiny of third-party intermediaries who facilitate these operations, as well as stronger international collaboration to address the convergence of cybercrime and traditional organized crime.

Amazon responded to the report by denying any complicity and emphasizing its efforts to suspend fraudulent accounts linked to FUNNULL.

The company stated that it incurs damages from such activities and is committed to improving its detection capabilities.

However, Silent Push argues that more proactive measures are needed to prevent criminal networks from exploiting mainstream hosting services.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
