
AWS and Azure Exploited for Worldwide Cybercrime Operations


Silent Push, a threat intelligence firm, has documented a cybercriminal tactic it calls "Infrastructure Laundering," which is becoming increasingly common. According to research by Silent Push's Threat Analysis team, criminal operators are placing their hosting inside mainstream cloud providers such as Amazon Web Services (AWS) and Microsoft Azure rather than in the traditional hosting havens.

The method lets threat actors conceal malicious infrastructure by renting IP addresses from legitimate providers and pointing their criminal hostnames at those addresses, so the traffic appears to come from reputable provider address space. The FUNNULL content delivery network (CDN) has been found to employ this tactic extensively, and its customers include money laundering services, retail phishing sites, and a range of online scams.

Infrastructure laundering blends criminal hosting into the same address space as legitimate cloud tenants. A defender who blocks the offending IP ranges wholesale also cuts off the legitimate services that share them, so blanket blocking is not an option. This is the key difference from traditional "bulletproof hosting," which operates out of jurisdictions that ignore abuse complaints and whose address space can be blocked outright with little collateral damage.

FUNNULL's operation depends on renting thousands of IP addresses from major cloud providers and continuously cycling through them to stay ahead of takedowns and blocklists. Silent Push reports that FUNNULL rented over 1,200 IPs from Amazon and nearly 200 from Microsoft; most of these have since been taken down, but new IPs are constantly being acquired to replace them.

Silent Push assesses that FUNNULL most likely uses stolen or fraudulently created provider accounts to obtain these IPs, a process that is largely invisible to outside observers. The network's links to money laundering services, retail phishing, and "pig butchering" scams (long-con investment fraud in which victims are groomed before their funds are stolen) show the real-world harm behind the tactic.

A notable supply chain attack in 2024 was linked to FUNNULL: the compromise of the popular JavaScript service polyfill.io, which affected over 110,000 websites that loaded scripts from it and demonstrated the reach of these criminal networks.

Further investigation uncovered a large cluster of malicious infrastructure supporting a wide range of cybercriminal activity, much of it run by Chinese Triad groups. This is consistent with the UNODC's 2024 report on transnational organized crime in Southeast Asia, which describes the convergence of cyber-enabled fraud, underground banking, and technological innovation in the region.

The FUNNULL network of scam and money laundering websites is hosted on a mix of Western IP addresses owned by US companies and Asian hosting providers. The network serves over 200,000 unique hostnames, roughly 95% of which appear to be produced by domain generation algorithms (DGAs), as detailed in Silent Push's blog post.

Researchers also found that the online gambling brand Bwin is being impersonated by FUNNULL, with numerous "Bwin-impersonated sites" discovered on Microsoft infrastructure. Bwin's parent company Entain has confirmed these sites are fake. The trademarks of many other major online gambling brands are likewise being abused across tens of thousands of shell gambling websites.

The ease with which an operation like FUNNULL can keep renting fresh IPs despite being tied to known malicious activity raises questions about provider abuse controls. Because the rented IPs churn constantly, blocking them one by one is a losing game. Silent Push's researchers instead suggest that providers and defenders track the specific CNAME chains FUNNULL uses to map its hostnames onto rented addresses, which are far more stable than the IPs themselves, and monitor for newly rented IPs that resolve through those CNAMEs.
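The check described above, as an added example that is not part of Silent Push's research or tooling: walk a hostname's CNAME chain to its terminal A records, flag chains that pass through a tracked CNAME target, classify the terminal IPs by provider prefix, and report any addresses not seen before. The zone data, the tracked CNAME name `pool7.cdn-front.example`, and the provider prefixes (RFC 5737 documentation ranges standing in for real AWS and Azure ranges) are all constructed for the example so that it runs offline; none of them are real FUNNULL indicators.

```python
import ipaddress

# Constructed stand-in for live DNS answers (hypothetical names, not real indicators).
# Each name maps to a list of (record_type, target) tuples.
FAKE_DNS = {
    "shop-login.example": [("CNAME", "edge.cdn-front.example")],
    "edge.cdn-front.example": [("CNAME", "pool7.cdn-front.example")],
    "pool7.cdn-front.example": [("A", "203.0.113.10"), ("A", "198.51.100.5")],
    "bwin-promo.example": [("CNAME", "pool7.cdn-front.example")],
    "legit-site.example": [("A", "192.0.2.44")],
    "loop-a.example": [("CNAME", "loop-b.example")],
    "loop-b.example": [("CNAME", "loop-a.example")],
}

# Hypothetical provider prefixes. In production, load AWS's ip-ranges.json and
# Azure's Service Tags download instead of these documentation ranges.
PROVIDER_PREFIXES = {
    "aws-like": [ipaddress.ip_network("203.0.113.0/24")],
    "azure-like": [ipaddress.ip_network("198.51.100.0/24")],
}

# CNAME targets an analyst has tied to the operation (hypothetical value).
TRACKED_CNAMES = {"pool7.cdn-front.example"}


def resolve_chain(name, dns=FAKE_DNS, max_hops=8):
    """Follow CNAMEs from `name` and return (chain, terminal_ips).

    Stops with no IPs on a CNAME loop or when max_hops is exceeded, so a
    hostile zone cannot make the walker spin forever.
    """
    chain = [name]
    seen = {name}
    while True:
        records = dns.get(chain[-1], [])
        cnames = [target for rtype, target in records if rtype == "CNAME"]
        if not cnames:
            return chain, [target for rtype, target in records if rtype == "A"]
        nxt = cnames[0]
        if nxt in seen or len(chain) >= max_hops:
            return chain, []
        chain.append(nxt)
        seen.add(nxt)


def classify_ip(ip, prefixes=PROVIDER_PREFIXES):
    """Return the provider label whose prefix contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in prefixes.items():
        if any(addr in net for net in nets):
            return provider
    return None


def audit(hostnames, previously_seen_ips, dns=FAKE_DNS, tracked=TRACKED_CNAMES):
    """Report hostnames whose CNAME chain passes through a tracked target.

    Each finding carries the full chain, the terminal IPs, and the subset of
    those IPs that sit in provider space and were not in the previous snapshot,
    i.e. the newly rented addresses worth escalating to the provider.
    """
    findings = []
    for host in hostnames:
        chain, ips = resolve_chain(host, dns)
        if not tracked.intersection(chain):
            continue
        new_cloud_ips = {
            ip: classify_ip(ip)
            for ip in ips
            if classify_ip(ip) is not None and ip not in previously_seen_ips
        }
        findings.append({
            "hostname": host,
            "chain": chain,
            "ips": ips,
            "new_cloud_ips": new_cloud_ips,
        })
    return findings


if __name__ == "__main__":
    snapshot = {"203.0.113.10"}  # IPs already reported in an earlier run
    for finding in audit(list(FAKE_DNS), snapshot):
        print(finding["hostname"], "->", " -> ".join(finding["chain"][1:]),
              "new cloud IPs:", finding["new_cloud_ips"])
```

To run this against live data, replace `FAKE_DNS` lookups with a resolver query (for example `dns.resolver.resolve(name, "CNAME")` from dnspython) and load the provider prefix lists from AWS's published ip-ranges.json and Azure's Service Tags JSON. The loop guard matters in practice: operators who cycle infrastructure sometimes leave dangling or circular CNAMEs behind, and a naive walker will hang on them.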

In response to the findings, Amazon released a public statement acknowledging the issue and confirming that it suspends fraudulently acquired accounts as they are identified. The company rejected any suggestion that it knowingly enables or profits from such activity and said it continues to investigate and shut down abuse of its services.
