
Chinese Infrastructure Laundering Exploits AWS and Microsoft Cloud Services


Researchers from Silent Push have uncovered a disturbing trend in cybercrime involving the China-based Funnull content delivery network (CDN), which has been engaging in a practice known as “infrastructure laundering.” This deceptive tactic involves threat actors exploiting major hosting providers such as Amazon Web Services (AWS) and Microsoft Azure to carry out their malicious activities.

The investigators at Silent Push first became aware of this practice when they observed a high volume of threat actors using AWS and Microsoft Azure cloud hosting services in their operations. Their research identified Funnull CDN, a Chinese company with a history of suspicious behavior, as the operator behind this scheme. Funnull CDN was found to be renting over 1,200 IPs from AWS and nearly 200 IPs from Microsoft to host a network of scam websites.

Despite efforts to take down these malicious IPs, Funnull CDN continues to acquire new ones regularly, making it challenging for defenders to keep pace with their activities. As stated in the report, “While providers are consistently banning specific IP addresses used by the Funnull CDN, the pace is unfortunately not fast enough to keep up with processes being used to acquire the IPs.”

One security expert, Erich Kron from cybersecurity company KnowBe4, highlighted the complexity of defending against such tactics. By utilizing reputable hosting providers like AWS and Microsoft Azure, threat actors make it difficult for organizations to block IP ranges without inadvertently affecting legitimate users. This blending of malicious activities with legitimate web traffic poses a significant challenge for hosting providers in identifying and preventing illicit behavior.

Funnull CDN has been found to host over 200,000 unique hostnames, the majority of which are generated through domain generation algorithms (DGAs) and linked to various illicit activities, including investment scams and fake trading applications. The report also revealed connections to money laundering through shell gambling websites that exploit the trademarks of popular casino brands.
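The two defensive points above (DGA-generated hostnames as the indicator, and the collateral damage of blocking shared cloud IP ranges) can be combined into a simple triage rule: block by hostname, and only escalate an IP to a range-level block when it sits outside shared cloud space. The script below is an added illustration, not code from Silent Push or from the article; the hostnames, IPs and the cloud CIDR are constructed placeholders, not real indicators.

```python
import math
import ipaddress

# Constructed sample resolutions (hostname -> IP); none are real indicators.
SAMPLE_RESOLUTIONS = {
    "www.example-bank.com": "203.0.113.10",
    "qx7k2mzp9vt.example.net": "198.51.100.23",
    "zj4hw8qkd2nb.example.net": "198.51.100.23",
    "docs.example.org": "198.51.100.77",
    "k9vq3xzt.example.net": "192.0.2.5",
}

# Placeholder CIDR standing in for a cloud provider's published IP ranges.
CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def is_dga_like(hostname):
    """Heuristic: long leftmost label, almost no vowels, digits or high entropy."""
    label = hostname.split(".")[0].lower()
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return len(label) >= 8 and vowel_ratio < 0.2 and (digits > 0 or shannon_entropy(label) > 3.2)


def triage(resolutions, cloud_ranges):
    """Group hostnames by IP and decide a blocking action per IP."""
    by_ip = {}
    for host, ip in resolutions.items():
        entry = by_ip.setdefault(ip, {"hostnames": [], "dga_like": []})
        entry["hostnames"].append(host)
        if is_dga_like(host):
            entry["dga_like"].append(host)
    actions = {}
    for ip, entry in by_ip.items():
        addr = ipaddress.ip_address(ip)
        shared_cloud = any(addr in net for net in cloud_ranges)
        all_bad = len(entry["dga_like"]) == len(entry["hostnames"])
        if entry["dga_like"] and shared_cloud:
            action = "block hostnames; report IP to provider abuse desk"  # no range block
        elif entry["dga_like"] and all_bad:
            action = "block hostnames and IP"  # dedicated bad IP, safe to block
        elif entry["dga_like"]:
            action = "block hostnames only"
        else:
            action = "no action"
        actions[ip] = {"dga_like": sorted(entry["dga_like"]), "shared_cloud": shared_cloud, "action": action}
    return actions
```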

This isn’t the first time Funnull CDN has been associated with suspicious behavior. In a previous incident, the company acquired a domain named polyfill[.]io, which was subsequently used in a supply chain attack affecting thousands of websites. The peak of Funnull CDN’s investment scam infrastructure in 2022 saw thousands of active domains, and although the portfolio has diminished since then, some active sites continue to engage in fraudulent activities.

In response to the findings, AWS acknowledged the suspicious activity and confirmed that all known accounts linked to Funnull CDN’s malicious behavior have been suspended to mitigate any further risk. However, AWS disagreed with the term “infrastructure laundering,” claiming it falsely implies that they are complicit in legitimizing abusive activities.

Microsoft has also initiated an investigation into the reported activities, emphasizing the importance of vigilance in monitoring cloud accounts to prevent unauthorized access. Security expert Erich Kron advises businesses to implement multifactor authentication (MFA) and regularly review account access to thwart malicious actors using stolen or cracked credentials to exploit cloud resources.

As the investigation into Funnull CDN’s activities continues, organizations are urged to stay informed and proactive in safeguarding their cloud assets against potential threats. By staying vigilant and educating users on identifying malicious activity within their cloud accounts, businesses can enhance their cybersecurity posture and defend against emerging threats in the digital landscape.
