Chinese CDN Exploits AWS and Azure in Massive Cloud Infrastructure Abuse Scheme



A recent investigation has uncovered how a Chinese content delivery network (CDN) named Funnull is abusing major cloud providers through a practice the researchers dubbed "infrastructure laundering."

According to research by Silent Push, Funnull has been renting IP addresses from Amazon Web Services (AWS) and Microsoft Azure to host a network of scam websites. The company has acquired over 1,200 IPs from AWS and approximately 200 from Microsoft, continuously rotating to new addresses before the abuse is detected and the old ones are taken away.

In the scheme, Funnull operates as a hosting company, pointing the hostnames of criminal websites at the rented IP addresses. These sites are linked to investment scams, fake trading applications, and gambling operations that misuse popular casino brand trademarks.

"By utilizing major providers, the bad actors make it tough for organizations to block IP ranges because those providers may also be hosting legitimate web services," said Erich Kron from cybersecurity firm KnowBe4.

The research revealed that Funnull CDN hosts more than 200,000 unique hostnames, about 95% of which appear to be generated through domain generation algorithms (DGAs). This activity follows previous suspicious behavior, including a 2023 incident in which Funnull purchased a domain that over 100,000 websites relied on for JavaScript delivery; the domain was later abused in various cyberattacks against those sites' visitors.

AWS has responded to the findings, stating they were "already aware of the activity" and had suspended all known associated accounts. However, AWS disputed the term "infrastructure laundering," arguing it incorrectly implies AWS helps legitimize the abusive activity.

Microsoft confirmed they are investigating the reported activities. Security experts recommend businesses review their cloud accounts, implement multi-factor authentication, and monitor for suspicious activities to avoid becoming victims of account takeovers that enable such schemes.

The ongoing challenge lies in the difficulty of blocking these activities without disrupting legitimate web traffic, as malicious operations are deliberately blended with normal online services.
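The two detection problems the article raises, hostnames that rotate quickly through cloud IP space and DGA-style hostnames blended with legitimate services on the same provider, lend themselves to hostname-centric triage rather than IP-range blocking. The following is an added example written for this page, not code from Silent Push or from the original article, and it does not reproduce their methodology. It assumes a passive-DNS style feed of (first seen, hostname, answer) records, which is constructed inline, and uses IETF documentation prefixes (203.0.113.0/24, 198.51.100.0/24) as stand-ins for real provider feeds such as AWS ip-ranges.json or Azure Service Tags. The DGA check is a crude lexical heuristic (label length, character entropy, vowel and digit ratios) chosen for illustration.

```python
"""Hostname-centric triage for cloud IP rotation and DGA-like names.

Added example for this page, not Silent Push's code. Prefixes and DNS
records below are constructed; the prefixes are documentation ranges
standing in for a real AWS/Azure prefix feed.
"""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in provider prefixes (hypothetical; real feeds are much larger).
CLOUD_PREFIXES = {
    "aws-stand-in": [ipaddress.ip_network("203.0.113.0/24")],
    "azure-stand-in": [ipaddress.ip_network("198.51.100.0/24")],
}

T0 = datetime(2025, 1, 30, 0, 0)
H = timedelta(hours=1)

# Constructed passive-DNS records: (first_seen, hostname, A-record answer).
OBSERVATIONS = [
    (T0,         "kx7q2mz9vblw.example",   "203.0.113.10"),
    (T0 + 6 * H, "kx7q2mz9vblw.example",   "203.0.113.77"),
    (T0 + 12 * H, "kx7q2mz9vblw.example",  "198.51.100.5"),
    (T0 + 18 * H, "kx7q2mz9vblw.example",  "203.0.113.200"),
    (T0,         "login.example",          "203.0.113.10"),   # legitimate, stable, shares an IP
    (T0 + 12 * H, "login.example",         "203.0.113.10"),
    (T0,         "www.example",            "192.0.2.8"),      # outside the cloud ranges
    (T0,         "fast-trade-app.example", "198.51.100.9"),   # dictionary words, but rotating
    (T0 + 8 * H, "fast-trade-app.example", "198.51.100.44"),
    (T0 + 16 * H, "fast-trade-app.example", "203.0.113.3"),
]


def cloud_provider(ip):
    """Return the provider whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_PREFIXES.items():
        if any(addr in n for n in nets):
            return provider
    return None


def shannon_entropy(s):
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0


def registrable_label(hostname):
    """Label left of the TLD. Simplification: no public-suffix list."""
    parts = hostname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(hostname):
    """Crude lexical DGA heuristic, 0 to 4. Illustrative only."""
    label = registrable_label(hostname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / max(len(label), 1)
    score = 0
    score += len(label) >= 10
    score += shannon_entropy(label) >= 3.2
    score += vowel_ratio < 0.25
    score += digit_ratio >= 0.2
    return score


def max_cloud_ips_in_window(records, window=timedelta(hours=24)):
    """Most distinct cloud IPs one hostname resolved to inside any window."""
    recs = sorted((t, ip) for t, ip in records if cloud_provider(ip))
    best = 0
    for i, (start, _) in enumerate(recs):
        seen = {ip for t, ip in recs[i:] if t - start <= window}
        best = max(best, len(seen))
    return best


def triage(observations, rotation_threshold=3):
    """Flag hostnames that rotate through cloud IPs or look DGA-generated."""
    by_host = defaultdict(list)
    for t, host, ip in observations:
        by_host[host].append((t, ip))
    flagged = {}
    for host, recs in by_host.items():
        providers = set(filter(None, (cloud_provider(ip) for _, ip in recs)))
        rotation = max_cloud_ips_in_window(recs)
        dga = dga_score(host) >= 3
        if rotation >= rotation_threshold or (dga and providers):
            flagged[host] = {"providers": providers,
                             "distinct_cloud_ips": rotation, "dga": dga}
    return flagged


def shared_ips(observations, flagged):
    """IPs used by both flagged and unflagged hostnames: blocking them (or
    their prefix) would take legitimate names down with the scam ones."""
    hosts_by_ip = defaultdict(set)
    for _, host, ip in observations:
        hosts_by_ip[ip].add(host)
    return {ip: hosts for ip, hosts in hosts_by_ip.items()
            if any(h in flagged for h in hosts)
            and any(h not in flagged for h in hosts)}


if __name__ == "__main__":
    flagged = triage(OBSERVATIONS)
    for host, info in flagged.items():
        print(host, info)
    print("collateral if blocked by IP:", shared_ips(OBSERVATIONS, flagged))
```

On the constructed data, both `kx7q2mz9vblw.example` (four cloud IPs across two providers, DGA-like) and `fast-trade-app.example` (readable name, but three cloud IPs in a day) are flagged, while `login.example` is not. `shared_ips` then shows that `203.0.113.10` serves both a flagged and a legitimate hostname, which is the collateral-damage problem the article describes: the actionable indicator is the hostname, not the IP or the prefix. Thresholds are illustrative and should be tuned against a real feed.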