
Source: Silent Push
A new report from Silent Push reveals how a China-linked CDN called FUNNULL is exploiting major cloud providers like Amazon Web Services (AWS) and Microsoft Azure to host a vast network of malicious websites.
The report details how FUNNULL is using a technique called “infrastructure laundering” to obfuscate its operations and evade detection. This technique involves renting IP addresses from legitimate cloud providers and mapping them to malicious websites through CNAME records.
“As opposed to when criminals are restricted to using bulletproof hosting services, their infrastructure can then be easily blocked without the risk of causing accidental service disruption to the defending companies’ business operations,” the report states.
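The defender-side check implied by this description, as an added example that is not from the Silent Push report: follow a domain's CNAME chain to its final A records and test whether they fall inside cloud provider address ranges. The DNS snapshot, hostnames and prefixes below are constructed placeholders, not data from the report or the providers' real published ranges.

```python
import ipaddress

# Constructed DNS snapshot (hypothetical names on the reserved .test TLD; nothing
# here comes from the report). Each name maps to a CNAME target or to its A records.
DNS = {
    "offers.example-casino-lookalike.test": {"CNAME": "edge.cdn-example.test"},
    "edge.cdn-example.test": {"CNAME": "node7.cdn-example.test"},
    "node7.cdn-example.test": {"A": ["203.0.113.25"]},
    "shop.legit-example.test": {"A": ["198.51.100.9"]},
    "loop-a.test": {"CNAME": "loop-b.test"},
    "loop-b.test": {"CNAME": "loop-a.test"},
}

# Placeholder prefixes (RFC 5737 documentation nets) standing in for the address
# ranges that AWS and Azure publish; substitute the real published lists in use.
CLOUD_PREFIXES = {
    "cloud-provider-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cloud-provider-B": [ipaddress.ip_network("198.51.100.0/25")],
}
MAX_CHAIN = 8  # cap on CNAME hops, so a long or looping chain cannot stall the check

def resolve_chain(name, dns=DNS):
    """Follow CNAMEs from name. Returns (chain, a_records); chain starts with name.
    A missing record, a loop or an over-long chain ends with no A records."""
    chain, seen = [name], {name}
    while len(chain) <= MAX_CHAIN:
        rec = dns.get(chain[-1])
        if rec is None:
            return chain, []
        if "A" in rec:
            return chain, list(rec["A"])
        nxt = rec["CNAME"]
        if nxt in seen:  # CNAME loop
            return chain, []
        seen.add(nxt)
        chain.append(nxt)
    return chain, []

def classify(name, dns=DNS, prefixes=CLOUD_PREFIXES):
    """Triage record: cloud prefixes the final A records fall in, and whether a
    CNAME indirection sits in front of them. The 'review' flag is a heuristic for
    analyst follow-up, not proof of abuse: legitimate sites also CNAME to CDNs."""
    chain, ips = resolve_chain(name, dns)
    providers = set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        providers.update(p for p, nets in prefixes.items() if any(addr in n for n in nets))
    return {"name": name, "cname_hops": len(chain) - 1, "ips": ips,
            "cloud_providers": sorted(providers),
            "review": bool(providers) and len(chain) > 1}
```

A live version would replace the dictionary lookup with real resolver queries and load the providers' published prefix lists; the chain-following and range-matching logic stays the same.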
FUNNULL’s network hosts a variety of malicious websites, including investment scams, fake retail sites, and sites that impersonate popular casino brands. These websites are designed to steal sensitive information from unsuspecting users, such as login credentials, credit card details, and personal information.
One notable example is the impersonation of Bwin. Silent Push discovered dozens of fake Bwin websites hosted on Microsoft’s infrastructure through FUNNULL CDN. These websites were used to phish for user credentials and likely facilitate money laundering activities.
The report highlights the challenges that cloud providers face in detecting and mitigating infrastructure laundering. FUNNULL is actively acquiring new IPs, even as existing ones are being banned. This suggests that the CDN is using fraudulent or stolen accounts to obtain these IPs, exploiting potential vulnerabilities in the account verification processes of cloud providers.
Silent Push’s analysis also revealed that FUNNULL has been renting Microsoft IP space since at least 2021, indicating the long-standing nature of this issue. The report raises concerns about the effectiveness of current security measures in preventing infrastructure laundering and calls for greater collaboration between cloud providers and security researchers to address this growing threat.
In response to the report, Amazon issued a statement acknowledging the issue and outlining its efforts to suspend fraudulently acquired accounts linked to FUNNULL’s activity. However, Silent Push emphasizes the need for more proactive measures to prevent infrastructure laundering and protect users from falling victim to malicious websites hosted on legitimate cloud infrastructure.