Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech

Silent Push has identified a growing criminal practice known as “Infrastructure Laundering,” where threat actors rent IP addresses from mainstream cloud providers like AWS and Microsoft Azure to host illicit content. Despite efforts to ban these IPs, new ones are continually acquired, raising concerns about the effectiveness of cloud providers in detecting and preventing such abuses.

Affected: Amazon Web Services, Microsoft Azure

Key points:

  • Infrastructure Laundering is a term coined by Silent Push to describe the rental of IP addresses by criminals from legitimate hosting providers.
  • FUNNULL has rented over 1,200 IPs from AWS and nearly 200 from Microsoft, with ongoing acquisition of new IPs.
  • Cloud providers struggle to keep up with the rapid acquisition of IPs used for criminal activities.
  • FUNNULL’s activities are linked to money laundering, phishing schemes, and other cybercrimes.
  • There are significant visibility gaps in cloud providers’ monitoring systems, allowing criminals to exploit their services.

MITRE Techniques:

  • TA0040: Impact – FUNNULL’s activities directly affect the integrity of legitimate businesses through scams and phishing.
  • TA0001: Initial Access – FUNNULL likely uses stolen or fraudulent accounts to acquire IP addresses.
  • TA0007: Discovery – The use of CNAME mapping allows FUNNULL to obscure the origins of their infrastructure.
  • TA0009: Collection – FUNNULL collects sensitive information through phishing schemes targeting major brands.
  • TA0011: Command and Control – FUNNULL utilizes a network of rented IPs to maintain control over their criminal operations.
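The CNAME-mapping point above describes names that resolve through one or more CNAME hops before landing on a rented cloud IP. The following is an added example, not code from Silent Push or the original article: it follows a CNAME chain in a constructed DNS snapshot, checks whether the terminal IP falls inside a provider prefix list, and flags the combination. All names, IPs and prefixes are constructed placeholders (TEST-NET ranges standing in for real published lists such as AWS ip-ranges.json).

```python
"""Flag names whose CNAME chain terminates on an IP inside a cloud prefix list."""
import ipaddress

# Constructed DNS snapshot: name -> ("CNAME", target) or ("A", ip). Not real resolutions.
DNS = {
    "scam.example": ("CNAME", "edge.fn-cdn.example"),
    "edge.fn-cdn.example": ("CNAME", "node7.fn-cdn.example"),
    "node7.fn-cdn.example": ("A", "203.0.113.10"),
    "legit.example": ("A", "198.51.100.5"),
    "loop1.example": ("CNAME", "loop2.example"),
    "loop2.example": ("CNAME", "loop1.example"),
}

# Constructed stand-in for provider prefix lists (AWS ip-ranges.json, Azure service tags).
# These are TEST-NET documentation ranges, not real cloud allocations.
CLOUD_PREFIXES = {
    "aws-placeholder": [ipaddress.ip_network("203.0.113.0/24")],
    "azure-placeholder": [ipaddress.ip_network("192.0.2.0/24")],
}


def resolve_chain(name, dns, max_hops=8):
    """Return (cname_hops, final_ip); final_ip is None on a loop, dangling CNAME or depth limit."""
    hops, seen, cur = [], set(), name
    while cur in dns and cur not in seen and len(hops) < max_hops:
        seen.add(cur)
        rtype, value = dns[cur]
        if rtype == "A":
            return hops, value
        hops.append(value)
        cur = value
    return hops, None


def cloud_owner(ip, prefixes=CLOUD_PREFIXES):
    """Return the prefix-list label containing ip, or None if it is outside every list."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in prefixes.items():
        if any(addr in net for net in nets):
            return owner
    return None


def assess(name, dns=DNS, prefixes=CLOUD_PREFIXES):
    """Report CNAME depth, terminal IP and cloud owner; flag when a CNAME chain hides a cloud IP."""
    hops, ip = resolve_chain(name, dns)
    owner = cloud_owner(ip, prefixes) if ip else None
    return {"name": name, "cname_hops": len(hops), "ip": ip,
            "cloud_owner": owner, "flag": owner is not None and len(hops) >= 1}
```

In practice the snapshot would come from passive DNS and the prefix lists from the providers' published feeds; a flag is a triage signal, not proof of abuse, since legitimate CDN customers produce the same shape.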

Indicators of Compromise:

  • [domain] funnull[.]vip
  • [domain] funnull01[.]vip
  • [domain] fn03[.]vip
  • [url] cmegrouphkpd[.]info
  • [url] coroexchange[.]com
  • Check the article for all found IoCs.

Full Research: https://www.silentpush.com/blog/infrastructure-laundering/