
Infrastructure Laundering: How Cybercriminals Are Exploiting Cloud Services to Conceal Fraud

February 23, 2025 6:00 AM | Anonymous member (Administrator)

In the evolving landscape of cyber threats, a new and concerning practice has emerged: Infrastructure Laundering. The term, introduced by the cybersecurity firm Silent Push, describes a method in which threat actors, posing as legitimate hosting companies, rent IP addresses from major cloud providers and place their malicious infrastructure behind them. Because those addresses share the reputation of the provider's legitimate customers, IP-reputation feeds and provider- or ASN-level blocking lose much of their value, which is what makes the tactic hard to counter with traditional controls.

Understanding Infrastructure Laundering

Infrastructure Laundering involves cybercriminals borrowing the credibility of established cloud services to mask their illicit operations. By renting IP addresses from reputable providers such as Amazon Web Services (AWS) and Microsoft Azure, these actors place their malicious infrastructure inside address space that is otherwise full of legitimate tenants. Defenders then cannot distinguish genuine from harmful traffic by origin alone: blocking an entire provider prefix or autonomous system would take legitimate services offline along with the fraud. In practice this pushes detection toward host-level indicators (individual IP addresses, domains, TLS certificates) and behavioural signals such as a domain rapidly rotating through freshly rented addresses.

The FUNNULL CDN Case

Silent Push’s research highlights the FUNNULL content delivery network (CDN) as a prominent example of Infrastructure Laundering. FUNNULL has reportedly rented over 1,200 IP addresses from AWS and nearly 200 from Microsoft Azure. Although many of these addresses have since been deactivated, FUNNULL keeps acquiring new ones, often through fraudulent or stolen accounts. This cycle of rent, burn, and re-rent lets it keep operating despite takedown efforts, and it is the behaviour defenders should look for: the same domains reappearing on new cloud addresses shortly after the old ones are reported.
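The rotation pattern described above can be surfaced from passive-DNS style observations without blocking any provider prefix. The following Python is an added example, not code from Silent Push or from the original post. The provider prefix lists, domains and DNS records are all constructed here (RFC 5737 documentation ranges and `.example` names) so the script runs offline; in production the prefixes would come from AWS's ip-ranges.json and Azure's ServiceTags JSON, and the records from a passive-DNS feed. The thresholds (`min_ips`, `window_days`) are assumptions to tune against your own data.

```python
"""Flag domains that churn through rented cloud IP space (illustrative)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins for provider prefix lists. These are RFC 5737
# documentation ranges, not real AWS or Azure allocations.
CLOUD_PREFIXES = {
    "AWS": [ipaddress.ip_network("192.0.2.0/25"),
            ipaddress.ip_network("192.0.2.128/25")],
    "Azure": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed passive-DNS style observations: (date, domain, answer IP).
# "shop-deals.example" plays the role of a laundered phishing host that
# hops across rented AWS and Azure addresses; the other two are stable.
RECORDS = [
    ("2025-01-02", "shop-deals.example", "192.0.2.10"),
    ("2025-01-05", "shop-deals.example", "192.0.2.77"),
    ("2025-01-09", "shop-deals.example", "198.51.100.4"),
    ("2025-01-12", "shop-deals.example", "192.0.2.200"),
    ("2025-01-16", "shop-deals.example", "198.51.100.90"),
    ("2025-01-02", "saas-vendor.example", "192.0.2.50"),
    ("2025-01-20", "saas-vendor.example", "192.0.2.50"),
    ("2025-01-03", "corp-site.example", "203.0.113.8"),
    ("2025-01-18", "corp-site.example", "203.0.113.8"),
]


def provider_for(ip):
    """Return the cloud provider whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return None


def churn_profile(records):
    """Per domain: distinct cloud IPs, providers seen, first/last sighting."""
    profile = defaultdict(lambda: {"ips": set(), "providers": set(),
                                   "first": None, "last": None})
    for date, domain, ip in records:
        prov = provider_for(ip)
        if prov is None:          # not in rented cloud space, ignore
            continue
        day = datetime.strptime(date, "%Y-%m-%d")
        p = profile[domain]
        p["ips"].add(ip)
        p["providers"].add(prov)
        p["first"] = day if p["first"] is None else min(p["first"], day)
        p["last"] = day if p["last"] is None else max(p["last"], day)
    return profile


def flag_rotating(records, min_ips=3, window_days=30):
    """Flag domains that used >= min_ips distinct cloud IPs within window_days."""
    flagged = {}
    for domain, p in churn_profile(records).items():
        span = (p["last"] - p["first"]).days
        if len(p["ips"]) >= min_ips and span <= window_days:
            flagged[domain] = {"ips": len(p["ips"]),
                               "providers": sorted(p["providers"]),
                               "span_days": span}
    return flagged


def block_list(flagged, records):
    """Emit /32 indicators only. Blocking the enclosing provider prefix
    would also cut off the legitimate tenants sharing that range."""
    ips = {ip for _, domain, ip in records if domain in flagged}
    return [f"{ip}/32" for ip in sorted(ips, key=ipaddress.ip_address)]


if __name__ == "__main__":
    hits = flag_rotating(RECORDS)
    for domain, info in hits.items():
        print(f"{domain}: {info['ips']} cloud IPs across "
              f"{'/'.join(info['providers'])} in {info['span_days']} days")
    print("block:", block_list(hits, RECORDS))
```

The block list is deliberately host-granular: the laundered domain is the pivot, and its individual addresses are the indicators. A second useful signal is the `providers` field; a retail storefront that bounces between AWS and Azure addresses every few days looks nothing like a normally hosted site and merits a closer look even when each individual IP still has a clean reputation.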

The malicious activities facilitated by FUNNULL’s infrastructure are diverse and alarming:

  • Money Laundering Services: Hosting platforms that assist in concealing the origins of illicit funds.
  • Retail Phishing Schemes: Deceptive websites designed to steal personal and financial information from unsuspecting consumers.
  • Pig-Butchering Scams: Sophisticated frauds where victims are enticed into long-term schemes, often involving fake investments, leading to substantial financial losses.

Challenges and Questions

The ongoing success of Infrastructure Laundering raises critical questions about the current capabilities of cloud service providers:

  • Detection and Response: Why do cloud providers struggle to identify and halt the illicit rental of IP addresses in real time?
  • Post-Takedown Analysis: When a hosting account is terminated for fraudulent activities, are providers thoroughly investigating the associated content and monitoring for similar patterns within their networks?
  • Continuous Acquisition: How can entities like FUNNULL repeatedly obtain new IP addresses from mainstream providers, even after previous accounts have been banned?

These concerns suggest potential gaps in the monitoring and enforcement mechanisms of cloud services, which threat actors are adeptly exploiting.

Mitigation Strategies

Addressing Infrastructure Laundering requires a collaborative and multi-faceted approach:

  • Enhanced Monitoring: Cloud providers must implement robust systems to detect suspicious activities related to IP rentals and swiftly act upon them.
  • Information Sharing: Establishing channels for real-time communication between cloud services and cybersecurity firms can aid in the rapid identification of emerging threats.
  • Regulatory Oversight: Governments and regulatory bodies should consider frameworks that hold service providers accountable for the misuse of their platforms, ensuring they take proactive measures against such exploitation.

Conclusion

Infrastructure Laundering represents a significant evolution in cybercriminal tactics, effectively blending malicious activities within the fabric of legitimate cloud services. For professionals in the anti-fraud and cybersecurity sectors, understanding and combating this practice is imperative. By enhancing detection capabilities, fostering collaboration, and advocating for stringent oversight, the cybersecurity community can work towards dismantling these covert operations and safeguarding the integrity of our digital infrastructure.

Copyright © 2024 Pacific Northwest Chapter, ACFE - All Rights Reserved.

"ACFE Pacific Northwest Chapter" is a 501(c)3 non-profit organization. Bellevue, WA