New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

A sophisticated cyberattack campaign is targeting organizations that still rely on Active Directory Federation Services (ADFS) for authentication across applications and services.

Source: Ronstik via Alamy Stock Photo

A phishing campaign is exploiting Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts, allowing threat actors to commit further malicious activities across networks that depend on the service for single sign-on (SSO) authentication.

Researchers from Abnormal Security discovered the campaign, which is targeting about 150 organizations — primarily in the education sector — that rely on ADFS to authenticate across multiple on-premises and cloud-based systems.

The campaign uses spoofed emails that direct people to fake Microsoft ADFS log-in pages, which are personalized for the particular MFA setup used by the target. Once a victim enters credentials and an MFA code, attackers take over the accounts and are able to pivot to other services through the SSO function. They appear to be carrying out a range of post-compromise activities, including reconnaissance, the creation of mail filter rules to intercept communications, and lateral phishing that targets other users in the organization.

Targeting the legacy SSO capability in ADFS, a function that's "convenient for enterprise users," can reap big dividends, observes Jim Routh, chief trust officer at security firm Saviynt. The feature was originally designed for use behind a firewall but is now more exposed because it's increasingly been applied across cloud-based services, even though it was never designed for that, he notes.

Related:Why Cybersecurity Needs Probability — Not Predictions

Attackers in the campaign are spoofing Microsoft ADFS login pages to harvest user credentials and bypass MFA in a way that one longtime security professional says he hasn't seen before.

"This is the first time I've read about fake ADFS login pages," observes Roger Grimes, data-driven defense evangelist at security firm KnowBe4.

**Help Desk Lures for Credential Theft**

Targets of the campaign receive emails designed to appear as notifications from the organization's IT help desk — a widely used phishing ruse — with a message informing the recipient of an urgent or important update that requires their immediate attention. The message asks them to use the provided link to initiate the requested action, such as accepting a revised policy or completing a system upgrade.

Still, the emails include various features that make them appear convincing, including spoofed sender addresses that appear as if they originate from trusted entities, fraudulent login pages that mimic legitimate branding, and malicious links that mimic the structure of legitimate ADFS links, the researchers noted.

Related:DNSFilter's Annual Security Report Reveals Worrisome Spike in Malicious DNS Requests

"In this campaign, attackers exploit the trusted environment and familiar design of ADFS sign-in pages to trick users into submitting their credentials and second-factor authentication details," according to the report.

**Targeting Legacy Users**

While the campaign targets various industries, organizations bearing the brunt of attacks — more than 50% — are schools, universities, and other educational institutions, the researchers said. "This highlights the attackers' preference for environments with high user volumes, legacy systems, fewer security personnel, and often less mature cybersecurity defenses," according to the report.

Other sectors targeted in the campaign that also reflect this preference include, in order of attack frequency: healthcare, government, technology, transportation, automotive, and manufacturing.

Indeed, while Microsoft and Abnormal Security both recommend that organizations transition to its modern identity platform, Entra, for authentication, many organizations with less sophisticated IT departments still depend on ADFS, and thus remain vulnerable, the researchers noted.

"This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies — making them prime targets for credential harvesting and account takeovers," according to the report.

Related:Black Hat USA 2024 Highlights

However, even if an organization is still using ADFS, it still can take steps to protect themselves, Grimes says. He recommends that all users use "phishing-resistant MFA" whenever they can, for example.

Other mitigations recommended by the researchers include user education about modern attacker phishing techniques and psychological tactics, and the use of advanced email filtering, anomaly detection, and behavior monitoring technologies to identify and mitigate phishing attacks and detect compromised accounts early.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Target Education Sector, Hijack Microsoft Accounts

Organizations continue to be at high risk from cybercrime in Africa, despite law enforcement takedowns of cybercriminal syndicates in Nigeria and other African nations.

Threat Index global mapSource: Check Point Software Technologies

Nigeria's government has taken a tougher stance against financial fraud and cybercrime, arresting more than 1,000 people in the past year and successfully prosecuting 152 cases related to cyber-related fraud and scams.

On Feb. 3, Nigeria's Economic and Financial Crimes Commission (EFCC) arraigned 42 foreign nationals — mainly Chinese and Filipino — on charges related to alleged cryptocurrency investment and romance fraud, part of a massive raid conducted in December 2024 against a purported cybercriminal syndicate of nearly 800 people.

The defendants willfully "caused to be accessed, a computer system which was organized to seriously destabilize the economic and social structure of the Federal Republic of Nigeria, by procuring and employing several Nigerian youths for identity theft and other computer related fraud," according to an EFCC statement.

Cybercrime and cyberattacks continue to be a major problem for Nigeria, and Africa as a whole. The average African organization sees nearly 3,200 attacks per week, 73% more than the global average, according to data provided by cybersecurity firm Check Point Software Technologies. Africa has increasingly become a hub for cybercrime, charting eight countries in Check Point's top 20 areas at high risk of cybercrime. Ethiopia claimed the top spot as the riskiest nation for cybercrime, while Nigeria ranked number 19.

The continent is rapidly adopting technology, not always with the right security, leading to vulnerable systems, says Lionel Dartnall, acting country manager for South Africa at Check Point.

"We are seeing that Africa is particularly susceptible compared to other regions, and many attackers often test new methods here before deploying them in other parts of the world," he says, listing the rapidly expanding digital footprint and widespread adoption of cloud computing as factor\[s\] that are opening up the region to more attacks."

**Africa: Rapidly Securing Its Ecosystem**

Overall, the Global South — including nations in the African, Latin American, and South Asian regions — have the lowest number of organizations reporting themselves to be cyber-resilient, according to the World Economic Forum's "Global Cybersecurity Outlook 2025." In Europe and North America, about 15% of organizations lack confidence in their nation's ability to respond to significant cyber incidents. In Africa and Latin America, 36% and 42% lack confidence, respectively.

While African nations are disproportionately represented in the top-20 cyber-riskiest nations and in lacking confidence in their cyber resilience, their economies are also topping the list in terms of growth, with 11 of the 20 fastest-growing economies in Africa. Overall, Africa's younger population and the increased digitization brings more risk, but also more opportunities, Check Point's Dartnall says.

"\[T\]he continent has only 20,000 qualified cybersecurity engineers, indicating a critical need for more experts to join the field," he says. "However, there is a focus by both private and public sector institutions to stimulate cyber security training especially among young people, both to plug the acute skills gap and also provide critically needed employment."

Organizations in Nigeria — and Africa as a whole — have suffered a much higher pace of attacks, compared with global groups. Source: Check Point Software's "2024 African Perspectives on Cyber Security"

Nigeria, however, continues to face economic problems that impact its ability to create a trusted online ecosystem. Nigeria had significant economic challenges over the past three years, including annual inflation of more than 30%, higher unemployment, and growing debt, according to PricewaterhouseCoopers' 2025 Nigeria Budget and Economic Outlook. In 2024, the Nigerian government had to pause the implementation of a cybersecurity tax after public dissent. At the same time, Nigeria saw far more attacks per organizations than the global average.

**Importing Cybercrime**

The trick for countries like Nigeria is to make cybersecurity jobs available and more appealing than cybercrime. The government has already reached out to organizations, such as the Student Union Executives and the Nigeria Internet Registration Association (NIRA), to bolster cybersecurity training and fraud awareness.

In addition, law enforcement authorities have ramped up investigations and enforcement operations in the last year. In July 2024, Interpol worked with authorities in 21 countries to arrest the West African cybercriminals involved in financial fraud in an effort dubbed Operation Jackal III. In December 2024, similar cooperation led to the arrest of more than 1,000 suspects linked to more than $192 million in financial losses across Africa.

The Nigerian government has stressed that many of the cybercriminal schemes that operate in the country are not run by Nigerians. During the massive raid leading to the arrest of 792 suspects allegedly involved in a romance and cryptocurrency-investment fraud ring, nearly a quarter of those detained were not Nigerian citizens and included 148 Chinese, 40 Filipinos, two Kharzartans, one Pakistani, and one Indonesian, according to a December 2024 statement.

"Foreigners are taking advantage of our nation's unfortunate reputation as a haven of frauds to establish a foothold here to disguise their atrocious criminal enterprises," Ola Olukoyede, the EFCC chairman, said at a press conference. "But, as this operation has shown, there will be no hiding places for criminals in Nigeria."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria Touts Cyber Success, Even as Cybercrime Rises in Africa

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

Source: Mike via Adobe Stock Photo

Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars?

Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't.

The forgeries created by modern fraud groups use cutting-edge AI-driven deepfake technology to create fake identities, avatars, and documents that even a trained eye would have trouble spotting, says Ofer Freidman, chief business development officer of identity verification and ID management automation company AU10TIX. These groups are using GenAI to steal personal data, craft convincing fake identities, and execute fraud schemes.

Fraudsters acquire personal data from individuals through a combination of methods, including phishing, social engineering, and hacking corporate databases. They can also buy the information from cybercrime marketplaces. They can then use an AI system to randomize the information, such as names, addresses, and document numbers, to generate new fake identities. AI is better at avoiding repetitive patterns than humans, making it more likely that these fake identities will evade detection systems and monitors, Friedman says. 

Traditional forgeries could be identified by spotting inconsistencies, such as mismatched shadows or areas that were low resolution compared to the rest. While there are ways to identify deepfakes (such as counting the fingers on the person's hands), each model is getting better at producing uniform, high-quality content. 

For fraudsters, every payday doesn't need to be huge because they are operating in an "industrialized, systematic way," Friedman says. "You can go for $1 million or you can go 100 times for $10,000. It's the same effort because it's a machine doing it for you, unlike the good old days when you actually had to do it one by one."

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Are Modern Fraud Groups Using GenAI and Deepfakes?

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

Source: Ronstik via Alamy Stock Photo

NEWS BRIEF

Developers and security teams are bombarded with too many security alerts. Security tools are finding issues, but organizations lack the staff and time to address the most severe security findings. That is why there has been a lot of discussion on how artificial intelligence (AI) can help prioritize and triage the volume of security alerts to a more manageable amount.

Backline, which came out of stealth on Jan. 30, goes a step further, using AI agents to remediate security vulnerabilities and misconfigurations automatically. The autonomous security remediation platform integrates seamlessly with the organization's existing security tools and consolidates the information into a centralized security findings lake, the company said. The AI-native remediation playbooks the platform uses have been enriched with customer-specific context, Backline said.

Backline's autonomous security remediation platform can safely implement verified code and configuration changes. Backline's agents analyze security findings, gather necessary context, determine the optimal fix for the organization's environment, implement the necessary changes, and then test the fixes. Teams can choose their preferred level of oversight and automation.

When the AI agent needs human analysts to intervene or provide more context, it contacts the relevant engineers using tools such as Jira, Slack, and GitHub.

As part of the launch, Backline also raised $9 million in seed funding from StageOne Ventures, Evolution Equity Partners, and Gradient. Backline's co-founder and CEO, Maor Goldberg, previously co-founded Whitebox Security, which he sold to SailPoint in 2015, and Apolicy, which was sold to Sysdig in 2021. Goldberg left Sysdig in 2024 to start Backline with Eran Leib, chief customer officer, and Aviad Chen, vice president of research and development.

Backline Tackles Enterprise Security Backlogs With AI

Researchers measured a threefold increase in credential stealing between 2023 and 2024, with more than 11.3 million such thefts last year.

Source: Artur Marciniec via Alamy Stock Photo

NEWS BRIEF

After analyzing more than a million pieces of malware collected in 2024, researchers have found that 25% of them target user credentials.

That's three times the number from 2023 and has bumped stealing credentials from password stores into the top 10 techniques listed in the MITRE ATT&CK framework, which accounted for 93% of all malicious cyber activity in 2024.

In "The Red Report 2025" conducted by Picus Security, researchers observed that the attackers are prioritizing "complex, prolonged, multi-stage attacks that require a new generation of malware to succeed." In what the researchers dubbed "SneakThief," threat actors are looking to revolutionize info-stealing malware, focusing on increased stealth, persistence, and automation.

The researchers add that threat actors likely have their sights set on these malware attributes in order to pull off "the perfect heist," adding that most malware samples now have the capability to do so with more than a dozen malicious actions installed to help bad actors evade defenses, exfiltrate data, and more.

The researchers also report they found no evidence that cybercriminals are using AI-driven malware, and that malware samples on average can complete 14 malicious actions. And of the millions of cybercrime acts seen in 2024, exfiltration and stealth tactics made up 11.3 million.

"Focusing on Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Credential Theft Becomes Cybercriminals' Favorite Target

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Ferret Malware Added to 'Contagious Interview' Campaign

Ransomware actors are offering individuals millions to turn on their employers and divulge private company information, in a brand-new cybercrime tactic.

Source: Mayam studio via Shutterstock

Ransomware actors are utilizing a previously unseen tactic in their ransomware notes: posting advertisements to solicit insider information.

Researchers at the GroupSense threat intelligence team shared their findings with Dark Reading, including screenshots of the strategies these gangs are using. Groups including Sarcoma and another syndicate believed to be impersonating LockBit ransomware, known as DoNex, have adopted the strategy, the firm noted.

Part of one ransomware note includes the usual details stating that the company is in critical condition, its backups destroyed, and databases exported. Farther down in the message, however, the group states: "If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In a different ransom note, the threat actors write: "Would you like to earn millions of dollars $$$ ?  Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.  You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc. "

Related:Credential Theft Becomes Cybercriminals' Favorite Target

A ransom note from a threat group impersonating LockBit. Source: GroupSense

The threat actors then go on to detail how those who are interested can open their letter and launch a virus on their work computer. The communication is done through Tox messenger so that the users privacy is "guaranteed."

Kurtis Minder, CEO and founder at GroupSense, notes that the company sees a variety of ransom notes in the course of incident response, however, it's only been this past week that its researchers have noticed the "pseudo advertisements" at the bottom of these notes.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," says Minder. "I don't know the right answer, but obviously these notes do get passed around." He notes that these threat actors may maintain a "why not" attitude toward incorporating such ads into their ransom notes. And when one ransomware actor starts a new tactic, the rest are quick to follow.

But for any individuals interested in taking up such an offer from cybercriminals, it's better to be safe than sorry.

"These folks have no accountability, so there's no guarantee you would get paid anything," Minder adds. "You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to look through past ransom notes to find any earlier indication of the trend, and Minder says he expects to find more ads in addition to those already discovered.

Related:Ferret Malware Added to 'Contagious Interview' Campaign

The news comes as ransomware activity continues to grow, with cyberattackers raking in hefty profits despite a rash of law enforcement actions over the course of the past year.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Cybercriminals Court Traitorous Insiders via Ransom Notes

Funnull CDN rents IPs from legitimate cloud service providers and uses them to host criminal websites, continuously cycling cloud resources in and out of use and acquiring new ones to stay ahead of cyber-defender detection.

Source: Aleksia via Alamy Stock Photo

Researchers have linked the China-based Funnull content delivery network (CDN) to a malicious practice they've dubbed "infrastructure laundering," in which threat actors exploit mainstream hosting providers such as Amazon Web Services (AWS) and Microsoft Azure. The activity involves threat actors operating "hosting companies" that rent IP addresses from these providers and then map them to their criminal websites.

Researchers from Silent Push discovered the practice when they noticed that AWS and Microsoft Azure cloud hosting services are "often seen in large-scale use by threat actors," according to the recently published report. Further investigation led them to the discovery that Funnull CDN, a Chinese company that already has raised suspicions for other malicious activity, has been using this tactic to host a network of scam websites.

Funnull has rented more than 1,200 IPs from AWS and nearly 200 IPs from Microsoft, according to Silent Push. While these have nearly all been taken down as of this writing, the company continuously acquires new IPs every few weeks, using them and then dumping them before defenders can identify the malicious activity.

"While providers are consistently banning specific IP addresses used by the Funnull CDN, the pace is unfortunately not fast enough to keep up with processes being used to acquire the IPs," according to the report.

Related:EMEA CISOs Plan 2025 Cloud Security Investment

The tactic is complicated to defend against because it blends malicious activities with legitimate Web traffic, making it difficult for hosting providers to block access without creating a disruption for legitimate users, one security expert notes.

"By utilizing major providers, the bad actors make it much tougher for organizations to block IP ranges because those major providers may also be providing legitimate IP addresses for important Web services," observes Erich Kron, a security awareness advocate at cybersecurity company KnowBe4. "This precludes the ability to block large chunks of addresses easily."

**Running Multiple Scams**

Funnull CDN hosts more than 200,000 unique hostnames — approximately 95% of which are generated through domain generation algorithms (DGAs) — linked to "illicit activities such as investment scams and fake trading applications," according to the report.

"Moreover, these activities are directly associated with money laundering as a service on shell gambling websites that abuse the trademarks of a dozen popular casino brands and which are available online today," according to the report.

Related:Name That Edge Toon: In the Cloud

The activity uncovered by Silent Push is not the first time Funnull CDN has been tied to suspicious activity. Last year, the company purchased a domain, polyfill\[.\]io, that more than 100,000 websites use to deliver JavaScript code. Soon after, it was found being used as a conduit for a supply chain attack that used dynamically generated payloads, redirected users to pornographic and sports-betting sites, and could potentially lead to data theft, clickjacking, or other attacks.

At its peak in 2022, Funnull CDN's investment scam infrastructure had thousands of active domains, according to Silent Push. In 2024 that portfolio was more "modest" but still had some active sites, including cmegrouphkpd\[.\]info, which recently went offline but for the past two years had hosted a fake trading platform abusing CME Group's brand and logo.

**Is "Laundering" a Misnomer?**

AWS has made a public response to the findings in the report, verifying some of them and taking issue with others. The company said before it received Silent Push's report, it was "already aware of the activity" and was actively suspending the fraudulently acquired accounts linked to Funnull CDN's malicious activity.

"All accounts known to be linked to the activity are suspended," according to an AWS statement included in the Silent Push report. "We can confirm that there is no current risk from this activity, and no customer action is required."

Related:Tenable to Acquire Vulcan Cyber to Boost Exposure Management Focus

AWS also noted that the term "infrastructure laundering" to describe the activity is a misnomer, since it doesn't involve making illicit activity "clean."

"By using that phrase, the report insinuates that AWS is the intermediary to make the abusive activity appear legitimate and thereby harder to detect or block," the company said. "That’s incorrect."

AWS did not immediately respond to a request for comment from Dark Reading.

A Microsoft spokesperson told Dark Reading the tech giant is looking into the activity described in the report. Meanwhile, Silent Push will continue to investigate related activity from Funnull CDN and other threat actors, and will provide updates when appropriate, it said.

Businesses need to review their cloud accounts to avoid getting caught up in the activity, too. KnowBe4's Kron suggests that threat actors aren't likely to set up an account with a mainstream cloud provider with their own information; instead, they are probably using stolen accounts. These account takeovers, in turn, likely involve the use of stolen or cracked credentials, making the use of multifactor authentication (MFA) another potential way to mitigate this type of activity, he says.

Kron adds: "Organizations should review the accounts with access, audit transactions, and educate people on how to spot potential malicious activity within their cloud accounts."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chinese 'Infrastructure Laundering' Abuses AWS, Microsoft Cloud

Organizations and development teams need to evolve from "being prepared" to "managing the risk" of security breaches.

Kirsten Newcomer, Director, Cloud and DevSecOps Strategy, Red Hat

February 4, 2025

4 Min Read

Source: RTimages via Alamy Stock Photo

COMMENTARY

It's a perfect storm: The cost of a data breach is rising, known cyberattacks are becoming more frequent, security expertise is in short supply, and the demand for connectedness — to deliver and act on even the most sensitive of data across all devices, and all the way to the network edge — is unyielding. A recent example that affects anyone who texts between Android and iPhone devices is the Salt Typhoon attack. Meanwhile, industry and government regulations are tightening, demanding stricter proof of security measures and faster reporting of breaches, raising the stakes for "getting it wrong."

In its most recent analysis, Verizon Business found that organizations take an average of 55 days to remediate 50% of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Unfortunately, cybercriminals respond far more quickly, with mass exploitations of the CISA KEV appearing on the Internet within a median of five days. 

That's why organizations and development teams must evolve from "being prepared" to "managing the risk" of security breaches.

Vulnerability risk management is not a new concept, but I am noticing that organizations are attempting to manage risk in one of two ways — by setting up guardrails (proactive) or patching (reactive). Neither is optimal.

The key is to balance the two, highlighting the critical importance of adopting a DevSecOps approach. "DevSec" solutions are focused on shifting security left by integrating security gates into the continuous integration and continuous delivery (CI/CD) pipeline. "SecOps" solutions are focused on detecting and responding to threats in the runtime environment. 

Here's a look at the challenges to each approach.

**The Vulnerability Patching Approach**

On its face, patching sounds simple enough: When a software vulnerability is revealed, patch it. However, that assumes that developers and security teams have the resources to quickly monitor for issues, create or identify patches, and then test and apply those patches — before cyberattackers can take advantage of the vulnerabilities themselves. 

AI will eventually help developers more efficiently identify vulnerabilities, but we're not at that point yet. Right now, AI and the demand for AI-enabled applications is only adding to the potential for unidentified vulnerabilities. AI code generation tools increase the likelihood of introducing hard-to-trace snippets of code from unidentified sources. While many of today's vulnerability scanners rely on identifying code packages rather than code snippets. 

**The Guardrails Approach**

The guardrails approach is more nuanced than the vulnerability patching approach, but it comes with its own set of challenges.

While organizations that focus on the patching approach take a more reactive stance, the guardrails approach is grounded in proactive protection and mitigating controls. These include:

*   Reducing the attack surface across the stack
    
*   Working toward continuous hardening and compliance improvement
    
*   Securing the application CI/CD pipeline using best practices, such as those recommended in slsa.dev: identifying provenance, hardening builds, verifying artifacts
    
*   Implementing automated, policy-based promotion and admission controls to ensure that applications have production-ready security before being deployed to production systems
    
*   Application of data protection controls such as encryption
    

*   Use of zones of control (fencing communications with network and API security controls) and microsegmentation
    
*   Prioritizing the use of Linux security solutions, such as SELinux and secure computing profiles (seccomp), as well as features focused on securing containers such as user namespaces and cgroupsv2
    

All of these strategies are highly effective; however, it's often challenging for organizations to integrate these and other guardrails into their infrastructure. It is even more challenging to harden existing application pipelines. Striking the balance between security and innovation has gotten more difficult as pressure to improve security increases from all sides and the impact of a security breach reverberates up and down the supply chain.

**Creating a Balanced Approach to Software Risk Management**

Used together, patching and guardrails can help organizations maintain a balance between efficient vulnerability management and proactive security monitoring and management. 

Organizations should assess risk based on key factors for their business, including what mitigating controls they have in place in the runtime environment. While the Common Vulnerability Scoring System, with Base Metrics and Temporal and Environmental Metrics, offers some indication of the level of risk a known vulnerability creates, this data does not and cannot account for the specific context of a deployed application. Organizations need to account for additional factors such as external exposure and mitigating controls.

Using open source can help, since the community is committed to transparency and clear communication about newly discovered vulnerabilities and how to get fixes for them. In fact, in addition to prioritizing the use of open source, organizations should take their cue from the open source community and establish their own processes for sharing detailed information about identified vulnerabilities — internally but also with partners and vendors following principles of responsible disclosure. 

Responsible disclosure and open data are critical for customers and communities to fully understand the vulnerabilities that may impact them, as well as to ensure that the data necessary to make appropriate, informed decisions is widely available.

Offering multiple remediation options, such as software updates and/or patches, and automated guardrails at all stages of the application life cycle including CI/CD and runtime mitigations, provides flexibility in addressing vulnerabilities across diverse environments. By combining these elements, organizations can create a comprehensive vulnerability risk management program that effectively mitigates security risks across their entire IT infrastructure.

**About the Author**

Director, Cloud and DevSecOps Strategy, Red Hat

Kirsten Newcomer works closely with Red Hat’s many security professionals across the Red Hat portfolio of open source offerings. She is a diversified software management professional with more than 20 years of experience in security, application development, and infrastructure solutions. Prior to joining Red Hat, Kirsten provided strategic direction for Black Duck’s open source security and governance solutions.

Source

DARKReading