Full Report
In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.
Analysis Summary
# Threat Actor: Funnull
## Attribution & Identity
Funnull is identified as a sprawling network tied to **Chinese organized crime gangs**. It functions as a Chinese content delivery network (CDN). It is associated with entities like **Fangneng CDN** and its parent company, **ACB Group**. A previous owner of an acquired CDN alleged their family was coerced into selling the company, which is now being used by others for illicit activities.
## Activity Summary
Funnull relays its operations through major U.S. cloud providers (specifically **Amazon AWS** and **Microsoft Azure**), a practice described as **"infrastructure laundering."** Its key activities include hosting:
* Fake trading applications.
* Pig butchering scams.
* Gambling websites.
* Retail phishing pages.
**Key Campaigns/Events:**
* **Supply-Chain Attack (Summer 2024):** Funnull acquired the domain **polyfill\[.\]io** (previously a legitimate open-source code library) and subsequently redirected tens of thousands of legitimate linking domains to malicious sites.
* **Hosting Gambling Operations:** Promoting gambling sites and junkets linked to the **Suncity Group**, which is implicated in laundering money for the North Korean Lazarus Group. Funnull may be helping Chinese users evade the "Great Firewall" to access these gambling destinations.
* **Persistent Abuse:** Researchers found that even after AWS suspended known linked accounts, Funnull continued to forward malicious traffic through chains of auto-generated domains hosted on AWS and Azure infrastructure.
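The polyfill\[.\]io takeover described above did damage because tens of thousands of pages kept loading a script from a domain whose owner had changed. The script below is an added example, not code from the original report or from any party named in it: it inventories the third-party hosts a page loads scripts from and flags includes that carry no Subresource Integrity (`integrity`) attribute. The HTML, its hostnames and the first-party host passed in are constructed for the example.

```python
"""Inventory the third-party hosts a page loads scripts from and flag includes
without Subresource Integrity (SRI).

Added example, not from the original report. A hijacked library domain only
harms pages that still load code from it, so the first defensive step is to
know which external hosts a site depends on. SAMPLE_HTML, its hostnames and
the first-party host are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one same-origin include, two unpinned third-party
# includes (one protocol-relative), one pinned include, one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.hijacked-library.example/v3/polyfill.min.js"></script>
<script src="//static.partner.example/widget.js" async></script>
<script src="https://cdn.vendor.example/lib.js"
        integrity="sha384-EXAMPLEHASHVALUE" crossorigin="anonymous"></script>
<script>inline();</script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr_map = dict(attrs)
        if attr_map.get("src"):
            self.scripts.append(attr_map)


def audit_third_party_scripts(html, first_party_host):
    """One finding per external <script src>: the host, whether an integrity
    attribute is present, and whether crossorigin is set (SRI needs both)."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        host = urlparse(src).hostname  # None for relative paths
        if host is None or host == first_party_host:
            continue  # same-origin code is not a third-party dependency
        findings.append({
            "src": src,
            "host": host,
            "has_integrity": bool(attrs.get("integrity")),
            "has_crossorigin": "crossorigin" in attrs,
        })
    return findings


def unpinned_hosts(findings):
    """External hosts whose code runs unpinned: a change of ownership or a
    compromise of that host becomes script execution in every page."""
    return sorted({f["host"] for f in findings if not f["has_integrity"]})


if __name__ == "__main__":
    results = audit_third_party_scripts(SAMPLE_HTML, "www.shop.example")
    for finding in results:
        print(finding)
    print("unpinned:", unpinned_hosts(results))
```

SRI pins only static files. A service that tailors its output per request (polyfill.io varied the bundle by browser) cannot be pinned with a hash, so an unpinned host in this output is a prompt to self-host the file or remove the dependency, not just to add an `integrity` attribute.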
## Tactics, Techniques & Procedures
- **Infrastructure Laundering:** Relaying malicious traffic through U.S. cloud providers (AWS, Azure) to obscure its origin and make blocking difficult.
- **Domain Hijacking/Acquisition:** Acquiring legitimate, high-traffic domains (e.g., polyfill\[.\]io) to leverage existing trust and link to criminal infrastructure via supply-chain attacks.
- **Network Obfuscation:** Using a "dizzying chain of auto-generated domain names" to redirect traffic to malicious sites.
- **Coercion/Malicious Acquisition:** Implied use of threats and coercion to take over existing CDN infrastructure (as suggested by the former owner of Anjie CDN).
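The "dizzying chain of auto-generated domain names" in the Network Obfuscation item is something a defender can measure rather than eyeball. The script below is an added example, not code from the original report or from Silent Push: given a recorded redirect chain, it counts hops, flags hostnames whose leftmost label looks machine-generated (long, high-entropy, digit-heavy) and maps each hop's resolved IP to a cloud provider range. The chain, the IP ranges and the heuristic thresholds are constructed for the example; in practice the ranges would come from the providers' published files (AWS's `ip-ranges.json`, Azure's Service Tags download).

```python
"""Score a recorded HTTP redirect chain for the traits the report attributes
to Funnull: many hops, machine-generated hostnames, and cloud-hosted relays.

Added example, not from the original report. SAMPLE_CHAIN and CLOUD_RANGES
are constructed; thresholds in looks_generated() are assumptions to tune."""
import ipaddress
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-ins for provider-published address ranges. In production,
# load the providers' own files (AWS ip-ranges.json, Azure Service Tags).
CLOUD_RANGES = {
    "cloud-a (constructed)": [ipaddress.ip_network("203.0.113.0/24")],
    "cloud-b (constructed)": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed chain as a crawler would record it:
# (requested URL, HTTP status, Location header, IP the host resolved to).
SAMPLE_CHAIN = [
    ("http://promo-link.example/go", 302,
     "https://x9k2f7a1qz.relay-hop.example/r", "203.0.113.10"),
    ("https://x9k2f7a1qz.relay-hop.example/r", 302,
     "https://7g3hq0v8m2.relay-hop.example/r", "203.0.113.44"),
    ("https://7g3hq0v8m2.relay-hop.example/r", 302,
     "https://b41z9xk0pq.other-hop.example/r", "198.51.100.7"),
    ("https://b41z9xk0pq.other-hop.example/r", 200, None, "192.0.2.15"),
]


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(host, min_len=8, min_entropy=3.0, min_digit_ratio=0.2):
    """Heuristic: a long, high-entropy, digit-heavy leftmost label is more
    likely machine-generated than chosen by a person. Thresholds are assumed."""
    label = host.split(".")[0]
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return label_entropy(label) >= min_entropy and digit_ratio >= min_digit_ratio


def cloud_provider(ip):
    """Name of the provider range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def analyse_chain(chain):
    """Summarise a chain: hop count, generated-looking hosts, cloud-hosted hops."""
    hosts = [urlparse(url).hostname for url, _status, _loc, _ip in chain]
    cloud_hops = []
    for (_url, _status, _loc, ip), host in zip(chain, hosts):
        provider = cloud_provider(ip)
        if provider:
            cloud_hops.append((host, provider))
    return {
        "hops": len(chain),
        "distinct_hosts": len(set(hosts)),
        "generated_hosts": [h for h in hosts if looks_generated(h)],
        "cloud_hops": cloud_hops,
        "final_url": chain[-1][0],
    }


def flag_chain(report, min_hops=3, min_generated=2):
    """True when the chain is long, mostly generated-looking relays, and at
    least partly cloud-hosted: the shape described in the report, and a cue to
    file an abuse report with the provider rather than block one hostname."""
    return (report["hops"] >= min_hops
            and len(report["generated_hosts"]) >= min_generated
            and len(report["cloud_hops"]) >= 1)


if __name__ == "__main__":
    summary = analyse_chain(SAMPLE_CHAIN)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("suspicious:", flag_chain(summary))
```

Blocking the final destination alone is what makes this a whac-a-mole game: the relays rotate while the provider account behind them persists. The `cloud_hops` list is the part worth attaching to an abuse report, since it names the provider whose account is relaying the traffic.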
## Targeting
- **Sectors:** Financial services (phishing/fraud), Gambling/Casinos, Technology (supply chain targeting users of libraries).
- **Geography:** Primarily targeting users attempting to access gambling services from within China (to bypass the Great Firewall), while the infrastructure is hosted in the U.S. and managed by Chinese crime outfits.
- **Victims:** End-users targeted by fake trading apps, pig butchering scams, and phishing pages. Tens of thousands of sites linked to the polyfill\[.\]io domain were affected by the supply-chain attack.
## Tools & Infrastructure
- **Malware families used:** None named; the report cites fake trading apps and phishing tools (implied).
- **Infrastructure:** Hosted primarily on **Amazon AWS** and **Microsoft Azure** cloud services. Utilizes auto-generated domain names for traffic redirection. Associated with obtaining infrastructure through fraudulent means where payment is not rendered (according to AWS damage claims).
## Implications
Funnull exemplifies the growing trend of **"infrastructure laundering,"** where cybercriminals intentionally use legitimate, reputable Western cloud services for hosting criminal infrastructure. This poses a persistent "whac-a-mole" problem for cloud providers and highlights the challenge of tracing criminal activities originating from actors with ties to organized crime (Triads) and state-backed entities (Lazarus Group connections via Suncity). The situation underscores the need for stricter customer identification rules for IaaS providers, as proposed by the U.S. Department of Commerce.
## Mitigations
- **Infrastructure Auditing:** U.S. cloud providers must establish internal policies to reclaim IP space and ban CDNs that rent space to entities hosting numerous criminal websites (as suggested by Silent Push).
- **Proactive Reporting:** Security researchers should use established abuse reporting channels (such as AWS Trust & Safety) rather than relying solely on media disclosure, so that providers can respond quickly.
- **Customer Identification Programs (CIP):** Support and formalize measures, like the Commerce Department's proposed rule, to force IaaS providers to collect sufficient data to determine if customers are foreign persons involved in malicious activity.