Cloud Abuse Is Getting Smarter: How Attackers “Launder” Infrastructure on AWS & Azure—and What You Can Do About It
A new wave of “infrastructure laundering” lets threat actors spin up seemingly legitimate cloud resources—often with stolen or fraudulent accounts—and weaponize them for phishing, fraud, data theft, and even supply-chain attacks. Recent reporting highlights a crime network (“FUNNULL CDN”) that repeatedly rents fresh IP space from AWS and Azure and maps it to malicious domains, keeping operations alive despite takedowns. Microsoft and AWS tooling can spot parts of this behavior, but defenders need stronger egress controls, API-key governance, and automated, real-time blocking to keep up.
What the new research surfaced
- Infrastructure laundering at scale. Threat actors rent thousands of IPs from mainstream clouds and chain them to criminal domains via CNAMEs; when takedowns land, they just rent fresh IPs and re-map. FUNNULL alone reportedly rented 1,200+ IPs from AWS and ~200 from Azure. (Silent Push)
- API key theft & misuse. Stolen keys bypass app-level controls and can even be routed through reverse proxies to look legitimate. (Cyber Security News)
- Misconfigurations still matter. Public buckets, weak policies, and permissive identities continue to be easy wins for attackers. (Cyber Security News)
- Living-off-the-cloud commands. Azure’s VM Run Command (e.g., az vm run-command ... --command-id RunShellScript) is powerful for admins—and attractive for adversaries who’ve gained permissions. Lock it down and monitor it. (Microsoft Learn)
- Collateral via supply chain. FUNNULL’s earlier takeover of a popular JS library fueled mass web-scale exposure—showing how cloud abuse and supply-chain risk can reinforce each other. (Silent Push)
Sources: Coverage and technical findings published Feb 3, 2025 and Jan 30, 2025, respectively.
Why this is hard to defend
Blocking all of AWS or Azure is a non-starter because your apps and customers rely on those networks. Laundered cloud IPs look benign and rotate quickly, outpacing manual blocklists and ticket-driven takedowns. The problem becomes a speed and precision challenge: detect fast, decide fast, and enforce at the network edge without breaking good traffic.
A practical playbook (you can start today)
1) Identity and control plane
- Constrain cloud-native remote execution. In Azure, restrict who can invoke Run Command, alert on creation and invocation events, and require just-in-time elevation and MFA.
- Harden API keys. Rotate keys, scope by least privilege, and gate usage by network, time, and service. Monitor for anomalous patterns such as new locations, spikes, and off-hours use.
2) Workload and posture
- Enable managed threat detection across all accounts and subscriptions, and wire findings to automated responses. Examples include AWS GuardDuty and Microsoft Defender for Cloud.
- Eliminate easy wins. Close public storage, enforce encryption, and apply baseline benchmarks and policies (Azure Policy, AWS SCPs).
3) Network: default-deny egress with precision allow
- Stop phone-home. Move to default-deny egress from workloads, then allow only required FQDNs and private endpoints to blunt exfiltration, C2, and abuse of management channels.
- CIDR minimization. Collapse reputational blocklists to the smallest safe CIDRs to keep enforcement fast and scalable as adversaries rotate IPs.
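A worked version of the CIDR-minimization step above, as an added example (not Aegis code or tooling): it widens each malicious host into the largest prefix that still holds a chosen share of known-bad addresses, capped at a widest allowed prefix, and reports how many non-malicious addresses the result would block. The density threshold, prefix cap and sample IPs (IPv4, TEST-NET ranges) are constructed.

```python
import ipaddress

def minimal_cidrs(bad_ips, widest_prefix=24, min_density=0.6):
    """Collapse known-bad host IPs into the fewest CIDR blocks that remain 'safe'.

    Greedy, widest-first: for each prefix length from widest_prefix down to /32,
    a candidate block is emitted only if the share of known-bad hosts inside it
    is at least min_density. Hosts that fit no dense block end up as /32s, so a
    sparse, high-collateral prefix is never emitted.
    """
    hosts = {ipaddress.ip_address(ip) for ip in bad_ips}
    remaining = set(hosts)
    blocks = []
    for plen in range(widest_prefix, 33):
        candidates = {ipaddress.ip_network(f"{h}/{plen}", strict=False) for h in remaining}
        for net in sorted(candidates):
            # density counts every known-bad host, not only those still uncovered
            bad_inside = sum(1 for h in hosts if h in net)
            if bad_inside / net.num_addresses >= min_density:
                blocks.append(net)
                remaining = {h for h in remaining if h not in net}
    return sorted(blocks)

def collateral(blocks, bad_ips):
    """Number of addresses the block list covers that are not known-bad."""
    hosts = {ipaddress.ip_address(ip) for ip in bad_ips}
    covered_bad = sum(1 for h in hosts if any(h in net for net in blocks))
    return sum(net.num_addresses for net in blocks) - covered_bad

# Constructed sample: a dense cluster (40 of the 64 hosts in 203.0.113.0/26),
# an adjacent pair, and one isolated host. TEST-NET addresses, not real infrastructure.
SAMPLE_BAD_IPS = [f"203.0.113.{i}" for i in range(40)] + ["198.51.100.8", "198.51.100.9", "192.0.2.200"]

if __name__ == "__main__":
    blocks = minimal_cidrs(SAMPLE_BAD_IPS)
    print(f"{len(SAMPLE_BAD_IPS)} hosts -> {len(blocks)} blocks:", [str(b) for b in blocks])
    print("collateral addresses blocked:", collateral(blocks, SAMPLE_BAD_IPS))
```

Raising min_density toward 1.0 trades list length for zero collateral; with the sample data the cluster then splits into a /27 plus a /29 instead of one /26.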
4) Detection and response automation
- Auto-quarantine patterns. Quarantine workloads that show sudden egress to newly observed hyperscaler IPs, mass DNS to DGA-like domains, or anomalous Run Command activity. Feed GuardDuty and Defender findings into auto-mitigation.
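The first auto-quarantine pattern above (sudden egress to newly observed hyperscaler IPs) as detection logic run over sample flow records, an added example rather than Aegis or provider code. The prefix list, per-workload baseline and flow lines are constructed, and the window and threshold values are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for provider ranges (TEST-NET prefixes). In production,
# load the providers' published prefix lists (AWS ip-ranges.json, Azure Service Tags).
HYPERSCALER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed baseline: destinations each workload contacted during a learning window.
BASELINE = {"web-01": {"203.0.113.10", "192.0.2.50"}, "db-01": {"192.0.2.50"}}

# Constructed flow records: "<epoch_seconds> <workload> <dst_ip> <dst_port>"
FLOW_LOG = """\
1700000000 web-01 203.0.113.10 443
1700000005 web-01 198.51.100.7 443
1700000009 web-01 198.51.100.8 443
1700000012 web-01 198.51.100.9 443
1700000020 db-01 192.0.2.50 5432
1700000030 db-01 192.0.2.77 443
1700000090 web-01 198.51.100.7 443
"""

def in_hyperscaler(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HYPERSCALER_PREFIXES)

def find_quarantine_candidates(flow_log, baseline, window=60, threshold=3):
    """Return {workload: sorted new hyperscaler destinations} for every workload that
    reaches >= threshold distinct never-before-seen hyperscaler IPs within window seconds.
    Baselined destinations and non-hyperscaler traffic are ignored, so the alert fires on
    the rotation pattern (fresh cloud IPs) rather than on ordinary cloud API traffic."""
    recent = defaultdict(deque)   # workload -> (ts, dst) of new hyperscaler hits
    flagged = {}
    for line in flow_log.splitlines():
        ts, workload, dst, _port = line.split()
        ts = int(ts)
        if dst in baseline.get(workload, set()) or not in_hyperscaler(dst):
            continue
        hits = recent[workload]
        hits.append((ts, dst))
        while hits and ts - hits[0][0] > window:   # slide the window
            hits.popleft()
        distinct = {d for _, d in hits}            # repeats of one IP count once
        if len(distinct) >= threshold:
            flagged[workload] = sorted(distinct)
    return flagged

if __name__ == "__main__":
    for workload, dsts in find_quarantine_candidates(FLOW_LOG, BASELINE).items():
        print(f"quarantine {workload}: new hyperscaler egress to {dsts}")
```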
What this means for regulated and high-risk sectors
If you operate under SOC 2, HIPAA, CJIS, DFARS, or similar, assume auditors will ask how you prevent your environments from being used as attack staging and how you prevent your workloads from trusting abusive cloud IPs. Treat this as part of third-party risk and egress governance, not only security operations.
The Aegis point of view
No more tolerating attacks. No more DDoS. No more.
Aegis is piloting an Azure-native, real-time auto-mitigation layer designed to make infrastructure laundering unprofitable and DDoS tolerance obsolete. The approach focuses on:
- Edge-first enforcement with instant, policy-driven egress deny and tight FQDN and private-link allowlists.
- Dynamic mini-CIDR intelligence that rolls blocks on malicious cloud IP clusters without collateral damage to legitimate tenants.
- Control-plane hardening with opinionated defaults around high-risk capabilities such as Run Command, plus just-in-time access and continuous verification.
- Autonomous response that streams cloud findings into deterministic actions such as quarantine, key revocation, and route black-holing in seconds.
We will share more as we move from private pilots to controlled releases on Azure. To participate in early evaluations, contact us.
Executive checklist
- Enable GuardDuty and Defender for Cloud organization-wide and verify findings flow to automation.
- Implement default-deny egress with FQDN and private endpoint allowlists.
- Lock down Azure Run Command permissions and alerts.
- Rotate and scope API keys with IP, time, and service constraints.
- Continuously compress and refresh IP reputation blocks using mini-CIDR.
- Test auto-quarantine and key-revocation runbooks quarterly.