Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers


Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews.

Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari, Halcyon said in a new report published Tuesday.

The Texas-based cybersecurity firm said the company acts as a command-and-control provider (C2P), supplying attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services that ransomware affiliates and others use to carry out their cybercriminal endeavors.

"[C2Ps] enjoy a liability loophole that does not require them to ensure that the infrastructure they provide is not being used for illegal operations," Halcyon said in a statement shared with The Hacker News.

The ransomware-as-a-service (RaaS) business model is a constantly evolving one, encompassing the core developers; affiliates, who carry out the attacks in exchange for a cut; and initial access brokers, who exploit known vulnerabilities or stolen credentials to obtain a foothold and sell that access to affiliates.

The emergence of C2P providers points to a new set of actors who knowingly or unwittingly provide the infrastructure to carry out the attacks.

"The most unusual thing is how long various attackers operated out of this infrastructure, yet no other security vendor connected the reuse of RDP hostnames to tie them all together," Ryan Smith, Halcyon's CTO & co-founder, told The Hacker News. "Essentially attackers look to automate some of the tedious tasks required for setting up their campaigns, much like every legitimate software company, and by doing so, presumably left themselves open to correlation."
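The pivot Smith describes, correlating otherwise unrelated IP addresses through a reused RDP hostname, can be reproduced from ordinary scan data. When a Windows host exposes RDP on TCP/3389, its self-signed RDP certificate carries the machine's computer name as the certificate subject CN, so the name is visible to anyone who completes the TLS handshake, and a VPS image cloned from one template hands every tenant the same auto-generated "WIN-..." name. The script below is an added example written for this page, not Halcyon's tooling or code; the scan records and actor labels are constructed for illustration, and the confidence heuristic (auto-generated Windows names are strong links, generic names such as "DC01" are weak) is an assumption of the example rather than a published method.

```python
"""Pivot on RDP certificate hostnames to link infrastructure across actors.

Added example (not from the original article). Input records imitate what an
internet-wide scanner returns for an RDP service: the IP, the CN from the
RDP TLS certificate, when the IP was first seen, and whichever actor a
tracker attributed that IP to. All values below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample records (RFC 5737 documentation addresses, fictional actors).
RECORDS = [
    {"ip": "203.0.113.10",  "rdp_cn": "WIN-5T7Q2AB3K9C", "first_seen": "2022-03-01", "actor": "actor-A"},
    {"ip": "203.0.113.55",  "rdp_cn": "WIN-5T7Q2AB3K9C", "first_seen": "2022-09-14", "actor": "actor-B"},
    {"ip": "198.51.100.7",  "rdp_cn": "WIN-5T7Q2AB3K9C", "first_seen": "2023-01-20", "actor": "actor-C"},
    {"ip": "198.51.100.23", "rdp_cn": "WIN-H8D1J4PQX2E", "first_seen": "2022-06-02", "actor": "actor-A"},
    {"ip": "192.0.2.44",    "rdp_cn": "DC01",            "first_seen": "2022-11-30", "actor": "actor-D"},
    {"ip": "192.0.2.45",    "rdp_cn": "DC01",            "first_seen": "2023-02-11", "actor": "actor-D"},
]

# Windows assigns fresh installs a name of the form WIN-<11 alphanumerics>.
# Seeing the same one on several IPs almost always means a cloned image,
# which is exactly the "automated setup" pattern that enables correlation.
DEFAULT_WIN_NAME = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Hostnames that admins pick by hand all the time; a match here is weak evidence.
# (Assumption of this example, extend to taste.)
GENERIC_NAMES = {"DC01", "DC02", "SERVER", "SERVER01", "DESKTOP", "ADMIN"}

CONFIDENCE_ORDER = {"high": 0, "medium": 1, "low": 2}


def cluster_by_rdp_cn(records):
    """Group scan records by the certificate CN they exposed on RDP."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec["rdp_cn"]].append(rec)
    return dict(clusters)


def rate_hostname(cn):
    """Heuristic: how much a shared CN says about shared origin."""
    if DEFAULT_WIN_NAME.match(cn):
        return "high"
    if cn.upper() in GENERIC_NAMES:
        return "low"
    return "medium"


def pivot_rdp_hostnames(records, min_actors=2):
    """Return hostname clusters that span more than one IP.

    Each finding lists the IPs and actors sharing the CN, the first-seen
    window covered, the link confidence, and whether the cluster ties
    together at least `min_actors` distinct actors.
    """
    findings = []
    for cn, rows in cluster_by_rdp_cn(records).items():
        ips = sorted({r["ip"] for r in rows})
        if len(ips) < 2:
            continue  # a hostname seen on one IP is not a pivot
        actors = sorted({r["actor"] for r in rows})
        dates = sorted(r["first_seen"] for r in rows)
        findings.append({
            "rdp_cn": cn,
            "ips": ips,
            "actors": actors,
            "span": (dates[0], dates[-1]),
            "confidence": rate_hostname(cn),
            "cross_actor": len(actors) >= min_actors,
        })
    # Strongest links first, then the ones spanning the most actors.
    findings.sort(key=lambda f: (CONFIDENCE_ORDER[f["confidence"]], -len(f["actors"])))
    return findings


if __name__ == "__main__":
    for f in pivot_rdp_hostnames(RECORDS):
        flag = "CROSS-ACTOR" if f["cross_actor"] else "single-actor"
        print(f"{f['rdp_cn']:<18} {f['confidence']:<6} {flag:<12} "
              f"{len(f['ips'])} IPs, {len(f['actors'])} actors, seen {f['span'][0]} .. {f['span'][1]}")
```

On the constructed data the auto-generated "WIN-5T7Q2AB3K9C" ties three IPs attributed to three different actors over roughly ten months, which is the kind of long-lived, shared-template signal the quote refers to; the "DC01" pair is reported but marked low confidence because that name is chosen by hand everywhere. In practice the records would come from a scan archive's RDP/TLS fields, and the CN pivot is only the first hop: the IPs it yields should be checked against hosting ASN, certificate serials and RDP banner details before any attribution claim is made.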

Some of the key actors assessed to be leveraging Cloudzy include state-sponsored entities from China (APT10), India (SideWinder), Iran (APT33 and APT34), North Korea (Kimsuky, Konni, and Lazarus Group), Pakistan (Transparent Tribe), Russia (APT29 and Turla), and Vietnam (OceanLotus), as well as cybercrime entities (Evil Corp and FIN12).

Also in the mix are two ransomware affiliates dubbed Ghost Clown and Space Kook, which use the Black Basta and Royal ransomware strains, respectively, and the controversial Israeli spyware vendor Candiru.

It’s suspected that malicious actors are banking on the fact that purchasing VPS services from Cloudzy only requires a working email address and anonymous payment in cryptocurrency, thus making it ripe for abuse and raising the possibility that threat actors could be weaponizing little-known firms to fuel major hacks.

"If your VPS server is suspended because of misuse or abusive usage such as prohibited uses: Phishing, Spamming, Child Porn, Attacking other people, etc.," reads the support documentation on Cloudzy's website. "There is a $250-$1000 fine or NO WAY for unsuspension; this depends on the complaint type."

"While these C2P entities are ostensibly legitimate businesses that may or may not know that their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus leveraged by some of the most advanced threat actors," the company said.

"Cloudzy is just one player in the system," Smith said. "If anything, the ransomware and cybercrime ecosystem is robust. Once an operation is burned, attackers will look to shift their C2 to other providers. As we saw with the collapse of Conti, all this does is leave a vacuum to be filled by another illicit organization."

(The article was updated after publication to include responses from Halcyon.)


(c) Thin
