Multiple threat actors, including cybercrime groups and nation-state crews, leverage services offered by an obscure Iranian company called Cloudzy https://cloudzy.com. Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran, in possible violation of US sanctions under the direction of someone named Hassan Nozari. The company acts as a command-and-control provider (C2P), which provides attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services that ransomware affiliates and others use to pull off cybercriminal endeavors.[1]
[C2Ps] enjoy a liability loophole that does not require them to ensure that the infrastructure they provide is not being used for illegal operations. The Ransomware-as-a-Service (RaaS) business model is a highly-evolving one, encompassing the core developers; affiliates, who carry out the attacks in exchange for a cut; and initial access brokers, who exploit known vulnerabilities or stolen credentials to obtain a foothold and sell that access to affiliates.
See: https://redskyalliance.org/xindustry/ransomware-as-a-service-went-to-business-school
The emergence of C2P providers points to a new set of actors who "knowingly or unwittingly" provide the infrastructure to carry out the attacks. Some of the key actors that are assessed to be leveraging Cloudzy include state-sponsored entities from China (APT10), India (Sidewinder), Iran (APT33 and APT34), North Korea (Kimsuky, Konni, and Lazarus Group), Pakistan (Transparent Tribe), Russia (APT29 and Turla), and Vietnam (OceanLotus) as well as cybercrime entities (Evil Corp and FIN12). Also included are two ransomware affiliates dubbed Ghost Clown and Space Kook which use the BlackBasta and Royal ransomware strains, respectively, and the controversial Israeli spyware vendor Candiru.
It is suspected that malicious actors are banking on the fact that purchasing VPS services from Cloudzy only requires a working email address and anonymous payment in cryptocurrency, thus making it ripe for abuse and raising the possibility that threat actors could be weaponizing little-known firms to fuel major hacks. If your VPS server is suspended because of misuse or abuse such as prohibited uses: Phishing, Spamming, Child Porn, Attacking other people, etc.," reads the support documentation on Cloudzy's website. "There is a $250-$1000 fine or NO WAY for unsuspension; this depends on the complaint type."
While these C2P entities are ostensibly legitimate businesses that may or may not know that their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus that some of the most advanced threat actors leverage.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2023/08/iranian-company-cloudzy-accused-of.html
Comments