Cloudzy: Iranian Company Accused of Helping Cybercriminals and Nation-State Hackers

An obscure Iranian company has come under scrutiny for being used by multiple threat actors. Cloudzy's services have recently been called into question for supporting both nation-state crews and cybercrime groups. According to Halcyon, although Cloudzy is incorporated in the United States, it very likely operates from Tehran, Iran, which would be a possible violation of US sanctions. Halcyon further claimed that the company runs under the direction of someone who goes by the name of Hassan Nozari.

In a recent analysis, the Texas-based cybersecurity company Halcyon said that Cloudzy serves as a command-and-control provider (C2P). By giving attackers access to virtual private servers (VPS) reachable over the Remote Desktop Protocol (RDP), along with other anonymous services, it lets ransomware affiliates and other hackers host and operate the infrastructure they use to further their illicit activities.

Interestingly, C2Ps such as Cloudzy take advantage of a liability loophole that spares them from having to guarantee that the infrastructure they provide is not used illegally. This raises questions about how such businesses can enable cybercrime without being held accountable for it.

The ransomware-as-a-service (RaaS) ecosystem in which Cloudzy's infrastructure is used is constantly evolving and involves several parties: initial access brokers, who obtain entry points through known vulnerabilities or stolen credentials and then sell that access to affiliates; the affiliates, who carry out the attacks in exchange for a percentage of the proceeds; and the core developers, who produce and maintain the ransomware itself.

A new class of player has emerged with the growth of command-and-control provider (C2P) businesses. This includes Cloudzy, which, intentionally or unknowingly, provides the infrastructure needed to execute these attacks. C2Ps are crucial in giving cybercriminals the means to carry out their operations without having to participate in the attacks themselves.

Some of the key actors believed to be leveraging Cloudzy include state-sponsored groups from India, North Korea, Iran, China, Pakistan, Russia, and Vietnam, among them Sidewinder, Kimsuky, Konni, Lazarus, APT33, APT34, APT10, Transparent Tribe, APT29, Turla, and OceanLotus.

The Israeli spyware vendor Candiru also appears to be a customer, as do two ransomware affiliates tracked as Ghost Clown and Space Kook.

The ease with which hostile actors can make use of Cloudzy's services is cause for concern. Abusers can obtain virtual private servers (VPS) with nothing more than a working email address and pay anonymously in cryptocurrency, with no identity verification. This raises the real possibility that threat actors will continue to use obscure businesses like Cloudzy as a springboard for large-scale breaches and cyberattacks.
