Cloudzy, an obscure Iranian company, is purportedly providing services employed by a diverse range of threat actors, including cybercrime syndicates and state-backed hackers.
“It’s highly probable that Cloudzy, despite being registered in the U.S., operates from Tehran, Iran, likely contravening U.S. sanctions, under the guidance of an individual identified as Hassan Nozari,” asserted Halcyon in a report released on Tuesday.
According to the cybersecurity firm based in Texas, Cloudzy functions as a command-and-control provider (C2P). This role involves supplying cyber attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymizing services that are used by ransomware affiliates and similar entities to execute cybercrimes.
“Command-and-Control Providers exist in a liability grey area that doesn’t mandate them to verify that the infrastructure they supply isn’t utilized for illicit activities,” Halcyon shared in a statement with The Hacker News.
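The C2P role described above centres on renting out RDP-reachable virtual private servers. From the defender's side, the corresponding signal is RDP traffic leaving the internal network toward commodity hosting space. The following is an added example, not code from the report or from Halcyon: it parses constructed flow records, keeps only RDP (port 3389) flows whose destination is outside the RFC 1918 and loopback ranges, and marks those landing in a hypothetical hosting-provider netblock list. The netblocks, flow format and addresses are all assumptions for illustration (RFC 5737 documentation ranges stand in for real provider space).

```python
import ipaddress
from collections import defaultdict

# Internal address space; anything else is treated as an outbound destination.
# ipaddress's is_global is deliberately not used here because Python classifies
# the RFC 5737 documentation ranges in the sample below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical hosting-provider netblocks an organisation might maintain from
# ASN or threat-intel feeds; a documentation range stands in for a real one.
HOSTING_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

RDP_PORT = 3389

# Constructed flow records: timestamp src dst dst_port proto (not from the report).
SAMPLE_FLOWS = """\
2023-08-01T10:00:01Z 10.0.5.12 203.0.113.45 3389 tcp
2023-08-01T10:00:03Z 10.0.5.12 10.0.1.7 3389 tcp
2023-08-01T10:00:09Z 10.0.7.33 198.51.100.8 443 tcp
2023-08-01T10:01:12Z 10.0.5.12 203.0.113.45 3389 tcp
2023-08-01T10:02:40Z 10.0.9.4 203.0.113.77 3389 tcp
2023-08-01T10:03:01Z 10.0.9.4 192.0.2.10 3389 udp
"""


def classify_destination(addr_str):
    """Return 'internal', 'hosting' or 'external' for a destination address."""
    addr = ipaddress.ip_address(addr_str)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in HOSTING_NETBLOCKS):
        return "hosting"
    return "external"


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "port": int(port), "proto": proto.lower()}


def find_outbound_rdp(text):
    """Summarise, per internal source host, RDP flows that leave the network.

    Both TCP and UDP on 3389 are counted, since RDP can use either transport.
    """
    per_src = defaultdict(lambda: {"count": 0, "dsts": set(), "hosting": False})
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["port"] != RDP_PORT:
            continue
        kind = classify_destination(flow["dst"])
        if kind == "internal":
            continue  # lateral RDP inside the estate is out of scope here
        entry = per_src[flow["src"]]
        entry["count"] += 1
        entry["dsts"].add(flow["dst"])
        if kind == "hosting":
            entry["hosting"] = True
    # Stable report: destinations sorted, busiest sources first.
    report = [{"src": src, "count": e["count"],
               "dsts": sorted(e["dsts"]), "hosting": e["hosting"]}
              for src, e in per_src.items()]
    report.sort(key=lambda r: (-r["count"], r["src"]))
    return report


if __name__ == "__main__":
    for r in find_outbound_rdp(SAMPLE_FLOWS):
        tag = "hosting-provider range" if r["hosting"] else "other external"
        print(f"{r['src']}: {r['count']} outbound RDP flow(s) to {r['dsts']} [{tag}]")
```

In practice the hosting list would be populated from ASN data or a threat-intel feed and the flows read from NetFlow or firewall logs; the point is that outbound RDP from workstations to rented VPS space is rarely legitimate and is cheap to alert on.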
The Ransomware-as-a-Service (RaaS) business model is continually evolving. It involves core developers; affiliates, who execute attacks in return for a percentage of the proceeds; and initial access brokers, who exploit known vulnerabilities or stolen credentials to gain access and then sell that access to affiliates.
The emergence of C2P providers indicates the rise of a new group of actors who “either knowingly or inadvertently” provide the infrastructure necessary to launch these attacks.
Among the principal entities believed to be making use of Cloudzy’s services are state-sponsored groups from China (APT10), India (Sidewinder), Iran (APT33 and APT34), North Korea (Kimsuky, Konni, and Lazarus Group), Pakistan (Transparent Tribe), Russia (APT29 and Turla), and Vietnam (OceanLotus), in addition to cybercrime groups (Evil Corp and FIN12).
Furthermore, two ransomware affiliates, Ghost Clown and Space Kook, which deploy the BlackBasta and Royal ransomware strains respectively, and the contentious Israeli spyware merchant Candiru, are also implicated.
It’s suspected that malicious entities are capitalizing on the fact that procuring VPS services from Cloudzy merely requires a functional email address and anonymous cryptocurrency payment, which renders it prone to exploitation. This raises concerns that threat actors could be leveraging lesser-known firms to power major cyber attacks.