Cloudzy Accused of Providing Infrastructure to APT Hackers


Command-and-control providers (C2Ps) that operate as legitimate businesses, and that may not even be aware of how their services are being used, can easily be abused by threat actors for attack campaigns and other illicit purposes.

A scenario like this allows advanced threat actors to build and run extensive attack infrastructure, with the C2P serving as a key pillar of that infrastructure.

Researchers on the Halcyon Research and Engineering Team recently identified that Cloudzy, an Iran-linked VPS hosting provider with 15+ data centers around the globe, had been leasing and reselling its server space to 17 different state-sponsored hacking groups from the following countries:-

  • China
  • Russia
  • Iran
  • North Korea
  • India
  • Pakistan
  • Vietnam

Cloudzy Providing Infrastructure to APT Hackers

Halcyon labeled Cloudzy and similar ISPs as "Command-and-Control Providers" (C2Ps), a largely unexplored part of the ransomware economy.

The most striking finding is how readily ostensibly legitimate ISPs end up supporting nation-state threat actors, ransomware operators, and sanctioned entities, with little pressure on them to stop the illicit activity.

Profiting from the global attack ecosystem, these C2Ps become major players in the ransomware economy, whether knowingly or unknowingly.

Cloudzy presents itself as a legitimate business on social media, but its CEO, Hannan Nozari, did not respond to the report, and although the company claims to be U.S.-based, researchers trace its origins to Tehran.

The platform offers RDP, VPS, and other services with no questions asked, which criminals and state-sponsored hackers use to obscure their origins and host attack tooling.

New Ransomware Affiliates

Halcyon also reveals two previously undisclosed ransomware affiliates, tracked as Ghost Clown and Space Kook, which deploy Black Basta and Royal respectively:-

Both gain access to victim systems via Cloudzy IP addresses. Ghost Clown shifted from Conti to Black Basta, while Space Kook moved from Quantum Locker to Royal, using infrastructure that Google's Threat Analysis Group has linked to Exotic Lily.

A deeper investigation revealed a link to abrNOC, an Iranian firm founded by Hannan Nozari in Tehran; eight Cloudzy employees based in Iran overlap with abrNOC staff.

IoCs

Halcyon urges technical readers to hunt for the indicators of compromise associated with the C2P Cloudzy, including the 11 RDP hostnames it identified, to detect ongoing attacks and prevent future malicious activity.

The IoCs are listed below:-

SHA256

  • 4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05
  • b27ca5155e42e372d37cf2bcbb1f159627881ecbae2e51d41f414429599d37a7

IP Addresses

  • 23.19.58[.]181
  • 139.177.146[.]152
  • 172.93.201[.]120

Domain

Netblocks

  • 104.237.193.40/29
  • 104.237.193.56/29
  • 104.237.194.152/29
  • 104.237.219.32/29
  • 104.237.219.40/29
  • 167.88.4.0/29
  • 167.88.4.112/29
  • 167.88.4.16/29
  • 167.88.4.24/29
  • 167.88.4.8/29
  • 172.86.120.0/22
  • 172.93.179.8/29
  • 172.93.179.24/29
  • 172.93.179.32/29
  • 172.93.179.40/29
  • 172.93.179.72/29
  • 172.93.179.96/29
  • 172.93.179.104/29
  • 172.93.179.112/29
  • 172.93.179.120/29
  • 172.93.179.128/29
  • 172.93.179.144/29
  • 172.93.179.152/29
  • 172.93.179.160/29
  • 172.93.179.176/29
  • 172.93.179.184/29
  • 172.93.179.192/29
  • 172.93.179.200/29
  • 172.93.179.208/29
  • 172.93.179.224/29
  • 172.93.179.232/29
  • 172.93.179.240/29
  • 172.93.179.248/29
  • 172.93.181.0/24
  • 172.93.193.0/24
  • 172.93.201.0/24
  • 172.93.204.120/29
  • 172.93.205.128/29
  • 172.93.205.136/29
  • 172.93.205.144/29
  • 64.44.101.0/24
  • 64.44.102.0/24
  • 64.44.134.0/29
  • 64.44.134.16/29
  • 64.44.134.24/29
  • 64.44.134.32/29
  • 64.44.134.40/29
  • 64.44.134.48/29
  • 64.44.134.56/29
  • 64.44.135.0/24
  • 64.44.140.232/29
  • 64.44.141.0/24
  • 64.44.51.168/29
  • 64.44.97.0/24
  • 64.44.98.0/24
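The IoCs above are only useful if they are actually run against your telemetry, and netblock indicators in particular need CIDR matching rather than string comparison. The following is an added example (not code from the article or from Halcyon) that loads the hashes, IP addresses and netblocks listed on this page, refangs the `[.]`-defanged addresses, and scans a few constructed firewall and EDR log lines for matches. The log format and field names (`src=`, `sha256=`) are assumptions for the example; the 11 RDP hostnames Halcyon mentions are not reproduced on this page, so they are not included.

```python
import ipaddress
import re

# Indicators as listed on this page (Halcyon report). Defanged "[.]" is refanged before use.
IOC_SHA256 = {
    "4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05",
    "b27ca5155e42e372d37cf2bcbb1f159627881ecbae2e51d41f414429599d37a7",
}
IOC_IPS = {"23.19.58[.]181", "139.177.146[.]152", "172.93.201[.]120"}
IOC_NETBLOCKS = """
104.237.193.40/29 104.237.193.56/29 104.237.194.152/29 104.237.219.32/29 104.237.219.40/29
167.88.4.0/29 167.88.4.112/29 167.88.4.16/29 167.88.4.24/29 167.88.4.8/29 172.86.120.0/22
172.93.179.8/29 172.93.179.24/29 172.93.179.32/29 172.93.179.40/29 172.93.179.72/29
172.93.179.96/29 172.93.179.104/29 172.93.179.112/29 172.93.179.120/29 172.93.179.128/29
172.93.179.144/29 172.93.179.152/29 172.93.179.160/29 172.93.179.176/29 172.93.179.184/29
172.93.179.192/29 172.93.179.200/29 172.93.179.208/29 172.93.179.224/29 172.93.179.232/29
172.93.179.240/29 172.93.179.248/29 172.93.181.0/24 172.93.193.0/24 172.93.201.0/24
172.93.204.120/29 172.93.205.128/29 172.93.205.136/29 172.93.205.144/29
64.44.101.0/24 64.44.102.0/24 64.44.134.0/29 64.44.134.16/29 64.44.134.24/29 64.44.134.32/29
64.44.134.40/29 64.44.134.48/29 64.44.134.56/29 64.44.135.0/24 64.44.140.232/29 64.44.141.0/24
64.44.51.168/29 64.44.97.0/24 64.44.98.0/24
""".split()


def refang(value: str) -> str:
    """Turn a defanged indicator such as 23.19.58[.]181 back into a real address."""
    return value.replace("[.]", ".")


# Parse once so every lookup is a real CIDR containment test, not a string prefix match.
NETWORKS = [ipaddress.ip_network(block) for block in IOC_NETBLOCKS]
EXACT_IPS = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS}


def classify_ip(ip_text: str):
    """Return 'exact' for a listed IP, the matching netblock for a CIDR hit, else None."""
    try:
        ip = ipaddress.ip_address(refang(ip_text))
    except ValueError:          # not an IP at all (hostname, garbage): no verdict
        return None
    if ip in EXACT_IPS:
        return "exact"
    for net in NETWORKS:
        if ip in net:
            return str(net)
    return None


# Assumed log formats: a firewall line carrying src=<ip> and an EDR line carrying sha256=<hash>.
IP_RE = re.compile(r"\bsrc=(?P<ip>[0-9.\[\]]+)")
HASH_RE = re.compile(r"\bsha256=(?P<h>[0-9a-fA-F]{64})\b")


def scan_log(lines):
    """Return (line_no, kind, indicator, verdict) for every line that matches an IoC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = IP_RE.search(line)
        if m:
            verdict = classify_ip(m.group("ip"))
            if verdict:
                hits.append((n, "ip", m.group("ip"), verdict))
        m = HASH_RE.search(line)
        if m and m.group("h").lower() in IOC_SHA256:
            hits.append((n, "sha256", m.group("h").lower(), "exact"))
    return hits


# Constructed sample telemetry for the example; not real logs from any incident.
SAMPLE_LOG = [
    "2023-08-01T10:02:11Z fw01 allow tcp src=172.93.179.77 dst=10.0.0.5 dport=3389",
    "2023-08-01T10:05:40Z fw01 allow tcp src=198.51.100.23 dst=10.0.0.5 dport=3389",
    "2023-08-01T10:07:03Z fw01 allow tcp src=139.177.146.152 dst=10.0.0.9 dport=443",
    "2023-08-01T10:09:55Z edr01 file_create sha256=4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05 path=C:/Users/Public/svc.exe",
    "2023-08-01T10:12:30Z edr01 file_create sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:/Windows/notepad.exe",
]

if __name__ == "__main__":
    for line_no, kind, indicator, verdict in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {indicator} -> {verdict}")
```

Treat the two kinds of hit differently when triaging: an exact IP or hash match is a strong lead, whereas a netblock hit only says the source sits in Cloudzy address space, which the article itself describes as a hosting provider with ordinary customers as well as abusive ones. A `/24` hit on inbound RDP (port 3389) is worth a look; the same hit on outbound web traffic to a CDN-hosted site is usually noise.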
