C2P entities that operate as legitimate businesses, and may be unaware of how their services are used, can easily be exploited by threat actors for attack campaigns and other illicit purposes.
A scenario like this allows advanced threat actors to build and run an extensive attack infrastructure, with the provider serving as a key pillar of it.
Researchers at the Halcyon Research and Engineering Team recently identified that Cloudzy, an Iranian VPS hosting provider with 15+ data centers around the globe, had been leasing and reselling its server space to 17 different state-sponsored hacking groups from the following countries:
- China
- Russia
- Iran
- North Korea
- India
- Pakistan
- Vietnam
Cloudzy Providing Infrastructure to APT Hackers
Halcyon labeled Cloudzy and similar ISPs as “Command-and-Control Providers” (C2P), an unexplored part of the ransomware economy.
However, the most striking thing is how efficiently legitimate ISPs are aiding nation-state threat actors, ransomware operators, and sanctioned entities without being required to stop the illicit activity.
Profiting from the global attack ecosystem, these C2Ps become major players in the ransomware economy, knowingly or unknowingly.
Cloudzy appears legitimate on social media, but its CEO, Hannan Nozari, remained silent on the report, and despite the company's claims of being U.S.-based, researchers trace its origin to Tehran.
Moreover, the platform offers RDP, VPS, and other services with no questions asked, which criminals and state-sponsored hackers use to obfuscate their origins and host attack tools.
New Ransomware Affiliates
Halcyon also reveals two previously undisclosed ransomware affiliates using Black Basta and Royal:
Both gain system access via Cloudzy IP addresses. Ghost Clown shifted from Conti to Black Basta, while Space Kook moved from Quantum Locker to Royal, using infrastructure that Google's Threat Analysis Group has linked to Exotic Lily.
A deep investigation revealed a link to abrNOC, an Iranian firm founded by Hannan Nozari in Tehran. Eight Cloudzy employees in Iran showed crossover with abrNOC staff.
IoCs
Halcyon urges technical readers to search for indicators of compromise related to C2P Cloudzy and be vigilant about the 11 identified RDP hostnames to detect ongoing attacks and prevent future malicious activity.
The IoCs published with the report are listed below:
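As an added example (not from the article or from Halcyon), the following Python script shows how a defender can act on the IoC list referenced above: it refangs the "[.]"-defanged indicators as published, parses the IPs and netblocks into CIDR ranges, and scans constructed firewall log lines for destinations that fall inside any of those ranges. The indicator values are a handful taken from the article's Halcyon IoC list; the log lines and their `dst=` format are an assumption made up for the demonstration.

```python
import ipaddress
import re

# A few entries from the Halcyon IoC list as printed in the article,
# kept in the defanged "[.]" notation in which they were published.
C2P_INDICATORS = [
    "23.19.58[.]181",
    "172.93.201[.]120",
    "172.86.120.0/22",
    "172.93.179.8/29",
    "64.44.135.0/24",
]


def refang(indicator: str) -> str:
    """Turn a defanged '1.2.3[.]4' indicator back into a parsable '1.2.3.4'."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def build_networks(indicators):
    """Parse IPs and CIDRs into ip_network objects; a bare IP becomes a /32 host route."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in indicators]


# Assumed log format: key=value pairs, destination address under "dst=".
LOG_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def match_log(lines, networks):
    """Return (line_no, dst_ip, network) for every line whose destination is inside an IoC range."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        for net in networks:
            if ip in net:
                hits.append((n, str(ip), str(net)))
                break
    return hits


# Constructed sample firewall lines: line 2 sits inside the /22, line 3 is an exact
# host match, and line 4 is one address past the end of the /29 (no match).
SAMPLE_LOG = [
    "2023-08-01T10:00:01 fw allow src=10.0.0.5 dst=8.8.8.8 dport=53",
    "2023-08-01T10:00:07 fw allow src=10.0.0.9 dst=172.86.121.33 dport=3389",
    "2023-08-01T10:00:09 fw allow src=10.0.0.9 dst=172.93.201.120 dport=443",
    "2023-08-01T10:00:12 fw allow src=10.0.0.11 dst=172.93.179.16 dport=443",
]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, build_networks(C2P_INDICATORS)):
        print("line %d: %s in %s" % hit)
```

Feeding the script the full netblock list and real firewall or proxy exports is the natural next step; the /29 boundary case in the sample shows why CIDR containment, not string prefix matching, is the right check.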
Source: https://cybersecuritynews.com/cloud-hosting-provider-accused-ransomware/