UPDATE: Cloudzy Command and Control Provider Report
August 4, 2023
The Halcyon Research and Engineering Team recently shed light on another major player in the Ransomware Economy that has been central to major ransomware attacks and multiple state-sponsored APT operations: Command-and-Control Providers (C2P), which sell services to threat actors while assuming an otherwise legal business profile.
Halcyon identified one in particular that stood out: Cloudzy. It was observed that the ISP was providing services to APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; and several criminal syndicates and ransomware affiliates.
The initial response from Cloudzy was minimal. Prior to the report being published, Cloudzy CEO Hassan Nozari told Reuters his company "couldn’t be held responsible for its clients," of which he estimated just 2% were malicious.
Nozari further stated, “If you are a knife factory, are you responsible if someone misuses the knife? Trust me I hate those criminals and we do everything we can to get rid of them.”
Cloudzy provided another statement to CSO after the report was published that stated: “At this moment, our team is actively investigating the claims made in the reports through proper legal channels. We believe it is essential to thoroughly review the allegations to ensure a fair and accurate understanding of the situation. Once the investigation is complete, we will be more than willing to provide a comprehensive statement and engage in an open dialogue about the findings.”
Halcyon looks forward to reviewing their findings. Meanwhile, the response to the report from security professionals and the wider community has been tremendous, with more intelligence and inquiries coming in daily. While we can’t share everything publicly, here are a few items of particular interest:
Abuse of DuckDNS
A skilled Threat Intelligence Analyst sent us some IOCs indicating that, based on the report, they had identified a number of hosts abusing DuckDNS services.
They said that the format of the hostnames was <CaliforniaCity>.duckdns[.]org and that they were identified as active mail servers at this IP address:
167.88.168[.]99 - RouterHosting LLC
While unverified by Halcyon at the time of writing this blog, the source of this information is a well-respected and trusted contributor to the security community. Halcyon researchers are looking into this and other potentially related IOCs as more information about Cloudzy/abrNOC surfaces and is shared with us.
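For defenders who want to check their own DNS telemetry against the pattern described above, the following is an added example written for this update; it is not Halcyon's tooling or the analyst's original detection. It refangs the reported IP, flags any resolution to it, and separately flags DuckDNS hostnames whose leading label is a California city name (the city list and the resolver log format are constructed assumptions, and the log lines are made up for the example). A bare DuckDNS subdomain is reported at lower confidence because the service has many legitimate users.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Indicator taken from the report above, kept defanged until it is needed.
REPORTED_IP = "167.88.168[.]99"

# Constructed approximation of the "<CaliforniaCity>" label pattern (assumption, not from the report).
CALIFORNIA_CITIES = {"fresno", "oakland", "sacramento", "sandiego", "sanjose", "losangeles"}

# Matches "<label>.duckdns.org"; labels may contain hyphens, as in "san-diego".
DUCKDNS_RE = re.compile(r"^(?P<label>[a-z0-9-]+)\.duckdns\.org$")

# Assumed resolver log format: "<timestamp> <client> <qname> A <answer>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$")

# Constructed sample log lines; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z 10.0.0.5 sacramento.duckdns.org A 167.88.168.99
2023-08-01T10:00:02Z 10.0.0.7 mail.example.com A 203.0.113.10
2023-08-01T10:00:03Z 10.0.0.9 fresno.duckdns.org A 167.88.168.99
2023-08-01T10:00:04Z 10.0.0.9 updates.duckdns.org A 198.51.100.4
2023-08-01T10:00:05Z 10.0.0.5 san-diego.duckdns.org A 192.0.2.8
"""


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 167.88.168[.]99 or duckdns[.]org back into a literal."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang an address so it can be pasted into a report without becoming a live link."""
    return indicator.replace(".", "[.]")


def classify_hostname(hostname: str) -> Optional[str]:
    """'duckdns-california' for a California-city label, 'duckdns' for any other
    DuckDNS subdomain, None for hostnames that are not DuckDNS at all."""
    m = DUCKDNS_RE.match(hostname.strip().lower().rstrip("."))
    if not m:
        return None
    label = m.group("label").replace("-", "")
    return "duckdns-california" if label in CALIFORNIA_CITIES else "duckdns"


def hunt(lines: Iterable[str], watch_ip: str = REPORTED_IP) -> List[Dict]:
    """Return one hit per log line that resolves to the watched IP or matches the DuckDNS pattern."""
    watch = ipaddress.ip_address(refang(watch_ip))
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not A-record answers in the assumed format
        qname, answer = m["qname"], m["answer"]
        reasons = []
        try:
            if ipaddress.ip_address(answer) == watch:
                reasons.append("resolves-to-reported-ip")
        except ValueError:
            pass  # malformed answer field; still evaluate the hostname
        kind = classify_hostname(qname)
        if kind == "duckdns-california":
            reasons.append("duckdns-california-city-label")
        elif kind == "duckdns":
            reasons.append("duckdns-subdomain")  # lower confidence on its own
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": qname,
                         "answer": defang(answer), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} -> {hit['answer']}: {', '.join(hit['reasons'])}")
```

Hits that carry both reasons are the ones worth triaging first; a DuckDNS name that resolves elsewhere is only a lead until the resolved address is checked against the other IOCs for this case.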
Shortly after the report was published, the team at IPXO reached out to us with some concerns, as Cloudzy was a customer leasing 14 IP ranges that it was reselling. IPXO provides full-cycle IP management, functional IP leasing and monetization ecosystems.
The IPXO representative informed Halcyon that, based on the research report, they are taking and will continue to take action to prevent additional abuse. They asked for additional intelligence from Halcyon, which was provided for their consideration.
We want to specifically commend IPXO for taking swift and decisive action in stating which IP addresses were leased by Cloudzy and initiating actions to prevent further abuse.
In the report, Halcyon researchers detailed how they researched Cloudzy’s corporate records, as well as some of the people who were purported to work for Cloudzy.
Halcyon discovered what appears to be a mix of seemingly fictitious people and an office full of employees in Tehran, many of whom also appeared to be working for two businesses at the same time: the American company Cloudzy and the Iranian company abrNOC.
Shortly after the report was published, abrNOC deleted their Twitter/X account:
Another observer who had read the report and tried to navigate to the abrNOC website was presented with a phishing alert from their antivirus software:
We also observed that abrNOC started blocking access to their website:
The plot thickens... story will continue to be updated.
Collaborating with Halcyon
Halcyon welcomes the opportunity to work with the community on any identified malicious activity related to the C2P Cloudzy. You can e-mail us at firstname.lastname@example.org.
Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by attackers to stop attackers. The solution is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.