UPDATE: Cloudzy Command and Control Provider Report

The Halcyon Research and Engineering Team recently shed light on another major player in the Ransomware Economy that has been central to major ransomware attacks and multiple state-sponsored APT operations: Command-and-Control Providers (C2P) and sell services to threat actors while assuming an otherwise legal business profile.  

Halcyon identified one in particular that stood out: Cloudzy. It was observed that the ISP was providing services to APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates.  

The report, titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps), assessed that potentially 40% - 60% of the overall activity at Cloudzy was malicious in nature.  

The initial response from Cloudzy was minimal. Prior to the report being published, Cloudzy CEO Hassan Nozari told Reuters his company "couldn’t be held responsible for its clients," of which he estimated just 2% were malicious.

Nozari further stated, “If you are a knife factory, are you responsible if someone misuses the knife? Trust me I hate those criminals and we do everything we can to get rid of them.”  

Cloudzy provided another statement to CSO after the report was published that stated: “At this moment, our team is actively investigating the claims made in the reports through proper legal channels. We believe it is essential to thoroughly review the allegations to ensure a fair and accurate understanding of the situation. Once the investigation is complete, we will be more than willing to provide a comprehensive statement and engage in an open dialogue about the findings.”  

Halcyon looks forward to reviewing their findings. Meanwhile, the response to the report from security professionals and the wider community has been tremendous, with more intelligence and inquiries coming in daily. While we can’t share everything publicly, here’s a few items of particular interest:  

Abuse of DuckDNS  

A skilled Threat Intelligence Analyst sent us some IOCs indicating that, based on the report, they had identified a number of hosts abusing DuckDNS services.  

They said that the format of the hostnames was <CaliforniaCity>.duckdns[.]org and that they were identified as active mail servers at this IP address:  

    167.88.168[.]99 - RouterHosting LLC  

While unverified by Halcyon at the time of writing this blog, the source of this information is a well-respected and trusted contributor to the security community. Halcyon researchers are looking into this and other potentially related IOCs as more information about Cloudzy/abrNOC is surfaced and being shared with us.  

IPXO  

Shortly after the report was published, the team at IPXO reached out to us with some concerns, as Cloudzy was a customer leasing 14 IP ranges which they were reselling. IPXO provides full-cycle IP management, functional IP leasing and monetization ecosystems.  

The IPXO representative informed Halcyon that, based on the research report, they are taking and will continue to take action to prevent additional abuse. They asked for additional intelligence from Halcyon, which was provided for their consideration.  

We want to specifically commend IPXO for taking swift and decisive action in stating which IP addresses were leased by Cloudzy and initiating actions to prevent further abuse.  

abrNOC  

In the report, Halcyon researchers detailed how they researched Cloudzy’s corporate records, as well as some of the people who were purported to work for Cloudzy.  

Halcyon discovered what appears to be a mix of seemingly fictitious people and an office full of employees in Tehran, many of whom also appeared to be working for two businesses at the same time: the American company Cloudzy and the Iranian company abrNOC.  

Shortly after the report was published, abrNOC deleted their Twitter/X account:  

Another observer who had read the report and tried to navigate to the abrNOC website was presented with a phishing alert from their antivirus software:  

We also observed that abrNOC started blocking access to their website:  

‍

The plot thickens... story will continue to be updated.

‍

Collaborating with Halcyon  

Halcyon welcomes the opportunity to work with the community on any identified malicious activity related to the C2P Cloudzy. You can e-mail us at threat_research@halcyon.ai.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).