Hosting Provider Accused of Facilitating Nation-State Hacks

Researchers Allege Cloudzy Lacks Know-Your-Customer Safeguards, Operates From Iran
A little-known cloud infrastructure provider has been facilitating ransomware and nation-state attacks, reported cybersecurity firm Halcyon.
Hosting provider Cloudzy, formerly known as RouterHosting, bills itself as "your VPS hosting solutions in the clouds." A virtual private server provides customers with remote access to virtualized instances. Customers can pay not only with payment cards and PayPal but also with bitcoin, ethereum and monero.
A report by Texas-based cybersecurity firm Halcyon alleges that due to poor know-your-customer safeguards - or potentially just looking the other way - including by accepting payment via cryptocurrency, Cloudzy has been facilitating copious quantities of illicit online activity, comprising an estimated 40% to 60% of all its traffic.
The allegations, whether true or not, are a reminder that cybercrime doesn't operate in a vacuum. Rather, there's a burgeoning service and support ecosystem. Services include initial access brokers who provide on-demand access to victims, botnet owners who facilitate malware-laden phishing attacks, and repacking services that make malware tougher to spot. They also include ransomware-as-a-service operators who lease their code to business partners, the affiliates who use it to infect victims, and cryptocurrency money laundering services that help criminals - operating online or off - convert their ill-gotten gains into cash.
Cloudzy's Base of Operations
Online attackers require infrastructure for launching their attacks. Some make use of bulletproof service providers, which provide VPS and other types of hosting services in return for a promise, typically for a relatively high fee, that customers can do whatever they like.
Halcyon's report alleges that Cloudzy functionally operates in a similar manner, due to a lack of proper oversight, including allowing cryptocurrency-using customers to be able to remain anonymous.
The researchers said Cloudzy's customers in recent years have included more than two dozen apparently malicious groups, including:
- Nation-state hackers: Advanced persistent threat groups tied to China, India, Iran, North Korea, Pakistan, Russia and Vietnam;
- Commercial spyware: Israeli spyware vendor Candiru, which was sanctioned by the Biden administration in November 2021 for allegedly supplying spyware to foreign governments for use in targeting officials, journalists, activists, academics, embassy workers and others;
- Ransomware: "Ghost Clown" and "Space Kook," which are respectively affiliates of the Black Basta and Royal ransomware strains;
- Cybercrime: Multiple other criminal syndicates.
Cloudzy says it is based in Cyprus and the U.S., and it lists its U.S. incorporation address as being in Wyoming, while technical support routes to Las Vegas.
Halcyon counters that the company "almost certainly" operates out of Tehran, Iran. An individual named Hannan Nozari is the self-described founder of both Cloudzy and Tehran-based abrNOC, which says on its website that it "started out with hosting and VPS services." Halcyon said many of the employees listed on Cloudzy's site appear to be fictitious, except for ones that also work for abrNOC. It surmises that abrNOC runs Cloudzy.
In an interview with Reuters, Nozari claimed he lived outside Iran - but wouldn't say where - and denied that half of the traffic handled by his site was malicious, saying it was more on the order of 2%. He also confirmed abrNOC runs some of Cloudzy's operations and said Cloudzy requires a U.S. business address to give it access to American IP addresses.
Nozari also claimed to not be intentionally supporting any type of cybercrime. "If you are a knife factory, are you responsible if someone misuses the knife? Trust me, I hate those criminals and we do everything we can to get rid of them," he told Reuters.
To help defenders protect themselves against attacks routed via Cloudzy, Halcyon has published a list of remote desktop protocol hostnames it traced to the hosting provider - Cloudzy provides RDP access to its VPS instances - and said this was how it identified that over two dozen attack groups were using the service.