An ISP Named Cloudzy Is Discovered To Be Supporting Cybercrime

In a new report, researchers at Halcyon detail an ISP with a legal US business profile, identified as Cloudzy, that is facilitating ransomware attacks and state-sponsored APT operations by providing command-and-control provider (C2P) services to more than 20 hacking groups, including ransomware operators, spyware vendors, and state-sponsored APT actors.

Cloudzy does not verify customer identities and accepts anonymous crypto payments. Despite terms and conditions that prohibit using its services for illicit activities, more than half of the servers hosted by Cloudzy appear to directly support malicious activity, on infrastructure run from IP space owned by other ISPs.

The company is registered in the US but really only exists on paper; its ‘employees’ are those of the hosting firm abrNOC in Tehran. Halcyon also discovered infrastructure associated with hacking groups tied to the Chinese, Iranian, Indian, North Korean, Pakistani, Russian, and Vietnamese governments, with the sanctioned Israeli spyware vendor Candiru, and with other cybercrime and ransomware groups.

“While these C2P entities are ostensibly legitimate businesses that may or may not know that their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus leveraged by some of the most advanced threat actors,” said Halcyon on their blog.

Carol Volk, EVP, BullWall had this comment:

“Ransomware actors are knowingly or unknowingly supported by ISPs and crypto networks. They are a profitable and growing business model and all we can do is be prepared for the coming attack.

“In the near term, AI automation will initially accelerate the ransomware problem, while companies and researchers continue to improve upon methods of applying automation and AI approaches to their cyber defenses. Research by IBM found that fully 64% of respondents are already using AI to improve cyber defenses and response times, and 29% are evaluating implementation to improve their cyber defenses. AI will continue to improve the ability to identify network breaches and implement containment strategies, stopping the attacks before they can remove or encrypt data.”

Willy Leichter, VP, Cyware, follows up with this:

“This is another example of the well-developed hacking-as-a-service industry, and the limitations of blocking traffic based on location. While this is thinly veiled, there is certainly a lot of infrastructure in the US and other countries being controlled by illegal hacking groups. We need to always have a zero-trust mindset – don’t assume anything is safe because it’s from a reputable location.”
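The point about the limits of location-based blocking can be made concrete with a small egress-policy comparison. This is an added example, not code from the article, from Halcyon, or from either commentator; the flow records, IP addresses (documentation ranges), country codes and AS descriptions are all constructed for illustration. It evaluates the same outbound flows under a geo-only block policy and under a deny-by-default policy that only permits explicitly allowlisted destinations, showing that a command-and-control server hosted in a "reputable" country passes the first check and is caught by the second.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of outbound flows as a perimeter sensor might summarise them.
# None of these addresses or provider names are real indicators.
@dataclass(frozen=True)
class Flow:
    dst: str        # destination IP
    country: str    # GeoIP country code for dst
    asn_desc: str   # description of the hosting AS / provider
    bytes_out: int  # bytes sent over the observation window
    conns: int      # connection count over the observation window

SAMPLE_FLOWS = [
    # Known SaaS dependency, explicitly allowlisted below.
    Flow("203.0.113.10", "US", "Example SaaS Inc (constructed)", 120_000, 40),
    # US-hosted VPS at a generic provider, not on the allowlist: steady,
    # high-volume outbound connections are consistent with C2 beaconing.
    Flow("203.0.113.77", "US", "Generic Cloud Hosting (constructed)", 9_800_000, 1440),
    # Destination in a country the geo policy blocks outright.
    Flow("198.51.100.5", "RU", "Bulletproof Host LLC (constructed)", 2_000, 3),
]

# Geo-only policy: block a short list of countries, allow everything else.
BLOCKED_COUNTRIES = {"RU", "IR", "KP"}

# Deny-by-default policy: only destinations the organisation has justified.
# 203.0.113.0/28 covers .0-.15, so the SaaS host is allowed and the .77 VPS is not.
ALLOWED_DESTINATIONS = [ip_network("203.0.113.0/28")]


def geo_policy(flow: Flow) -> bool:
    """Return True when the geo-only policy would allow this flow."""
    return flow.country not in BLOCKED_COUNTRIES


def zero_trust_policy(flow: Flow) -> bool:
    """Return True only when the destination is on the explicit allowlist."""
    dst = ip_address(flow.dst)
    return any(dst in net for net in ALLOWED_DESTINATIONS)


def flag_suspicious(flows, policy) -> list:
    """Destinations a given policy would block (the ones a defender gets to look at)."""
    return [f.dst for f in flows if not policy(f)]


if __name__ == "__main__":
    print("geo-only blocks:   ", flag_suspicious(SAMPLE_FLOWS, geo_policy))
    print("deny-default blocks:", flag_suspicious(SAMPLE_FLOWS, zero_trust_policy))
```

Under the geo-only policy the constructed US-hosted VPS is never examined; under the deny-by-default policy it surfaces alongside the obviously foreign destination, which is the practical meaning of not treating a location as a proxy for trust.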

I have to admit that this is pretty crafty and a great way for these threat actors to get to victims. I wonder how many other setups like these exist? It would be in our interest to find out quickly.
