A threat actor identified as “Hazy Hawk” is capitalizing on neglected DNS CNAME records associated with abandoned cloud services. This exploitation allows them to seize control of trusted subdomains belonging to governments, educational institutions, and Fortune 500 companies, which they utilize for the distribution of scams, counterfeit applications, and malicious advertisements.<\/p>\n
Research conducted by security experts reveals that Hazy Hawk begins by scanning domains for CNAME records that point to outdated cloud endpoints, a process made possible through passive DNS data validation techniques. Once an abandoned CNAME record is identified, the actor registers a new cloud resource that mirrors the original CNAME name, redirecting the legitimate subdomain to their newly established cloud-hosted site.<\/p>\n
This strategy has permitted these attackers to commandeer a range of domains, facilitating various malicious operations, including cloaking harmful activities and hosting scam content or serving as redirect hubs within broader fraud campaigns. <\/p>\n
Some significant examples of the hijacked domains include:<\/p>\n
– cdc.gov<\/strong> \u2013 U.S. Centers for Disease Control and Prevention For comprehensive insights, refer to the complete list of affected domains outlined in the research.<\/p>\n Once control of a subdomain is secured, Hazy Hawk generates numerous malicious URLs that leverage the high trust score associated with the parent domain, rendering them seemingly legitimate on search engines. Users who click on these URLs are redirected through a series of domains and traffic distribution systems (TDS) that assess their device type, IP address, VPN utilization, and other factors to identify potential victims.<\/p>\n Infoblox’s investigations have revealed that these manipulated sites are primarily employed for various forms of scams, including tech support fraud, misleading antivirus alerts, counterfeit streaming services, and phishing endeavors. Individuals duped into accepting browser push notifications receive ongoing alerts, even after navigating away from the scam sites, creating a lucrative revenue stream for Hazy Hawk.<\/p>\n In prior analyses, researchers also reported on another threat group known as “Savvy Seahorse,” which employed similar tactics utilizing CNAME records to construct a nontraditional TDS that directed users to fraudulent investment platforms.<\/p>\n The overlooked nature of CNAME records renders them particularly susceptible to covert exploitation, and it is evident that an increasing number of threat actors are attempting to leverage this vulnerability. The success of Hazy Hawk’s operations also hinges on organizations failing to eliminate DNS records after the decommissioning of cloud services, thus allowing attackers to replicate original resource names without any authentication.<\/p>\n","protected":false},"excerpt":{"rendered":" A threat actor identified as “Hazy Hawk” is capitalizing on neglected DNS CNAME records associated with abandoned cloud services. This…<\/p>\n","protected":false},"author":1,"featured_media":1295,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[326,423,521],"class_list":["post-1294","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-cloud","tag-dns","tag-subdomain"],"acf":[],"yoast_head":"\n
\n– honeywell.com<\/strong> \u2013 Multinational conglomerate
\n– berkeley.edu<\/strong> \u2013 University of California, Berkeley
\n– michelin.co.uk<\/strong> \u2013 Michelin Tires UK
\n– ey.com, pwc.com, deloitte.com<\/strong> \u2013 Global “Big Four” consulting firms
\n– ted.com<\/strong> \u2013 Nonprofit media organization (TED Talks)
\n– health.gov.au<\/strong> \u2013 Australian Department of Health
\n– unicef.org<\/strong> \u2013 United Nations Children’s Fund
\n– nyu.edu<\/strong> \u2013 New York University
\n– unilever.com<\/strong> \u2013 Global consumer goods company
\n– ca.gov<\/strong> \u2013 California State Government<\/p>\n