Hazy Hawk Group Leverages DNS Misconfigurations to Compromise Trusted Domains


A threat actor identified as “Hazy Hawk” is capitalizing on neglected DNS CNAME records associated with abandoned cloud services. This exploitation allows them to seize control of trusted subdomains belonging to governments, educational institutions, and Fortune 500 companies, which they utilize for the distribution of scams, counterfeit applications, and malicious advertisements.

Research conducted by security experts reveals that Hazy Hawk begins by scanning domains for CNAME records that point to cloud endpoints that no longer exist, a process that relies on passive DNS data to validate candidate records. Once an abandoned CNAME target is identified, the actor registers a new cloud resource under the same name as the original target, so the still-live subdomain now resolves to their newly established cloud-hosted site.

This strategy has permitted these attackers to commandeer a range of domains, facilitating various malicious operations, including cloaking harmful activities and hosting scam content or serving as redirect hubs within broader fraud campaigns.

Some significant examples of the hijacked domains include:

cdc.gov – U.S. Centers for Disease Control and Prevention
honeywell.com – Multinational conglomerate
berkeley.edu – University of California, Berkeley
michelin.co.uk – Michelin Tires UK
ey.com, pwc.com, deloitte.com – Global “Big Four” consulting firms
ted.com – Nonprofit media organization (TED Talks)
health.gov.au – Australian Department of Health
unicef.org – United Nations Children’s Fund
nyu.edu – New York University
unilever.com – Global consumer goods company
ca.gov – California State Government

For comprehensive insights, refer to the complete list of affected domains outlined in the research.

Once control of a subdomain is secured, Hazy Hawk generates numerous malicious URLs that leverage the high trust score associated with the parent domain, rendering them seemingly legitimate on search engines. Users who click on these URLs are redirected through a series of domains and traffic distribution systems (TDS) that assess their device type, IP address, VPN utilization, and other factors to identify potential victims.

Infoblox’s investigations have revealed that these manipulated sites are primarily employed for various forms of scams, including tech support fraud, misleading antivirus alerts, counterfeit streaming services, and phishing endeavors. Individuals duped into accepting browser push notifications receive ongoing alerts, even after navigating away from the scam sites, creating a lucrative revenue stream for Hazy Hawk.

In prior analyses, researchers also reported on another threat group known as “Savvy Seahorse,” which employed similar tactics utilizing CNAME records to construct a nontraditional TDS that directed users to fraudulent investment platforms.

The overlooked nature of CNAME records renders them particularly susceptible to covert exploitation, and it is evident that an increasing number of threat actors are attempting to leverage this weakness. The success of Hazy Hawk’s operations also hinges on organizations failing to remove DNS records after the decommissioning of cloud services; because nothing ties the dangling record to its former owner, attackers can re-register the original resource name with the cloud provider without any authentication.
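The defensive check that follows from this is a periodic audit of every CNAME in your own zones for targets that point at a cloud provider but no longer resolve. The script below is an added example, not Infoblox tooling or anything from the research; the zone records, the cloud suffix list and the resolver results are all constructed so it runs offline, and `live_resolves` is the hypothetical drop-in for real use.

```python
"""Audit a DNS zone export for dangling CNAMEs that point at cloud endpoints."""
import socket
from typing import Callable, Iterable

# Constructed list of hostname suffixes used as CNAME targets by common cloud
# services; extend it with the providers your organization actually uses.
CLOUD_SUFFIXES = (
    ".azurewebsites.net", ".cloudfront.net", ".s3.amazonaws.com",
    ".trafficmanager.net", ".herokuapp.com", ".github.io",
)

# Constructed zone export: (owner name, record type, target/value).
SAMPLE_ZONE = [
    ("www.example.org", "A", "203.0.113.10"),
    ("portal.example.org", "CNAME", "portal-prod.azurewebsites.net."),
    ("old-campaign.example.org", "CNAME", "campaign2019.cloudfront.net."),
    ("intranet.example.org", "CNAME", "intranet.corp.example.org."),
]

# Constructed resolver state: which targets still resolve (the cloud resource
# behind campaign2019.cloudfront.net has been decommissioned).
SAMPLE_LIVE = {"portal-prod.azurewebsites.net", "intranet.corp.example.org"}


def sample_resolves(name: str) -> bool:
    """Offline stand-in for a DNS lookup, driven by SAMPLE_LIVE."""
    return name.rstrip(".").lower() in SAMPLE_LIVE


def live_resolves(name: str) -> bool:
    """Real lookup (hypothetical use): False on NXDOMAIN or any resolver error."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def is_cloud_target(target: str) -> bool:
    """True when the CNAME target lives under one of the cloud suffixes."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def find_dangling_cnames(zone: Iterable[tuple], resolves: Callable[[str], bool]):
    """Return (owner, target) pairs whose cloud-hosted target no longer resolves.

    Each finding is a record to delete (or re-point) before someone else
    registers the target name with the provider."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME" or not is_cloud_target(target):
            continue  # only CNAMEs to claimable cloud names are in scope here
        if not resolves(target):
            findings.append((owner, target.rstrip(".")))
    return findings
```

Run `find_dangling_cnames(your_zone, live_resolves)` against a real zone export; every finding should be removed from the zone as part of decommissioning, not left for a later clean-up.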