SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Hazy Hawk exploits cloud DNS to hijack subdomains for scams

Security researchers have attributed a wave of subdomain hijacking attacks to a threat actor known as Hazy Hawk, which has targeted major organisations globally through abandoned cloud resources.

Infoblox Threat Intel has linked Hazy Hawk to a series of incidents in which the actor hijacks dormant DNS records associated with discontinued cloud services, including Amazon S3 buckets and Microsoft Azure endpoints. These hijacked domains have then been used to distribute scams and malware at scale.

Researchers point out that subdomain hijacking resulting from neglected or forgotten cloud infrastructure has become increasingly commonplace, affecting a range of large organisations.

"Subdomain hijacking through abandoned cloud resources is an issue that probably every major organisation has experienced, and these attacks are on the rise," stated Infoblox Threat Intelligence.

The methods employed by Hazy Hawk differ from those traditionally seen in domain hijacking, as the actor specifically targets DNS misconfigurations in the cloud, requiring access to commercial passive DNS services to identify vulnerable assets.

Infoblox noted, "Hazy Hawk is a sophisticated threat actor that hijacks forgotten DNS records from discontinued cloud services such as Amazon S3 buckets and Azure endpoints. By taking control of these abandoned resources, Hazy Hawk is able to host malicious URLs that lead unsuspecting users to scams and malware."

The scale of the threat has been exacerbated by the widespread adoption of cloud infrastructure, which has led to more abandoned "fire and forget" cloud resources. Larger organisations, especially those without a comprehensive digital asset management solution, are particularly at risk.

Infoblox added, "Identifying vulnerable DNS records in the cloud is significantly more challenging than identifying regular unregistered domains. As cloud usage has grown, the number of abandoned 'fire and forget' resources has skyrocketed, especially for those companies that do not use a comprehensive visibility and management solution for managing all their assets across their digital real estate."

Since December 2024, Hazy Hawk has been linked to the hijacking of subdomains belonging to reputable organisations, including the US Center for Disease Control, various government agencies, universities, and multinational companies. These compromised domains are used as conduits for a range of scams, notably fake advertisements, malicious push notifications, and malware distribution.

Infoblox outlined the key characteristics of Hazy Hawk's operations: "Unlike traditional domain hijackers, Hazy Hawk targets DNS misconfigurations in the cloud and must have access to commercial passive DNS services to do so."

The impact of these attacks is extensive. The reach of hijacked domains has facilitated large-scale fraud, particularly affecting vulnerable groups such as the elderly, and has contributed to financial losses within the multi-billion-dollar fraud market.

According to Infoblox, "The hijacked domains are used to distribute a variety of scams, including fake advertisements and malicious push notifications, affecting millions of users globally. The scams facilitated by Hazy Hawk contribute to the multi-billion-dollar fraud market, with significant financial losses reported, particularly among the elderly population."

Hazy Hawk employs a series of obfuscation techniques to protect its malicious infrastructure. These include hijacking highly trusted domains, obfuscating URLs, and routing victim traffic through a chain of multiple domains to reduce the traceability of its operations.

Infoblox remarked, "Hazy Hawk uses layered defences to protect its operations, including hijacking reputable domains, obfuscating URLs, and redirecting traffic through multiple domains."

To address the risks posed by actors such as Hazy Hawk, security professionals advise organisations to adopt stringent DNS management protocols. This entails frequent audits of all DNS records, swift termination of DNS entries linked to obsolete cloud services, and improved asset visibility across digital estates.
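The audit step described above can be partly automated. The following script is an added example for this article, not Infoblox's or SecurityBrief's code: it parses a zone file, lists every CNAME that points at a cloud-provider hostname, and separates those whose target no longer resolves (likely dangling, and the kind of record Hazy Hawk looks for) from those that still resolve and merely need an ownership review. The zone contents, the cloud suffix list and the stub resolver are all constructed for the example; a real run would pass the default `socket.getaddrinfo`-based resolver.

```python
"""Dangling-CNAME audit for cloud-pointed DNS records (added example)."""
from __future__ import annotations

import socket
from dataclasses import dataclass

# Assumed list of cloud-provider hostname suffixes to inspect. Extend it with
# whatever providers your organisation actually uses.
CLOUD_SUFFIXES = (
    ".amazonaws.com",        # S3 buckets, ELBs, etc.
    ".cloudfront.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".trafficmanager.net",
)


@dataclass(frozen=True)
class Record:
    name: str    # owner name without trailing dot, lower-cased
    rtype: str   # e.g. "CNAME", "A", "MX"
    rdata: str   # record data as written in the zone


# Constructed sample zone (example.test is a reserved name; none of this is real data).
SAMPLE_ZONE = """
; constructed sample zone for example.test
www.example.test.      300 IN CNAME  d111111abcdef8.cloudfront.net.
old-app.example.test.  300 IN CNAME  old-app-legacy.azurewebsites.net.
assets.example.test.   300 IN CNAME  example-assets-2019.s3.amazonaws.com.
mail.example.test.     300 IN MX     10 mx1.example.test.
api.example.test.      300 IN A      192.0.2.10
"""


def parse_zone(text: str) -> list[Record]:
    """Parse a minimal 'name ttl class type rdata' zone export into Records."""
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unparseable zone line: {raw!r}")
        name, _ttl, _klass, rtype, *rdata = fields
        records.append(Record(name.rstrip(".").lower(), rtype.upper(), " ".join(rdata)))
    return records


def socket_resolves(host: str) -> bool:
    """Real resolver: True if the hostname has any address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


# Constructed stub so the example runs offline: only these targets "resolve".
STUB_LIVE_HOSTS = {
    "d111111abcdef8.cloudfront.net",
    "example-assets-2019.s3.amazonaws.com",
}


def stub_resolves(host: str) -> bool:
    return host in STUB_LIVE_HOSTS


def audit(records: list[Record], resolves=socket_resolves) -> dict[str, list[tuple[str, str]]]:
    """Split cloud-pointed CNAMEs into 'dangling' (target no longer resolves)
    and 'review' (target still resolves; confirm the resource is still yours)."""
    result: dict[str, list[tuple[str, str]]] = {"dangling": [], "review": []}
    for rec in records:
        if rec.rtype != "CNAME":
            continue
        target = rec.rdata.rstrip(".").lower()
        if not target.endswith(CLOUD_SUFFIXES):
            continue
        bucket = "review" if resolves(target) else "dangling"
        result[bucket].append((rec.name, target))
    return result


if __name__ == "__main__":
    findings = audit(parse_zone(SAMPLE_ZONE), stub_resolves)
    for name, target in findings["dangling"]:
        print(f"DANGLING  {name} -> {target}  (remove or reclaim the resource)")
    for name, target in findings["review"]:
        print(f"REVIEW    {name} -> {target}  (confirm the cloud resource is still owned)")
```

A target that still resolves is not proof that it is safe: some providers answer for any hostname under a shared suffix even when the underlying bucket or app has been deleted, which is exactly why the script reports those records for ownership review rather than silently passing them. Run it against each zone export on a schedule, and treat anything in the dangling list as a record to delete before an attacker re-registers the resource.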

Organisations are also encouraged to educate users about the dangers of accepting browser push notification requests from unfamiliar websites, which are often leveraged in such scams, in order to reduce the risk to employees and customers alike.
