Scammers Exploit DNS Records of Unused Cloud Accounts

‘Hazy Hawk’ Linked to Rampant Domain Hijackings

A hacking group known as “Hazy Hawk” has emerged, using a commercial domain name system (DNS) archiving service to find and exploit misconfigured DNS records belonging to reputable organizations, then spreading links to fraudulent domains from those trusted names. This trend highlights a significant rise in domain hijacking and illicit online activity.

The threat has gained attention following an incident involving a domain owned by the U.S. Centers for Disease Control and Prevention (CDC) in February, which was found hosting multiple URLs linked to pornographic content. Hazy Hawk is particularly noted for its strategy of targeting poorly configured DNS records connected to abandoned cloud resources, such as Amazon Web Services (AWS) S3 buckets and Microsoft Azure endpoints, as reported by the cloud security firm Infoblox.

This operation has been in effect since at least December 2023. It focuses on the CNAME field of DNS records, checking whether a record still points at a cloud resource that has since been decommissioned. Such a dangling record is a weakness: an attacker can create a new cloud resource under the same hostname, so the organization’s subdomain quietly resolves to content the attacker controls while still carrying the trusted domain’s name and reputation.
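The defensive counterpart to what the article describes is to audit your own zone for CNAMEs that point at cloud hostnames which no longer resolve. The script below is an added example, not code from the article or from Infoblox: it parses BIND-style zone lines, keeps CNAMEs whose target sits under an assumed list of cloud provider suffixes, and flags the ones whose target returns no address. The suffix list, the sample zone and the offline stand-in resolver are constructed for illustration.

```python
"""Audit a DNS zone export for dangling CNAMEs that point at cloud resources.

Added example (not from the article or Infoblox). It finds CNAME records whose
target lies under a cloud provider suffix and no longer resolves, which is the
condition the article describes for abandoned AWS S3 / Azure endpoints.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumed provider suffixes where a deleted resource leaves behind a hostname
# that someone else could later claim. Extend for the providers you use.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
)


@dataclass(frozen=True)
class Cname:
    name: str    # owner name, e.g. "files.example.org"
    target: str  # CNAME target, e.g. "old-bucket.s3.amazonaws.com"


def parse_zone(lines: Iterable[str]) -> List[Cname]:
    """Extract CNAME records from BIND-style zone lines (trailing dots stripped)."""
    records = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # Accept "name [ttl] [IN] CNAME target"; TTL and class are optional.
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx + 1 >= len(fields):
            continue
        records.append(Cname(fields[0].rstrip(".").lower(),
                             fields[idx + 1].rstrip(".").lower()))
    return records


def is_cloud_target(target: str) -> bool:
    """True if the target hostname is under one of the assumed provider suffixes."""
    return target.endswith(CLOUD_SUFFIXES)


def resolves(host: str) -> bool:
    """Live resolver: True if the host currently has an A/AAAA answer."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: Iterable[Cname],
                  resolver: Callable[[str], bool] = resolves) -> List[Cname]:
    """Return the CNAMEs whose cloud-hosted target no longer resolves."""
    return [r for r in records if is_cloud_target(r.target) and not resolver(r.target)]


# Constructed sample zone export; none of these names are real records.
SAMPLE_ZONE = """
; constructed sample zone export
www.example.org.      300 IN CNAME  example-org.github.io.
files.example.org.    300 IN CNAME  legacy-files-2019.s3.amazonaws.com.
portal.example.org.   300 IN CNAME  portal-prod.azurewebsites.net.
cdn.example.org.      300 IN CNAME  assets.blob.core.windows.net.
mail.example.org.     300 IN MX     10 mx1.example.org.
""".splitlines()

# Offline stand-in for DNS: only these targets are pretended to still exist.
STILL_LIVE = {"example-org.github.io", "portal-prod.azurewebsites.net"}


def offline_resolver(host: str) -> bool:
    return host in STILL_LIVE


def audit_sample() -> List[Cname]:
    """Run the audit over the constructed zone with the offline resolver."""
    return find_dangling(parse_zone(SAMPLE_ZONE), offline_resolver)


if __name__ == "__main__":
    for rec in audit_sample():
        print(f"DANGLING: {rec.name} -> {rec.target}")
```

The resolver is injectable because a pure DNS check is not enough for every provider: S3 bucket hostnames still resolve through the provider's wildcard after the bucket is deleted, so for that suffix the check should be replaced with a probe for the provider's "no such resource" response. For providers whose deleted hostnames simply stop resolving (Azure App Service names behave this way), the address lookup alone is the right signal.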

Infoblox emphasizes that the striking aspect of Hazy Hawk’s methods is the way these vulnerable domains, tied to respected entities, are not used for espionage but instead serve as conduits to the dangerous world of adtech, leading victims to an array of scams and counterfeit applications.

Identifying these dangling CNAME records is not trivial, which suggests the group has access to a passive DNS service that maintains historical data on domain name records. Notable victims include institutions such as the University of California, Berkeley, Dignity Health, Honeywell, and Deloitte.

Once a target is identified, Hazy Hawk constructs misleading URLs that often reroute through platforms like Blogspot or js.org, ultimately directing users to a traffic distribution system. The resulting payload may vary and could include fake CAPTCHAs, malicious app downloads, or clickbait offers.

Push notifications significantly enhance the effectiveness of this operation. Victims who inadvertently enable push alerts can continue receiving scam links long after their initial engagement, allowing persistent fraud through underground advertising networks. Infoblox has associated this push infrastructure with known adversaries such as RollerAds and MoneyBadgers.

As of the latest updates, many domains linked to Hazy Hawk’s activities remain operational, indicating that this campaign continues to pose a substantial threat.