Attackers continue to exploit insecure DNS configurations to hijack domain names and redirect users to malicious sites for scams, malware distribution, and other nefarious activities. Recently, a threat actor tracked by Infoblox as "Hazy Hawk" has been leveraging a different version of the attack vector to seize control of abandoned cloud resources, such as S3 buckets and Azure endpoints, linked to prominent organizations. Infoblox observed the threat actor using the hijacked domains to host a large number of URLs that redirected users through traffic distribution systems (TDSes) before directing them to malware-infected sites and scam pages.
Hazy Hawk's victims to date include the US Centers for Disease Control and Prevention (CDC), federal and regional government entities worldwide, universities (including the University of California, Berkeley), healthcare companies, and large corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young. "Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or 'highbrow cybercrime,'" Infoblox researchers Jacques Portal and Renée Burton said in a blog post today. "Instead, they feed into the underworld of adtech, taking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact."
Hazy Hawk's preferred tactic is to leverage dangling CNAME (Canonical Name) records, a type of DNS misconfiguration that can be dangerous. In essence, a dangling CNAME record is a DNS entry that points to a nonexistent or abandoned external domain. Attackers who find such records can claim the referenced domain and redirect traffic to malicious sites. It is somewhat akin to an individual leaving a forwarding address to a location at which they are no longer present, so an attacker who moves in can receive anything that is forwarded to that address.
Specifically, Hazy Hawk actors are exploiting dangling CNAME records that point to cloud-based resources, such as an app on Azure or AWS, which the original organization no longer owns. Such records can result when an organization sets up a CNAME record that might point a subdomain to a cloud service (like a domain for a test app) but then later forgets to remove the CNAME record when the testing is done.
Unlike dangling records that can be found via scans, vulnerable CNAME records are much harder to find and often require a lot of manual work and an understanding of a cloud provider's DNS patterns and processes for handling dropped or abandoned resources, according to Infoblox. Often, it requires an attacker to have access to commercial passive DNS services that collect and analyze historical DNS query data.
Finding these records is considerably harder than finding other types of dangling DNS records that point a domain to an IP address, Burton tells Dark Reading. What Hazy Hawk is doing is finding and hijacking abandoned cloud service endpoints systematically and persistently to deliver malware and scams, she explains: "Previous discussion of this kind of domain hijacking has been limited to just theory or single examples. We are showing it is done consistently and by at least one specific actor."
Infoblox discovered Hazy Hawk's campaigns when investigating a tip about the CDC's domain suddenly hosting dozens of URLs that pointed to pornographic videos and to advertisements for a British soccer game. Many of the links surfaced high up on search engine results because they were hosted on a trusted CDC subdomain. The URLs were heavily cloaked and often led to a TDS, which can be abused to route Web traffic to malicious sites, making attribution difficult.
A victim might have searched for a Liverpool Reds soccer game within a search engine and received spammy results that promised them a free way to view the game, Burton says. However, when the victim clicks on the link, they are directed to a fake page that typically requests them to prove they are human, via a fake CAPTCHA. "After that, they will be routed to a scam depending on several factors, including their device and location," she says. "These scam paths could include a malware download, a fake app, an antivirus, or tech support scam, dating or porn scams, crypto scams, and more."
Infoblox's investigation revealed that the CDC was just one of many reputed organizations worldwide whose domains Hazy Hawk had managed to hijack and misuse since December 2023.
Burton states that the threat actors behind Hazy Hawk are likely based in Eastern Europe and are affiliated with well-known Russian cybercriminal groups. "To thwart threat actors like Hazy Hawk, organizations should implement robust DNS management practices, including regular audits of DNS records and prompt removal of records associated with discontinued cloud services," she says. "Additionally, users should be educated to deny push notification requests from unfamiliar websites to avoid falling victim to scams."
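The dangling-CNAME condition described above, and the "regular audits of DNS records" Burton recommends, can be turned into a small audit check. The following Python script is an added example written for this page, not Infoblox's or Red Sky Alliance's tooling: it parses a BIND-style zone fragment, picks out CNAME records, and classifies each one by whether its target resolves and whether the target sits under a cloud-provider hostname suffix. The zone text and the `FAKE_DNS` lookup table are constructed sample data; the `CLOUD_SUFFIXES` list is an illustrative assumption and should be extended to the providers an organization actually uses.

```python
"""Audit a zone fragment for CNAME records that may be dangling.

Added example, not code from the article. The zone data below is constructed;
the suffix list is an assumption covering a few common cloud endpoints.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hostname suffixes of cloud services whose names can be released by one
# tenant and later claimed by another (assumed list, extend as needed).
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".cloudfront.net",
    ".elasticbeanstalk.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)

# Constructed zone fragment: one test app on Azure that was torn down,
# one S3-backed asset host, one ordinary CNAME, and one A record.
SAMPLE_ZONE = """
; constructed example zone fragment (not real records)
test-app   3600 IN CNAME  old-test-app.azurewebsites.net.
assets          IN CNAME  assets-example.s3.amazonaws.com.
www             IN CNAME  www.example-origin.net.
mail            IN A      192.0.2.10
"""

# Constructed resolver answers standing in for live DNS in this example.
FAKE_DNS: Dict[str, bool] = {
    "old-test-app.azurewebsites.net": False,   # NXDOMAIN: resource deleted
    "assets-example.s3.amazonaws.com": True,   # S3 names resolve regardless
    "www.example-origin.net": True,
}


@dataclass
class Finding:
    owner: str
    target: str
    status: str  # "ok", "cloud-review", "dangling-cloud", "unresolved"


def parse_cname_records(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line in a zone fragment."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        fields = line.split()
        # Accept "owner [ttl] [class] CNAME target"; skip other record types.
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        owner, target = fields[0], fields[idx + 1]
        records.append((owner.rstrip(".").lower(), target.rstrip(".").lower()))
    return records


def is_cloud_target(target: str) -> bool:
    """True when the CNAME target lives under a known cloud-provider suffix."""
    return any(target.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def default_resolver(hostname: str) -> bool:
    """Live lookup: True when the name resolves to at least one address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def audit_cnames(zone_text: str,
                 resolves: Callable[[str], bool] = default_resolver) -> List[Finding]:
    """Classify each CNAME by resolvability and cloud-provider membership."""
    findings = []
    for owner, target in parse_cname_records(zone_text):
        cloud = is_cloud_target(target)
        if resolves(target):
            # A resolving cloud name is not proof the resource is still yours:
            # some services (S3 is one) answer DNS for any bucket-shaped name,
            # so ownership must be confirmed at the application layer.
            status = "cloud-review" if cloud else "ok"
        else:
            status = "dangling-cloud" if cloud else "unresolved"
        findings.append(Finding(owner, target, status))
    return findings


if __name__ == "__main__":
    # Run against the constructed data so the example works offline.
    for f in audit_cnames(SAMPLE_ZONE, lambda h: FAKE_DNS.get(h, False)):
        print(f"{f.owner:10} -> {f.target:40} {f.status}")
```

Pass `default_resolver` (or omit the argument) to run the check against live DNS for an exported zone. The "cloud-review" bucket exists because a resolvable name is not enough to prove the record is safe: for services such as S3 the hostname resolves whether or not the bucket still belongs to you, so those records need an ownership check against the provider's console or API, and any record in the "dangling-cloud" bucket should simply be removed, as Burton advises, rather than left for someone else to claim.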
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122