Hazy Hawk uses DNS misconfigurations to hijack targeted domains

June 16, 2025

The Hazy Hawk threat group allegedly exploits misconfigured DNS CNAME records to hijack subdomains of trusted organisations. These targeted domains include government entities, academic institutions, and Fortune 500 companies.

This activity targets DNS records whose targets point to cloud services that are no longer in use. The compromised subdomains are then utilised to spread scams, counterfeit applications, and harmful advertisements.

Researchers have reported that Hazy Hawk starts by scanning for domains with CNAME records that point to defunct cloud endpoints, then confirms which of those records are vulnerable by checking them against passive DNS data.

They subsequently register new cloud resources with the same names as the abandoned endpoints, successfully redirecting traffic from the original subdomains to their infrastructure.

This strategy has allowed them to take control of numerous domains and repurpose them for malicious activities. The hijacked subdomains conceal scam content, host misleading materials, or function as redirection hubs within larger scam operations.

Hazy Hawk utilises credible domains to deceive targets.

These well-known and trusted domains lend credibility to malicious URLs, making users more likely to interact with the content without suspicion. Once a subdomain is secured, Hazy Hawk creates hundreds of malicious URLs beneath it.

These URLs capitalise on the high trust associated with their parent domains, making them seem legitimate in search engine results.

When victims click on these links, they are redirected through multiple layers of a traffic distribution system (TDS) infrastructure, which profiles them based on device type, IP address, VPN usage, and other characteristics.

According to researchers, attacker-controlled sites are frequently used for scams related to tech support, counterfeit antivirus alerts, misleading streaming or adult content, and phishing pages.

Users who agree to browser push notifications from these sites often receive continuous scam alerts, even after abandoning the malicious pages. This strategy fosters ongoing engagement and can generate significant revenue for the threat actor.

Misusing CNAME records remains discreet yet effective because such misconfigurations are easily overlooked. As more threat actors recognise this weakness, the frequency of these attacks is anticipated to increase.

In this particular activity, the campaign’s effectiveness is mainly attributed to organisations’ failure to remove stale DNS records when decommissioning cloud services.

This oversight allows attackers to imitate legitimate cloud resources without requiring authentication.
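The dangling-CNAME condition described in the scanning steps above and in this paragraph can be checked from the defender's side: walk the zone's CNAME records and flag any whose target returns NXDOMAIN, since that is the record an attacker can reclaim by recreating the endpoint name at the provider. The script below is an added example, not code from the original article or from the researchers; the zone entries, host names and resolver answers are constructed stand-ins so it runs offline, and live_resolve is the optional real lookup.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone data (hypothetical names, not real records):
# subdomain -> CNAME target, or None when the name has no CNAME.
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "app.example.org": "app-prod.cloudhost.example",
    "old-portal.example.org": "legacy-portal.cloudhost.example",
    "www.example.org": None,
}

# Constructed resolver answers for the targets above:
# name -> addresses, or None to stand in for an NXDOMAIN reply.
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "app-prod.cloudhost.example": ["198.51.100.10"],
    "legacy-portal.cloudhost.example": None,
}

def sample_resolve(name: str) -> Optional[List[str]]:
    """Offline stand-in for a resolver: None means the name does not exist."""
    return SAMPLE_ANSWERS.get(name)

def live_resolve(name: str) -> Optional[List[str]]:
    """Real lookup via the system resolver; None when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return None

def find_dangling_cnames(
    cnames: Dict[str, Optional[str]],
    resolve: Callable[[str], Optional[List[str]]],
) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME target no longer resolves.

    A CNAME whose target answers NXDOMAIN is the stale record the article
    describes: the cloud endpoint was decommissioned but the DNS entry was
    left behind, so whoever recreates that endpoint name at the provider
    receives the subdomain's traffic.
    """
    dangling: List[Tuple[str, str]] = []
    for subdomain, target in cnames.items():
        if target is None:
            continue  # A/AAAA record, not a CNAME: out of scope for this check
        if resolve(target) is None:
            dangling.append((subdomain, target))
    return dangling

if __name__ == "__main__":
    for sub, tgt in find_dangling_cnames(SAMPLE_CNAMES, sample_resolve):
        print(f"DANGLING: {sub} -> {tgt} (target returns NXDOMAIN)")
```

A target that still resolves is not proof the record is safe: if the service behind it has been decommissioned but the provider's shared hostname remains, the record should still be reviewed and removed. Run with live_resolve against an export of your own zones to get a list of records to delete.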
