Hazy Hawk is a sophisticated threat actor that hijacks abandoned cloud resources belonging to high-profile organizations by exploiting DNS misconfigurations, primarily dangling CNAME records. Their hijacked domains are used to host malicious URLs that redirect users to scams and malware through complex traffic distribution systems. #HazyHawk #DNSHijacking #CloudResourceHijacking #CDC #jsorg
Keypoints
- Hazy Hawk hijacks subdomains of reputable organizations such as CDC, universities, government entities, and large corporations by exploiting dangling DNS CNAME records linked to abandoned cloud resources.
- The actor uses hijacked domains to distribute thousands of malicious URLs that lead victims to scams, malware, and fake content, often cloaked behind traffic distribution systems (TDSs) and URL obfuscation.
- The hijacking requires technical sophistication, including access to commercial passive DNS services to identify complex DNS misconfigurations not visible through normal probing.
- Hazy Hawk disguises its operations by using legitimate website content clones or mimicking corporate websites, redirecting through multiple domains, including legitimate services like js[.]org.
- The threat actor incorporates browser push notifications to keep scams persistent, often targeting vulnerable populations such as the elderly, who suffer significant financial losses from these attacks.
- They exploit various cloud providers and services including Azure, Amazon S3, Akamai, Cloudflare, GitHub, and others to conduct their hijacks.
- Prevention involves diligent DNS management, removing obsolete DNS records, using protective DNS solutions, and educating users to deny push notification requests from unknown websites.
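As an added example that is not part of the original report, the check below implements the "remove obsolete DNS records" advice: it parses a BIND-style zone snippet, finds every CNAME, and flags targets that no longer resolve. The zone contents, the `example-corp`/`oldtestapp` names and the list of re-claimable hosting suffixes are constructed for this example; the resolver is injectable so the check can be run offline.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed zone snippet (illustrative owners and targets, not real records).
# "oldtestapp" models the forgotten test-app subdomain pattern the report describes.
SAMPLE_ZONE = """
www          IN CNAME  example-corp.edgekey.net.
oldtestapp   IN CNAME  oldtestapp-prod.azurewebsites.net.
legacy-files IN CNAME  legacy-files.s3.amazonaws.com.
mail         IN CNAME  mx.old-provider.example.
docs         IN A      192.0.2.10
"""

# Hosting suffixes where a deleted resource name can be registered again by
# any tenant (assumed, non-exhaustive list for this example).
CLAIMABLE_SUFFIXES = (
    "azurewebsites.net", "cloudapp.azure.com", "s3.amazonaws.com",
    "github.io", "trafficmanager.net", "blob.core.windows.net",
)

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)$", re.I)

def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for each CNAME record in a BIND-style zone."""
    records: Dict[str, str] = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            records[m.group(1).lower()] = m.group(2).rstrip(".").lower()
    return records

def live_resolver(name: str) -> bool:
    """True if the name resolves to at least one address (uses the network)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text: str,
                  resolves: Callable[[str], bool] = live_resolver) -> List[dict]:
    """Flag CNAMEs whose target does not resolve. A target on a re-claimable
    hosting suffix is rated high: anyone can create a resource with that name."""
    findings = []
    for owner, target in parse_cnames(zone_text).items():
        if resolves(target):
            continue
        claimable = any(target == s or target.endswith("." + s) for s in CLAIMABLE_SUFFIXES)
        findings.append({"owner": owner, "target": target,
                         "severity": "high" if claimable else "medium"})
    return findings
```

Run it against a real zone export with the default resolver and review every "high" finding; the fix is to delete the record or recreate the resource under the original name.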
MITRE Techniques
- [T1090] Proxy Execution – Hazy Hawk uses redirection through multiple domains including legitimate services to obfuscate traffic and evade detection (“URLs typically redirect visitors through a second set of domains before entering a TDS”).
- [T1566] Phishing – The actor distributes URLs that lure victims with fake content like pornography and pirated videos to scam landing pages (“Hazy Hawk lures their victims with the promise of an enticing video… leading to scam content”).
- [T1584] Compromise Infrastructure – Hazy Hawk hijacks cloud resources by exploiting dangling DNS CNAME records pointing to abandoned cloud services (“Hijacking was as easy as creating an Azure account and a site with the same name”).
- [T1595] Active Scanning – The actor likely uses extensive passive DNS data and manual validation to identify vulnerable cloud resources and DNS misconfigurations (“requires extensive passive DNS access and ingenuity”).
- [T1204] User Execution – Victims are tricked into accepting browser push notifications that lead to persistent malicious ads and scams (“push notifications often trick victims… providing persistence mechanism”).
Indicators of Compromise
- [Domains] Hijacked reputable domains – cdc[.]gov, berkeley[.]edu, honeywell[.]com, alabama[.]gov, deloitte[.]com, ey[.]com and many more listed in Table 1.
- [Subdomains] Hijacked subdomains on legitimate domains exploited for malicious hosting – ahbazuretestapp[.]cdc[.]gov, agri-offers[.]michelin[.]co[.]uk, share[.]js[.]org, chesta-korci-bro[.]blogspot[.]com.
- [Malicious landing domains] Scam and fraud sites – clean-out[.]xyz, turbo-vpn-app[.]com, impliednauseous[.]xyz, viralclipnow[.]xyz, accelerate-tomb[.]xyz.
- [Traffic Distribution Systems domains] Domains used for routing traffic – Dankdigs[.]com, Hotnewrumor[.]com, Encryptalert[.]com, ferma[.]co[.]in.
- [Push notification request domains] Domains requesting browser push permissions – Ferigs[.]xyz, Apperetive[.]xyz, Edygik[.]org.