
'Hazy Hawk' affecting major domains – Do you know the risks?

A sophisticated threat actor, dubbed Hazy Hawk, has been identified exploiting a critical weakness: DNS records at prominent organisations that still point at cloud resources those organisations have since abandoned. By leveraging these misconfigurations in Domain Name System (DNS) records, particularly ones pointing at Amazon S3 buckets and Microsoft Azure endpoints, Hazy Hawk hijacks the associated domains. The modus operandi of Hazy Hawk is then to repurpose these compromised, high-credibility domains to host malicious URLs, funneling unsuspecting users towards various scams and malware through traffic distribution systems (TDSes). Beyond the well-known cloud providers, Hazy Hawk's reach extends to resources hosted on Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify, showcasing a wide-ranging and opportunistic attack methodology.


Hazy Hawk

Infoblox, a leading DNS threat intelligence firm, first shed light on Hazy Hawk's activities after detecting their control over several sub-domains linked to the U.S. Center for Disease Control (CDC) in February 2024. Subsequent investigations revealed a far broader scope of victimisation. Since at least December 2023, numerous government agencies globally, alongside esteemed universities and major international corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young, have fallen prey to this actor. This widespread impact highlights a significant oversight in resource management across diverse sectors, where abandoned digital assets become fertile ground for malicious exploitation.


What truly distinguishes Hazy Hawk from other cyber threats is their unconventional target: instead of pursuing espionage or traditional "highbrow" cybercrime, they leverage these hard-to-discover, vulnerable domains for the shadowy world of adtech. These hijacked domains are used to direct victims into a labyrinth of scams and fake applications, often employing persistent browser notifications to trigger processes with lingering malicious impacts. This approach allows Hazy Hawk to capitalise on the inherent trust associated with legitimate organisations, making their malicious content appear more credible and significantly boosting its visibility in search engine results. This deceptive strategy poses a substantial challenge for traditional security defenses.


The technical underpinning of Hazy Hawk’s operations lies in seizing control of abandoned subdomains whose DNS CNAME records still point at a resource that no longer exists (dangling CNAME records). This technique, previously exposed by Guardio in early 2024 as a method for spam proliferation and click monetisation, requires only registering the missing resource under the same name to hijack the domain. Hazy Hawk takes this a step further by actively discovering and commandeering abandoned cloud resources. In some instances, the threat actor employs URL redirection techniques to obscure the actual hijacked cloud resource, making attribution and mitigation even more complex. This approach demonstrates a deep understanding of cloud infrastructure and DNS intricacies.


The attack chains employed by Hazy Hawk are often multi-faceted, beginning with the cloning of legitimate site content to host on the hijacked domains. Victims are then lured to these sites, frequently by content related to pornography or pirated material, acting as initial bait. Once engaged, site visitors are funneled through a TDS, which acts as a sophisticated traffic director, determining their next destination based on various factors. Hazy Hawk is one of dozens of threat actors operating within the advertising affiliate world, where actors are incentivized to drive users towards tailored malicious content. A particularly insidious tactic involves prompting users to allow push notifications, which then flood a victim's device with an endless torrent of malicious content, each notification leading to different scams, scareware, or fake surveys, and invariably requesting further notification permissions, perpetuating the cycle.


To fortify defenses against the pervasive activities of Hazy Hawk, organisations are urged to implement rigorous digital asset management protocols. This critically includes the immediate removal of DNS CNAME records as soon as a corresponding cloud resource is decommissioned. For end-users, vigilance is paramount; it is strongly advised to deny all notification requests from unfamiliar or suspicious websites. The persistent efforts by operators like Hazy Hawk to locate and exploit vulnerable domains for scam operations underscore the significant financial incentives within these advertising affiliate programs, making robust preventative measures and user education more crucial than ever in safeguarding against this evolving threat landscape.
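The dangling-CNAME condition described above, and the clean-up the previous paragraph recommends, can be checked mechanically: follow every CNAME chain in a zone and flag targets that no longer exist, with special attention to cloud hostnames a third party could register. The script below is an added example written for this page; it is not tooling from Infoblox, Guardio or any organisation named above. It assumes a constructed DNS snapshot (no real organisation's records) and an illustrative, deliberately partial list of claimable cloud suffixes; in production the `lookup` callable would wrap a real resolver (for example dnspython) and the suffix list would be maintained from the cloud providers actually in use.

```python
"""Dangling-CNAME audit: follow each CNAME chain in a zone and flag targets
that no longer resolve, distinguishing targets under cloud suffixes that anyone
could re-register.  Added example; not Infoblox's or Guardio's tooling."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative (partial) list of cloud hostname suffixes that are released when
# the underlying resource is deleted.  Assumption for this example, not an
# authoritative list; maintain it from the providers your organisation uses.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com",      # Amazon S3 bucket endpoints
    ".azurewebsites.net",     # Azure App Service
    ".cloudapp.azure.com",    # Azure classic cloud services
    ".trafficmanager.net",    # Azure Traffic Manager
    ".github.io",             # GitHub Pages
    ".netlify.app",           # Netlify
    ".b-cdn.net",             # Bunny CDN
    ".edgekey.net",           # Akamai
)

# A lookup returns the record set for a name ({"CNAME": [...]} or {"A": [...]})
# or None when the name does not exist (NXDOMAIN).  Production code would wrap
# a real resolver here; this example uses a constructed in-memory snapshot.
Lookup = Callable[[str], Optional[dict]]


@dataclass
class Finding:
    owner: str                 # the name in our own zone
    target: str                # final name reached in the CNAME chain
    status: str                # "ok", "dangling", "claimable" or "loop"
    chain: list = field(default_factory=list)


def audit_cname(owner: str, lookup: Lookup, max_hops: int = 8) -> Finding:
    """Follow the CNAME chain from `owner` and classify where it ends."""
    name = owner.rstrip(".").lower()
    chain, seen = [name], {name}
    for _ in range(max_hops):
        records = lookup(name)
        if records is None:
            # The target no longer exists: the CNAME is dangling.  If it sits
            # under a claimable cloud suffix, a takeover is plausible.
            status = "claimable" if name.endswith(CLAIMABLE_SUFFIXES) else "dangling"
            return Finding(owner, name, status, chain)
        cname = records.get("CNAME")
        if not cname:
            return Finding(owner, name, "ok", chain)  # ends at address records
        name = cname[0].rstrip(".").lower()
        if name in seen:
            return Finding(owner, name, "loop", chain)
        seen.add(name)
        chain.append(name)
    return Finding(owner, name, "loop", chain)  # chain too long to be healthy


# Constructed DNS snapshot for the example (no real organisation's records).
DNS_SNAPSHOT = {
    "reports.example.org": {"CNAME": ["old-reports-site.s3.amazonaws.com."]},
    "app.example.org": {"CNAME": ["example-app.azurewebsites.net."]},
    "example-app.azurewebsites.net": {"A": ["203.0.113.10"]},  # still live
    "www.example.org": {"CNAME": ["cdn.example.org."]},
    "cdn.example.org": {"CNAME": ["www.example.org."]},        # misconfigured loop
    "legacy.example.org": {"CNAME": ["host.retired-vendor.example."]},
}


def snapshot_lookup(name: str) -> Optional[dict]:
    return DNS_SNAPSHOT.get(name.rstrip(".").lower())


def audit_zone(owners, lookup: Lookup = snapshot_lookup) -> list:
    """Audit every owner name; 'claimable' findings need the CNAME removed first."""
    return [audit_cname(owner, lookup) for owner in owners]


if __name__ == "__main__":
    owners = ["reports.example.org", "app.example.org",
              "www.example.org", "legacy.example.org"]
    for f in audit_zone(owners):
        print(f"{f.status:10} {f.owner} -> {' -> '.join(f.chain[1:]) or '(address)'}")
```

A `claimable` finding is the case this page describes: the owner name still carries the organisation's reputation, but the cloud name it points to is free for anyone to register, so the CNAME should be deleted before anything else. A plain `dangling` result is a broken record that still merits clean-up, and `loop` catches the self-referencing misconfiguration that resolvers reject.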

 
 
 
