
Hazy Hawk Exploits Old DNS Records to Hijack Trusted Sites

Ophtek | Jun 24, 2025


A cybercriminal group known as Hazy Hawk is hijacking unused cloud DNS records to redirect users to harmful scams and malware.

Hazy Hawk – a new name in the world of cybercrime – is a sophisticated threat actor exploiting misconfigured Domain Name System (DNS) records left behind in cloud services like Amazon S3 and Microsoft Azure. The cloud resources these records once pointed to have been abandoned by their original owners, but the DNS entries themselves remain live, so they can still steer users from trusted subdomains to malicious websites. For Hazy Hawk, this has presented an attractive opportunity to start generating headlines and causing digital damage.

Ophtek is well aware of the importance of online activity in modern business, so we’re going to place this attack under our microscope and share some insights to keep you safe.

Exploiting Abandoned DNS Records

When organizations discontinue cloud services but fail to remove the associated DNS records, those records are left dangling: they still point at a cloud hostname that nobody owns any more. Hazy Hawk starts their attack by scanning for these abandoned DNS entries, particularly CNAME records which direct traffic towards decommissioned cloud resources. Once such an entry is identified, Hazy Hawk registers a new cloud resource under the same name the record points to, so the organization’s own DNS now delivers its subdomain to the attacker, effectively hijacking it.
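The defensive counterpart to that scan is to audit your own zone for CNAME records whose targets no longer exist. The script below is an added example, not Ophtek’s code or tooling: it walks a zone export, picks out CNAME records, and classifies each target as live, dangling, or needing a follow-up check. The cloud suffix lists and the assumption that some providers return NXDOMAIN for a deleted resource while S3 bucket hostnames always resolve are illustrative assumptions, as is the constructed sample zone; `live_resolves()` is the stdlib resolver you would plug in for a real run.

```python
"""Dangling-CNAME audit for a DNS zone (added example, not Ophtek's code).

The sample zone and the resolver stand-in are constructed so the check runs
offline; pass live_resolves as the resolver for a real audit.
"""
import socket
from dataclasses import dataclass

# Cloud hostname suffixes that a third party can claim again once the
# original resource is deleted. Assumption: illustrative list, extend per
# provider. For these, a deleted resource shows up as a name that no
# longer resolves.
NXDOMAIN_ON_DELETE = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)
# Assumption about S3 endpoint behaviour: bucket hostnames resolve even when
# no such bucket exists, so DNS alone cannot clear them; they need an HTTP
# check for a "NoSuchBucket" response instead.
WILDCARD_DNS = (".s3.amazonaws.com",)


@dataclass
class Finding:
    name: str
    target: str
    status: str  # "ok", "dangling-cloud", "unresolvable", "check-bucket"


def classify(target: str, resolves) -> str:
    """Decide whether one CNAME target is safe, dangling, or needs follow-up."""
    if target.endswith(WILDCARD_DNS):
        return "check-bucket"      # DNS answer proves nothing here
    if resolves(target):
        return "ok"
    if target.endswith(NXDOMAIN_ON_DELETE):
        return "dangling-cloud"    # re-claimable by anyone: fix first
    return "unresolvable"          # stale, but not a known cloud target


def find_dangling_cnames(zone_records, resolves):
    """zone_records: iterable of (owner, rtype, rdata) as in a zone export.
    resolves: callable(hostname) -> bool, True if the name has an address."""
    findings = []
    for owner, rtype, rdata in zone_records:
        if rtype.upper() != "CNAME":
            continue
        target = rdata.rstrip(".").lower()
        findings.append(Finding(owner, target, classify(target, resolves)))
    return findings


def live_resolves(hostname: str) -> bool:
    """Real resolver for production use: True if the name has an A/AAAA answer."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


# Constructed sample zone export (owner, type, rdata).
SAMPLE_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("reports.example.com.", "CNAME", "old-reports-bucket.s3.amazonaws.com."),
    ("portal.example.com.", "CNAME", "legacy-portal.azurewebsites.net."),
    ("docs.example.com.", "CNAME", "docs-live.example.net."),
    ("blog.example.com.", "CNAME", "active-blog.azurewebsites.net."),
]

# Constructed stand-in for the resolver: only these targets still answer.
STILL_LIVE = {"docs-live.example.net", "active-blog.azurewebsites.net"}


def fake_resolves(hostname: str) -> bool:
    return hostname in STILL_LIVE


def audit(zone=SAMPLE_ZONE, resolves=fake_resolves):
    """Return only the records that need attention, as {owner: status}."""
    return {f.name: f.status
            for f in find_dangling_cnames(zone, resolves) if f.status != "ok"}


if __name__ == "__main__":
    for owner, status in audit().items():
        print(f"{status:15} {owner}")
```

Run it against a zone export whenever a cloud resource is decommissioned, not just once: the record that was fine at audit time is the one that goes dangling the day the bucket or web app is deleted. Anything reported as `dangling-cloud` should be deleted from the zone (or the resource re-claimed by you) before anything else.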

Once in control of the subdomain, Hazy Hawk uploads malicious content to it. One of the main problems facing unsuspecting users is that these malicious sites still appear legitimate because of their association with reputable organizations. Victims are lured to these sites through various deceptive means, with fake advertisements and push notifications proving popular methods of delivering the malicious payloads.

Notably, Hazy Hawk has targeted subdomains of high-profile entities such as the U.S. Centers for Disease Control and Prevention (CDC), Deloitte, and the University of California, Berkeley. These subdomains not only receive high volumes of traffic, but they’re also highly trusted. Hazy Hawk employs layered defenses to protect their operations, including hijacking reputable domains, using deceptively similar URLs, and redirecting traffic through multiple domains to cover their tracks.

At the heart of the attack, there appears to be a financial motive, with major financial losses already reported. The elderly, in particular, seem to be frequently targeted, with many online users reporting significant losses once caught out by the scam.

How Can You Protect Your Organization?


To defend your business against DNS hijacking and to protect your employees from falling victim to Hazy Hawk, make sure you implement these best security practices:

For more ways to secure and optimize your business technology, contact your local IT professionals.