A threat actor tracked by Infoblox as Hazy Hawk has been exploiting misconfigured Domain Name System (DNS) records to hijack subdomains belonging to prominent organizations, including the U.S. Centers for Disease Control and Prevention (CDC), Deloitte, PricewaterhouseCoopers, and Ernst & Young. Once in control of a subdomain, Hazy Hawk uses it to redirect unsuspecting visitors, via traffic distribution systems (TDS), to sites that push malware and scams.
Understanding the Attack Mechanism
Hazy Hawk’s operations center on abandoned cloud resources that DNS records still point to. When an organization decommissions a cloud-hosted service (a storage bucket, a web app, a CDN endpoint) but leaves the CNAME record that aliased one of its subdomains to that provider hostname, the record is left dangling: the subdomain resolves to a name that nobody owns any more. Hazy Hawk creates a new resource at the same provider under that released hostname, and from then on the organization’s own DNS record delivers visitors to attacker-controlled infrastructure. This is the dangling DNS CNAME takeover: the attacker never touches the victim’s DNS zone or servers, and the hijacked name still sits under a legitimate, reputable domain.
Once in control, Hazy Hawk clones legitimate website content to create convincing replicas. Visitors to the hijacked subdomains are then funneled through TDS platforms, which profile each visitor (location, device type, browser and similar attributes) to decide which payload to serve. This content ranges from phishing pages and fake surveys to malware-laden downloads. Because the hijacked names inherit the parent domain’s reputation, URL filters and users alike are far less likely to treat them as suspicious.
Notable Targets and Impact
Since at least December 2023, Hazy Hawk has targeted a diverse array of entities, including government agencies, universities, and multinational corporations. Hijacking subdomains of reputable organizations lends credibility to the malicious sites, increasing the likelihood that users engage with them and are subsequently compromised.
The implications of such attacks are multifaceted:
– Reputational Damage: Organizations whose domains are hijacked may suffer significant harm to their reputation, as users associate them with malicious activities.
– Financial Losses: Victims redirected to fraudulent sites may fall prey to scams, leading to financial exploitation.
– Data Breaches: Malware distributed through these channels can facilitate unauthorized access to sensitive information.
Technical Insights
Hazy Hawk’s methodology involves several key steps:
1. Identification of Vulnerable DNS Records: The actor looks for CNAME records whose target hostnames belong to cloud and CDN platforms such as Amazon S3, Microsoft Azure, Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify but no longer correspond to a live resource, typically because the target returns NXDOMAIN or, for providers whose shared endpoint always resolves, answers with the provider’s “resource not found” page.
2. Registration of Abandoned Resources: Upon identifying a dangling record, Hazy Hawk creates a new resource at the provider under the released hostname, so the victim’s unchanged CNAME now resolves to infrastructure the actor controls.
3. Deployment of Malicious Content: The hijacked domain is used to host cloned versions of legitimate websites or other deceptive content designed to lure users.
4. Utilization of Traffic Distribution Systems: Visitors are redirected through TDS platforms that customize the malicious payload based on user attributes, enhancing the effectiveness of the attack.
Preventive Measures
Organizations can mitigate the risk of such attacks by implementing the following strategies:
– Regular DNS Audits: Periodically enumerate every CNAME (and ALIAS or NS) record that points at a third-party hostname, confirm that the target still resolves, and confirm that the resource behind it is still owned by the organization. A target that returns NXDOMAIN, or that serves a provider “not found” page, is a record to delete or repoint immediately.
– Prompt Decommissioning Procedures: Make DNS cleanup part of the decommissioning workflow, and get the order right: remove or repoint the DNS record first, then delete the cloud resource. Deleting the resource first opens a window in which the name is dangling and claimable.
– Enhanced Monitoring: Monitor for unauthorized changes to DNS records and for unusual traffic to rarely used subdomains. Certificate Transparency logs are also worth watching, since an attacker who takes over a subdomain will usually obtain a TLS certificate for it.
– Employee Training: Educate staff about the importance of DNS management and the potential risks associated with misconfigurations.
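The following Python script is an added example, not Infoblox’s research tooling or anything attributed to Hazy Hawk. It implements the check that both the actor’s first two steps and the DNS audit recommended above depend on: follow each CNAME chain in a zone, and flag chains that end at a third-party cloud or CDN hostname that no longer resolves, or that still resolves but answers with the provider’s “no such resource” page (the Amazon S3 case, where the shared endpoint resolves even when the bucket is gone). The resolver and HTTP probe are injected so the audit runs offline against constructed records; the provider suffix list and the HTTP signature strings are illustrative assumptions to be verified against each provider’s current behaviour.

```python
"""Dangling-CNAME audit (added example, not code from the page's sources).

The resolver and HTTP probe are injected so the audit runs offline against
constructed data; in production plug in real lookups, for example
dnspython's dns.resolver.resolve(name, "CNAME") and urllib.request.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Illustrative hostname suffixes for providers named in the article.
# ASSUMPTION: whether a released name is claimable depends on each provider's
# current rules, so a hit is a candidate to verify, not proof of takeover.
CLOUD_SUFFIXES: Dict[str, str] = {
    ".azurewebsites.net": "Microsoft Azure",
    ".cloudapp.azure.com": "Microsoft Azure",
    ".s3.amazonaws.com": "Amazon S3",
    ".github.io": "GitHub Pages",
    ".netlify.app": "Netlify",
    ".b-cdn.net": "Bunny CDN",
    ".edgekey.net": "Akamai",
}
# Providers whose shared endpoint keeps resolving after the customer resource is
# deleted: DNS alone proves nothing, so an HTTP probe for the provider's
# "not found" body is needed. ASSUMPTION: signatures checked against current responses.
HTTP_SIGNATURES: Dict[str, str] = {
    "Amazon S3": "NoSuchBucket",
    "GitHub Pages": "There isn't a GitHub Pages site here",
}
# A lookup returns (rtype, data): ("CNAME", target), ("A", [ips]),
# ("NXDOMAIN", None) or ("NODATA", None).
Lookup = Callable[[str], Tuple[str, object]]


@dataclass(frozen=True)
class Finding:
    name: str               # record in our zone
    target: str             # final hostname the CNAME chain ends at
    provider: Optional[str]
    reason: str


def provider_for(host: str) -> Optional[str]:
    """Map a hostname to a known cloud/CDN provider by suffix, or None."""
    h = host.lower().rstrip(".")
    for suffix, provider in CLOUD_SUFFIXES.items():
        if h.endswith(suffix):
            return provider
    return None


def follow_chain(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, str, int]:
    """Follow CNAMEs from name; return (final_name, final_rtype, hops).
    Chains longer than max_hops (including self-loops) come back as "LOOP"."""
    current, hops = name, 0
    while hops < max_hops:
        rtype, data = lookup(current)
        if rtype != "CNAME":
            return current, rtype, hops
        current, hops = str(data), hops + 1
    return current, "LOOP", hops


def audit_zone(names: Iterable[str], lookup: Lookup,
               http_probe: Optional[Callable[[str], Optional[str]]] = None) -> List[Finding]:
    """Return a Finding for every CNAME in names that looks dangling."""
    findings: List[Finding] = []
    for name in names:
        final, rtype, hops = follow_chain(name, lookup)
        if hops == 0:
            continue  # not a CNAME; this check only covers aliases to third parties
        provider = provider_for(final)
        if rtype in ("NXDOMAIN", "NODATA"):
            findings.append(Finding(name, final, provider, f"CNAME target returns {rtype}"))
        elif rtype == "LOOP":
            findings.append(Finding(name, final, provider, "CNAME chain loops or exceeds hop limit"))
        elif provider in HTTP_SIGNATURES and http_probe is not None:
            sig = HTTP_SIGNATURES[provider]
            if sig in (http_probe(final) or ""):
                findings.append(Finding(name, final, provider, f"target resolves but serves '{sig}'"))
    return findings


# Constructed zone, resolver answers and HTTP bodies for an offline run (not real records).
ZONE = ["www.example.org", "old-portal.example.org", "assets.example.org",
        "docs.example.org", "mail.example.org"]
DNS_FIXTURE: Dict[str, Tuple[str, object]] = {
    "www.example.org": ("CNAME", "corp-web.azurewebsites.net"),
    "corp-web.azurewebsites.net": ("A", ["203.0.113.10"]),     # still live: no finding
    "old-portal.example.org": ("CNAME", "portal2019.azurewebsites.net"),
    "portal2019.azurewebsites.net": ("NXDOMAIN", None),        # app deleted: claimable
    "assets.example.org": ("CNAME", "legacy-assets.s3.amazonaws.com"),
    "legacy-assets.s3.amazonaws.com": ("A", ["198.51.100.7"]),  # endpoint resolves, bucket gone
    "docs.example.org": ("CNAME", "docs.example.org"),         # misconfigured self-loop
    "mail.example.org": ("A", ["203.0.113.25"]),
}
HTTP_FIXTURE = {"legacy-assets.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>"}


def fixture_lookup(name: str) -> Tuple[str, object]:
    return DNS_FIXTURE.get(name, ("NXDOMAIN", None))


def fixture_probe(host: str) -> Optional[str]:
    return HTTP_FIXTURE.get(host)


if __name__ == "__main__":
    for f in audit_zone(ZONE, fixture_lookup, fixture_probe):
        print(f"{f.name} -> {f.target} [{f.provider or 'unknown provider'}]: {f.reason}")
```

Run against the constructed zone, the audit reports three records: old-portal.example.org (Azure target returns NXDOMAIN, the classic claimable case), assets.example.org (S3 endpoint resolves but answers NoSuchBucket, which a DNS-only audit would miss), and docs.example.org (a self-referencing loop, a plain misconfiguration rather than a takeover risk). Running without the HTTP probe drops the S3 finding, which is the point of injecting it: for providers with shared endpoints, the audit must go one layer past DNS.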
Conclusion
Hazy Hawk’s activity underscores that a DNS record outlives the service it was created for, and that a forgotten CNAME to a released cloud resource hands a subdomain of a trusted organization to whoever claims that resource next. Treating DNS cleanup as part of decommissioning, auditing third-party aliases regularly, and monitoring for unexpected changes are the controls that close this class of domain hijacking and protect both digital assets and reputation.