Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Hazy Hawk Gang Exploits DNS Misconfigurations to Hijack Trusted Domains



In a brazen attack, the Hazy Hawk gang has hijacked multiple high-profile domains, including government institutions, universities, Fortune 500 companies, and well-known nonprofit organizations. By exploiting DNS misconfigurations, these threat actors have created a sophisticated redirection system to trick users into allowing malicious browser push notifications. This article delves into the details of this attack and offers insights on how organizations can protect themselves from such threats.

  • Hazy Hawk threat actor exploits DNS misconfigurations to hijack trusted domains across various industries.
  • The gang scans for domains with CNAME records that still point to cloud resources the owner has since deleted; such a "dangling" CNAME hands control of the subdomain to whoever next claims that cloud name.
  • The threat actors register a new cloud resource under the same name the abandoned CNAME record points to, so the victim's subdomain resolves to attacker-controlled content; repeating this across many organizations yields a large inventory of hijacked subdomains.
  • The Hazy Hawk gang has compromised subdomains of high-profile organizations, including government institutions, universities, and well-known companies.
  • Threat actors generate hundreds of malicious URLs that appear legitimate because they inherit the parent domain's reputation.
  • Victims are tricked into allowing browser push notifications, which keep delivering scam content after they leave the site and generate significant revenue for the operators.



  • Hazy Hawk, a notorious threat actor, has been exploiting DNS misconfigurations to hijack trusted domains across various industries. According to Infoblox researchers, the gang's tactics, techniques, and procedures (TTPs) involve scanning for domains with CNAME records pointing to abandoned cloud services. Because the CNAME delegates the subdomain's resolution to the cloud endpoint, whoever controls that endpoint controls what the subdomain serves, and an abandoned endpoint is there for the taking.

    The Hazy Hawk gang's modus operandi rests on how easily DNS records are forgotten: when a team decommissions a cloud resource but leaves the CNAME record that pointed at it, the record dangles and is prone to stealthy abuse. To capitalize on this, the threat actors first scan for domains with CNAME records pointing to abandoned cloud endpoints. Once they identify such a domain, they register a new cloud resource at the same provider under the exact name the CNAME record points to, and the victim's subdomain immediately resolves to infrastructure the attackers control.

    Repeating this technique across many organizations gives the threat actors a large stock of hijacked subdomains, which they use to cloak malicious activity, host scam content, or serve as redirection hubs for scam operations. The gang has successfully compromised subdomains of various high-profile organizations, including government institutions, universities, Fortune 500 companies, and well-known nonprofit organizations.

    For instance, the Centers for Disease Control and Prevention (CDC), Honeywell International, the University of California, Berkeley, Michelin UK, and several prominent consulting firms have been targeted by the Hazy Hawk gang. Furthermore, subdomains belonging to TED Talks, the Australian Department of Health, the United Nations Children's Fund (UNICEF), New York University, Unilever, the California State Government, and others have also fallen victim to this DNS misconfiguration exploit.

    Upon gaining control of a compromised subdomain, the threat actors generate hundreds of malicious URLs that appear legitimate due to the parent domain's high trust score. These malicious URLs redirect users through layers of domains and traffic distribution systems (TDS) infrastructure designed to profile victims based on their device type, IP address, VPN use, etc.

    This sophisticated redirection system makes it extremely difficult for users to determine where they are being redirected to. The threat actors exploit this to trick victims into allowing browser push notifications that persist even after the user leaves the scam site. This tactic enables the Hazy Hawk gang to generate significant revenue from their malicious operations.

    The Infoblox report detailing the Hazy Hawk gang's activities highlights the importance of maintaining DNS records and removing the CNAME record whenever the cloud resource it points to is decommissioned. It also underscores the need for organizations to be vigilant in monitoring their online presence and taking proactive measures to prevent such attacks.

    In a related development, another threat actor known as Savvy Seahorse was previously reported to have abused CNAME records in an atypical manner, using them as the backbone of its own traffic distribution system rather than hijacking other organizations' records. Both Hazy Hawk and Savvy Seahorse exemplify how threat actors are increasingly turning to DNS to gain access to, or reputation from, critical online resources.

    The rise of these types of attacks highlights the evolving nature of cybersecurity threats, where threat actors continually adapt their tactics to exploit new vulnerabilities and evade detection methods.

    In response to these growing concerns, it is crucial for organizations to stay informed about the latest cyber threats and take proactive steps to protect themselves. Regularly auditing DNS records for CNAMEs whose targets no longer exist, decommissioning cloud resources and the DNS records that point to them together, and monitoring the organization's online presence can significantly reduce the risk of being targeted by such malicious actors.
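    The audit recommended above can be automated. The script below is an added example written for this page, not tooling from Infoblox or from the Hazy Hawk operators: it walks a zone's CNAME records, keeps only those whose target sits in a cloud namespace where any customer can claim a name, and flags the ones whose target no longer resolves, which is exactly the condition the gang scans for. The zone records, the resolver state and the list of claimable suffixes are constructed for illustration; `example.org` is a placeholder, and the default resolver uses `socket.getaddrinfo` when you point it at real records.

```python
"""Dangling-CNAME finder (added example; not Infoblox's or Hazy Hawk's code).

Hazy Hawk's precondition is a CNAME whose target is a cloud resource the
owner deleted.  This audit reproduces that check from the defender's side.
"""
import socket
from typing import Callable, List, Tuple

# Illustrative cloud namespaces where a customer can register an arbitrary
# name on demand.  Assumption: this list is an example; tailor it to the
# providers your organization actually uses.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
    ".herokuapp.com",
    ".github.io",
)


def is_claimable_target(target: str) -> bool:
    """True if the CNAME target lives under a namespace anyone can claim."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in CLAIMABLE_SUFFIXES)


def default_resolve(name: str) -> bool:
    """Live DNS check: True if the name resolves to at least one address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(
    records: List[Tuple[str, str]],
    resolve: Callable[[str], bool] = default_resolve,
) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs whose claimable target no longer resolves.

    records: (owner, target) CNAME pairs, with or without trailing dots.
    resolve: predicate reporting whether a hostname currently resolves;
             injected so the audit can run offline against known state.
    """
    dangling = []
    for owner, target in records:
        if not is_claimable_target(target):
            continue  # target is not in a namespace a hijacker could claim
        if not resolve(target.rstrip(".")):
            dangling.append((owner.rstrip("."), target.rstrip(".")))
    return dangling


# Constructed sample zone (placeholder names, not any real organization's DNS).
SAMPLE_RECORDS = [
    ("events.example.org.", "example-events.azurewebsites.net."),  # app deleted
    ("www.example.org.", "example-org.cdn.example.net."),          # non-cloud target
    ("files.example.org.", "example-files.s3.amazonaws.com."),     # bucket still live
    ("beta.example.org.", "example-beta.herokuapp.com."),          # app deleted
]

# Constructed resolver state standing in for real DNS answers.
SAMPLE_LIVE = {"example-files.s3.amazonaws.com"}


def sample_resolve(name: str) -> bool:
    return name in SAMPLE_LIVE


def sample_report() -> List[Tuple[str, str]]:
    """Run the audit over the constructed zone with the constructed resolver."""
    return find_dangling_cnames(SAMPLE_RECORDS, sample_resolve)


if __name__ == "__main__":
    for owner, target in sample_report():
        print(f"DANGLING  {owner} -> {target}  (claimable by anyone at the provider)")
```

    One caveat for real use: for some services the shared provider hostname always resolves even when the specific resource is gone (an S3 bucket name under `s3.amazonaws.com` is the usual case), so NXDOMAIN alone under-reports. For those suffixes, follow the resolution check with an HTTP request to the target and treat the provider's "no such resource" response as dangling. Run the audit from the zone file or from your DNS provider's API export, and remove or repoint every flagged record before an attacker claims the name.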



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hazy-Hawk-Gang-Exploits-DNS-Misconfigurations-to-Hijack-Trusted-Domains-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-misconfigs-to-hijack-trusted-domains/

  • https://www.infoblox.com/threat-intel/threat-actors/savvy-seahorse/

  • https://cybersecuritynews.com/savvy-seahorse-hackers-dns/


  • Published: Tue May 20 11:22:55 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.
