
Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor

Medium
Published: Wed May 21 2025 (05/21/2025, 16:09:09 UTC)
Source: AlienVault OTX General

Description

Hazy Hawk, a sophisticated threat actor, exploits abandoned cloud resources of high-profile organizations through DNS hijacking. By identifying and taking over dangling CNAME records pointing to unused cloud services, they create malicious URLs on reputable domains. These URLs lead users to scams and malware via traffic distribution systems. Hazy Hawk employs layered defenses, including domain obfuscation and content theft from legitimate websites, to avoid detection. They also leverage push notifications to maintain persistent access to victims. The attacks have impacted government agencies, universities, and major corporations worldwide since at least December 2023. This campaign highlights the importance of proper DNS management and the growing sophistication of cybercriminals in the affiliate marketing space.

AI-Powered Analysis

Last updated: 06/21/2025, 14:06:38 UTC

Technical Analysis

The threat campaign titled "Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor" involves a sophisticated adversary known as Hazy Hawk exploiting abandoned cloud resources via DNS hijacking. Specifically, the attacker identifies dangling CNAME DNS records that point to unused or decommissioned cloud services owned by high-profile organizations. By taking control of these orphaned DNS entries, Hazy Hawk can create malicious URLs under legitimate, reputable domains. These URLs are then used to redirect unsuspecting users to scam sites or malware distribution platforms through traffic distribution systems (TDS). The actor employs multiple evasion techniques including domain obfuscation and content theft from legitimate websites to blend malicious content seamlessly, thereby avoiding detection by security tools and users alike. Additionally, Hazy Hawk leverages push notifications to maintain persistent engagement and access to victims, increasing the likelihood of successful exploitation. The campaign has been active since at least December 2023 and has targeted government agencies, universities, and major corporations globally. The attack chain involves exploitation of cloud misconfigurations, DNS hijacking (T1583), exploitation of public-facing applications (T1190), use of traffic distribution systems (T1584), and social engineering tactics such as malicious push notifications (T1608) and user interaction (T1204, T1566). This campaign underscores the critical importance of diligent DNS record management and cloud resource lifecycle governance to prevent attackers from leveraging forgotten infrastructure for malicious purposes.

Potential Impact

For European organizations, the impact of this threat can be significant. By hijacking DNS records linked to legitimate domains, attackers can undermine user trust, damage brand reputation, and facilitate large-scale phishing or malware campaigns. Government agencies and universities, which often maintain extensive cloud infrastructure and public-facing services, are particularly vulnerable to such attacks. The use of reputable domains for malicious URLs can bypass traditional email and web filtering solutions, increasing the risk of credential theft, data compromise, and malware infections. Persistent push notification abuse can lead to ongoing user exploitation and potential lateral movement within networks. The campaign’s ability to blend malicious content with legitimate site elements complicates detection and response efforts. Additionally, the exploitation of cloud resources and DNS misconfigurations may expose sensitive internal systems or data, potentially leading to confidentiality breaches and operational disruptions. Given the strategic importance of European governmental and academic institutions, successful exploitation could also have broader implications for national security and critical infrastructure protection.

Mitigation Recommendations

European organizations should implement targeted measures beyond generic best practices to mitigate this threat effectively:

1) Conduct comprehensive DNS audits to identify and remediate dangling or orphaned CNAME records, ensuring that all DNS entries point to active and authorized cloud resources.
2) Implement automated monitoring tools that detect changes or anomalies in DNS records, especially those pointing to cloud services, to quickly identify potential hijacking attempts.
3) Enforce strict cloud resource lifecycle management policies, including timely decommissioning and cleanup of unused cloud assets to prevent dangling references.
4) Utilize DNS security extensions (DNSSEC) to add cryptographic validation of DNS responses, reducing the risk of DNS hijacking.
5) Deploy web application firewalls (WAF) and advanced threat detection systems capable of identifying domain obfuscation and content spoofing techniques.
6) Educate users about the risks of push notifications from untrusted sources and implement controls to restrict or monitor push notification permissions on corporate devices.
7) Collaborate with cloud service providers to gain visibility into resource usage and to enforce security best practices.
8) Establish incident response playbooks specifically addressing DNS hijacking and cloud resource exploitation scenarios to enable rapid containment and remediation.
9) Regularly review and update affiliate marketing and third-party integrations to ensure they do not inadvertently expose organizations to malicious traffic distribution systems.
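One way to implement the DNS audit in recommendation 1, as an added example that is not part of the OTX pulse or the Infoblox report: a Python pass over a zone's CNAME records that flags targets which no longer resolve, with a separate marker for targets under hosted-service suffixes whose names a new tenant could register. The suffix list, the sample zone records and the stub resolver are assumptions constructed for the demo; the live `resolves()` helper uses the standard library only.

```python
import socket

# Hosted-service suffixes where a deleted resource name can be registered by a
# new tenant. Assumed, illustrative list; extend it with the providers you use.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                      ".trafficmanager.net", ".s3.amazonaws.com", ".cloudfront.net")

def resolves(name):
    """Live resolver: True if the name has at least one A/AAAA answer."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records, resolver=resolves):
    """Classify each (owner, target) CNAME pair; returns (owner, target, status).
    ok: target resolves. dangling-claimable: target does not resolve and sits
    under a hosted-service suffix, so a third party may be able to register it.
    dangling: target does not resolve, no known hosted-service suffix.
    A non-resolving target is one signal, not proof: some providers answer for
    every hostname, so also confirm out of band that the resource is still yours.
    """
    findings = []
    for owner, target in records:
        target = target.rstrip(".").lower()
        if resolver(target):
            status = "ok"
        elif target.endswith(CLAIMABLE_SUFFIXES):
            status = "dangling-claimable"
        else:
            status = "dangling"
        findings.append((owner, target, status))
    return findings

# Constructed zone excerpt plus a stub resolver so the demo runs offline.
SAMPLE_RECORDS = [
    ("www.example.org", "example-org-prod.azurewebsites.net."),
    ("old-portal.example.org", "retired-portal.azurewebsites.net."),
    ("media.example.org", "d111111abcdef8.cloudfront.net."),
    ("legacy.example.org", "box7.intranet.example.org."),
]
LIVE_NAMES = {"example-org-prod.azurewebsites.net"}

def demo():
    return audit_cnames(SAMPLE_RECORDS, resolver=lambda n: n in LIVE_NAMES)

if __name__ == "__main__":
    for owner, target, status in demo():
        print(f"{status:<19} {owner} -> {target}")
```

Feed it the CNAME pairs from a zone export and the default resolver; anything reported as dangling-claimable should be deleted or re-pointed before the name is gone from your control.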


Technical Details

Author
AlienVault
Tlp
white
References
https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor
Adversary
Hazy Hawk
Pulse Id
682dfaa58970ca31e76fddb5

Indicators of Compromise


Threat ID: 682e0bf6c4522896dcc435d2

Added to database: 5/21/2025, 5:23:02 PM

Last enriched: 6/21/2025, 2:06:38 PM

Last updated: 8/5/2025, 5:16:57 PM

