
Sub-domain hijacking through abandoned cloud resources, fueled by DNS amplification attacks, is becoming a significant problem for large enterprises, with the Hazy Hawk group linked to a rise in malware distribution campaigns.
The development of these attacks highlights the critical need to manage DNS records and cloud resources in order to prevent them, as well as other, broader DNS attack methods.
What Is Hazy Hawk?
Hazy Hawk is a sophisticated threat actor that exploits outdated and abandoned cloud resources such as Amazon S3 buckets and Microsoft Azure endpoints. By hijacking these forgotten resources, Hazy Hawk redirects traffic to malicious URLs that lure users into scams.
Hazy Hawk is also infamous for launching DNS DDoS attacks with floods of malicious traffic. Finding these exposed DNS records is even harder than finding traditional unregistered domains, especially now that cloud adoption has increased.
Unlike a typical DNS amplification attack, these attacks are usually difficult to detect and can result in massive online service disruption. Hazy Hawk’s reach extends to prestigious institutions, including the US Centers for Disease Control (CDC), government agencies, universities, and multinational corporations. Infoblox, a DNS threat intelligence firm, first spotted the group’s activity in December 2024 and has been tracking its impact since then.
“While operators like Hazy Hawk are responsible for the initial lure, the user who clicks is led into a labyrinth of sketchy and outright malicious AdTech. The fact that Hazy Hawk puts considerable effort into locating vulnerable domains and then using them for scam operations shows that these advertising affiliate programs are successful enough to pay well,” Infoblox said.
Hazy Hawk uses advanced tactics, acquiring subdomains of legitimate organizations by exploiting DNS misconfigurations in the cloud. The group passively monitors for exposed resources through DNS services and uses the compromised domains to scale its scam operations, which work differently from a DNS amplification attack.
These attacks, which hit millions of people globally, feed a multi-billion-dollar fraud economy that primarily targets the vulnerable elderly population. To prevent these attacks, as well as DNS amplification attacks, domain owners need to run regular audits of their DNS records and remove unneeded cloud resources.
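The audit recommended above can be partly automated: walk the zone's CNAME records, pick out those whose target is a cloud-provider hostname, and ask whether the resource behind that hostname still exists. The script below is an added illustration of that check and is not code from the article or from Infoblox. The zone export, the list of provider suffixes, and the stubbed existence check are all constructed assumptions; the suffix list covers a few Amazon S3 and Azure endpoint patterns and is not exhaustive.

```python
"""Audit a zone export for CNAME records that point at cloud hostnames whose
backing resource no longer exists (a "dangling" record).  Added example, not
the article's or Infoblox's code.  Provider suffixes are an assumed, partial list."""
import socket
from dataclasses import dataclass

# Constructed zone export in BIND presentation format for a fictional zone.
SAMPLE_ZONE = """\
; constructed sample data, not real records
www.example.com.      300 IN CNAME cdn-origin.example.net.
files.example.com.    300 IN CNAME old-assets.s3.amazonaws.com.
portal.example.com.   300 IN CNAME legacy-portal.azurewebsites.net.
api.example.com.      300 IN A     203.0.113.10
status.example.com.   300 IN CNAME status-prod.trafficmanager.net.
"""

# Assumed (non-exhaustive) hostname suffixes for S3 buckets and Azure endpoints.
CLOUD_SUFFIXES = {
    ".s3.amazonaws.com": "Amazon S3",
    ".azurewebsites.net": "Azure App Service",
    ".cloudapp.azure.com": "Azure public IP / VM",
    ".trafficmanager.net": "Azure Traffic Manager",
    ".blob.core.windows.net": "Azure Blob Storage",
}


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines; comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        name, rtype, rdata = parts[0], parts[3].upper(), parts[4]
        records.append(Record(name.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def cloud_provider(hostname):
    """Return the provider label if the hostname ends with a known cloud suffix."""
    for suffix, label in CLOUD_SUFFIXES.items():
        if hostname.endswith(suffix):
            return label
    return None


def dns_exists(hostname):
    """Live check: True if the name still resolves.  Only meaningful for providers
    where a deleted resource stops resolving (e.g. Azure endpoints).  S3 bucket
    hostnames keep resolving after the bucket is deleted, so for S3 a service-level
    check (does the bucket still exist?) must replace this function."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records, exists):
    """Return (record_name, target, provider) for every CNAME whose target is a
    cloud hostname that `exists(target)` reports as no longer claimed."""
    findings = []
    for rec in records:
        if rec.rtype != "CNAME":
            continue
        provider = cloud_provider(rec.target)
        if provider is None:
            continue  # not a cloud-hosted target; outside this check's scope
        if not exists(rec.target):
            findings.append((rec.name, rec.target, provider))
    return findings


def audit_sample():
    """Run the audit over the constructed zone with a stubbed existence check."""
    still_claimed = {"legacy-portal.azurewebsites.net"}  # constructed: only this one still exists
    return find_dangling(parse_zone(SAMPLE_ZONE), lambda host: host in still_claimed)


if __name__ == "__main__":
    for name, target, provider in audit_sample():
        print(f"DANGLING {name} -> {target} ({provider}): delete the record or reclaim the resource")
```

Against the constructed zone this reports `files.example.com` (an S3 target) and `status.example.com` (a Traffic Manager target) as dangling, while the Azure App Service record whose resource is still claimed passes. For a real audit, replace the stub with `dns_exists` for the Azure suffixes and with a bucket-existence check for S3, and treat every finding as either a record to delete or a resource to re-create under your own control before anyone else does.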
Final Thoughts
The increased occurrence of advanced attacks by Hazy Hawk presents serious questions regarding the security and trust models of our global digital infrastructure. Such attacks expose the structural vulnerabilities of a system built on mutual trust, showing weaknesses in both the decentralized and centralized aspects of our security systems.
Decentralization of authority over DNS records and cloud assets spreads the responsibility for security across many organizations, making control and coordination difficult. On the other hand, reliance on centralized systems, such as DNS registries and cloud service providers, creates single points of failure that attackers can target.
These threats underscore the need for more robust and proactive prevention procedures, different from those used against DNS amplification attacks, both from individual organizations and from the digital infrastructure at large. Therefore, we must re-think the way digital systems are built, run, and trusted so that the burden of security is shared without being weakened to the point of uselessness.
Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Cybersecurity sections to stay informed and up-to-date with our daily articles.