A menace actor tracked as ‘Hazy Hawk’ is hijacking forgotten DNS CNAME information pointing to deserted cloud companies, taking up trusted subdomains of governments, universities, and Fortune 500 corporations to distribute scams, pretend apps, and malicious advertisements.
In response to Infoblox researchers, Hazy Hawk first scans for domains with CNAME information pointing to deserted cloud endpoints, which they decide by way of passive DNS information validation.
Subsequent, they register a brand new cloud useful resource with the identical identify because the one within the deserted CNAME, inflicting the unique area’s subdomain to resolve to the menace actor’s new cloud-hosted web site.
Utilizing this system, the menace actors hijacked a number of domains to cloak malicious actions, host rip-off content material, or use them as redirection hubs for rip-off operations.
Some notable examples of the hijacked domains embody:
- cdc.gov – U.S. Facilities for Illness Management and Prevention
- honeywell.com – Multinational conglomerate
- berkeley.edu – College of California, Berkeley
- michelin.co.uk – Michelin Tires UK
- ey.com, pwc.com, deloitte.com – World “Large 4” consulting companies
- ted.com – Well-known nonprofit media group (TED Talks)
- well being.gov.au – Australian Division of Well being
- unicef.org – United Nations Kids’s Fund
- nyu.edu – New York College
- unilever.com – World Client Items Firm
- ca.gov – California State Authorities
The whole listing of compromised domains could be discovered within the Infoblox report.
As soon as the menace actor features management of a subdomain, they generate lots of of malicious URLs beneath it, which seem professional in search engines like google and yahoo as a result of guardian area’s excessive belief rating.
Victims clicking on the URLs are redirected by means of layers of domains and TDS infrastructure that profile them based mostly on their gadget sort, IP deal with, VPN use, and so on., to qualify victims.
Supply: Infoblox
Infoblox’s report says the websites are used for tech assist scams, bogus antivirus alerts, pretend streaming/porn websites, and phishing pages.
Customers tricked into permitting browser push notifications get persistent alerts even after they go away the rip-off websites, which may generate vital income for Hazy Hawk.
Supply: Infoblox
The identical researchers reported beforehand about one other menace actor, ‘Savvy Seahorse,’ who additionally abused CNAME information to construct an atypical TDS that redirected customers to pretend funding platforms.
It is simple to miss CNAME information, so they’re vulnerable to stealthy abuse, and it seems that an rising variety of menace actors notice this and try to take benefit.
Within the case of Hazy Hawk, the operation’s success additionally depends on organizations failing to delete DNS information after cloud companies are decommissioned, which allows attackers to duplicate the unique useful resource identify with out authentication.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and learn how to defend towards them.
