Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec 2023. Learn their tactics and how to protect your organization and users.
Cybersecurity researchers at Infoblox Threat Intelligence have released key findings on a recently identified threat, dubbed Hazy Hawk, which has been actively hijacking forgotten cloud resources since at least December 2023.
In its report, shared exclusively with Hackread.com, researchers noted that this advanced group is known for its DNS-savvy tactics and exploits gaps in Domain Name System (DNS) records to redirect unsuspecting internet users to fraudulent websites and malware.
This revelation comes as the Federal Trade Commission (FTC) reports a significant 25% increase in scam-related losses from 2023, totalling a whopping $12.5 billion.
The Attack
Infoblox first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the US Centers for Disease Control (CDC). Cybersecurity journalist Brian Krebs was the first to discover suspicious activity on the CDC's domain.
Further investigation revealed that global government agencies, including alabama.gov and health.gov.au, major universities like berkeley.edu and ucl.ac.uk, and international corporations including Deloitte.com and PwC.com, have also been targeted.
Hazy Hawk's methodology involves finding dangling DNS records, which are CNAME records pointing to abandoned cloud resources like Amazon S3 buckets, Azure endpoints, Akamai, Cloudflare CDN, and GitHub. They register these resources, gain control, and use them to host numerous malicious URLs. Infoblox dubbed the group Hazy Hawk because of their unusual methods of locating and hijacking specific cloud resources.
How Victims Are Lured and Defenses Evaded
Hazy Hawk employs various tactics to deceive victims, including fake browser notifications and fraudulent applications, using URL obfuscation to hide link destinations, and repurposing code from legitimate websites to make their initial pages appear legitimate. They also alter AWS S3 bucket URLs or redirect to the University of Bristol's website.
Once a user clicks on a malicious link, they are routed through several redirection sites like Blogspot or link shorteners like TinyURL, Bitly and traffic distribution systems (TDSs) before reaching viralclipnow.xyz.
These tactics are designed to maximise scammers' profits and make it difficult for security experts to trace attacks by dynamically changing content, leading victims to scams like tech support fraud or gift card schemes.
The research reveals that push notifications are a key component of the scams, where the threat actor can receive a 70-90 percent revenue share from the affiliate who obtained the victim's approval, with services like RollerAds enabling repeated victim targeting.
To prevent such hijackings, organizations should use well-managed DNS, including removing DNS CNAME records when cloud resources are retired. End-users can protect themselves through protective DNS solutions that block access to malicious domains, even when threat actors change website names, and be careful about website notification requests.
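The dangling-CNAME condition described above (a CNAME in your zone pointing at a cloud hostname that nobody on the cloud side still claims) is exactly what the mitigation, removing CNAME records when cloud resources are retired, is meant to prevent. The following script is an added example for auditing your own zone, not code from Infoblox or the article: it parses CNAME records from a BIND-style zone export, keeps only those whose targets match cloud-provider hostname patterns, and asks a pluggable "is this still claimed" check about each. The zone export, the provider patterns and the canned lookup results are constructed for the example and are labelled as such in the code.

```python
"""
Audit a DNS zone export for dangling CNAME records pointing at cloud hostnames.

A CNAME that still lives in your zone while the S3 bucket, Azure app or
GitHub Pages site behind it has been deleted is the precondition for the
subdomain takeover described in the article. The fix is to delete the
CNAME (or re-claim the resource) before anyone else registers the name.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative cloud-target patterns (an assumption for this example, not an
# exhaustive or authoritative list). Targets under these suffixes are
# typically re-registrable by whoever claims the name next.
CLOUD_TARGET_PATTERNS: Dict[str, re.Pattern] = {
    "aws-s3": re.compile(r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"),
    "azure": re.compile(
        r"\.(?:azurewebsites\.net|cloudapp\.azure\.com|"
        r"blob\.core\.windows\.net|trafficmanager\.net)\.?$"
    ),
    "github-pages": re.compile(r"\.github\.io\.?$"),
}


def parse_zone_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line in a BIND-style zone."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        # Accepts "owner TTL IN CNAME target" as well as "owner IN CNAME target".
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx + 1 >= len(fields):
            continue  # malformed line, nothing to audit
        owner = fields[0].rstrip(".").lower()
        target = fields[idx + 1].rstrip(".").lower()
        records.append((owner, target))
    return records


def classify_target(target: str) -> Optional[str]:
    """Name the cloud provider a CNAME target belongs to, or None if not cloud-hosted."""
    for provider, pattern in CLOUD_TARGET_PATTERNS.items():
        if pattern.search(target):
            return provider
    return None


def dns_still_claimed(name: str) -> bool:
    """Live check: does the target hostname still resolve? (NXDOMAIN => unclaimed).
    Adequate for Azure app and GitHub Pages hostnames; S3 wildcard hostnames usually
    resolve even after the bucket is deleted, so swap in an HTTP-based check for those."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(
    zone_text: str, still_claimed: Callable[[str], bool] = dns_still_claimed
) -> List[dict]:
    """List cloud-targeted CNAMEs whose target is no longer claimed by anyone."""
    findings = []
    for owner, target in parse_zone_cnames(zone_text):
        provider = classify_target(target)
        if provider is None:
            continue  # internal or non-cloud targets are out of scope here
        if not still_claimed(target):
            findings.append({"owner": owner, "target": target, "provider": provider})
    return findings


# Constructed sample zone export; none of these names are real deployments.
SAMPLE_ZONE = """
$ORIGIN example.test.
www            300 IN A     192.0.2.10
oldcampaign    300 IN CNAME oldcampaign-assets.s3.amazonaws.com.   ; bucket deleted 2024
portal         300 IN CNAME portal-prod.azurewebsites.net.
docs           300 IN CNAME example-org.github.io.
mail           300 IN CNAME mail.example.test.
"""

# Constructed lookup results standing in for live checks: the Azure app is
# still deployed, the S3 bucket and GitHub Pages site have been torn down.
FAKE_CLAIMED = {
    "portal-prod.azurewebsites.net": True,
    "oldcampaign-assets.s3.amazonaws.com": False,
    "example-org.github.io": False,
}


def demo() -> List[dict]:
    """Run the audit against the constructed zone with the canned lookup results."""
    return find_dangling_cnames(SAMPLE_ZONE, still_claimed=lambda n: FAKE_CLAIMED.get(n, False))


if __name__ == "__main__":
    for f in demo():
        print(f"DANGLING {f['owner']} -> {f['target']} ({f['provider']}): delete the CNAME or re-claim the resource")
```

Against a real zone, call `find_dangling_cnames(zone_text)` with the default `dns_still_claimed` for Azure and GitHub Pages targets, and supply a provider-specific check for S3, where the hostname keeps resolving after the bucket is gone and only the HTTP response reveals that the bucket name is free. Running the audit from a scheduled job is what turns "remove CNAMEs when resources are retired" from a policy into something that is actually enforced.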