Our latest blog is out! It covers a rising issue that many major organizations experience: subdomain hijacking through abandoned cloud resources.

This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.

We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.

https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #HazyHawk

This kind of hijacking has been published before, and is a real challenge for large organizations with complex cloud environments.

The interesting thing here is that we can see a Russian-nexus cybercriminal actor hijacking these domains at scale.

This kind of hijack is somewhat tricky, and we're certain that the actor, which we're tracking as Hazy Hawk, has access to commercial passive DNS collections.

CNAME records are a way for you to tell a resolver that, if someone wants to access something[.]on-your-domain[.]com, they can find it at somewhere[.]on-another-domain[.]com. These records are commonly used to set up content delivery networks (CDNs), which is why large organisations are particularly vulnerable to this kind of attack! They are the ones who actually need to use CDNs.

Having a dangling CNAME means that the domain you are redirecting to no longer exists, so a malicious actor could re-create it and then take control of your domain.
Doing this is Hazy Hawk's specialty! We have seen them usurp resources on these services, and possibly others:
Akamai
Amazon EC2, S3 and Elastic Beanstalk
Azure (various cloud services)
Bunny CDN
Cloudflare CDN
GitHub
Netlify
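To audit your own zone for the dangling CNAMEs described above, here is an added example (not Infoblox's code) that flags CNAME targets that no longer exist and marks those under the providers listed in the post as takeover-prone. It assumes an exported list of (owner, target) pairs, a resolve callback (in practice backed by a DNS library), and a resource_exists callback for providers such as S3 whose wildcard DNS answers even for deleted resources, so an HTTP probe for the provider's "not found" response is required; all callbacks are faked here so it runs offline.

```python
"""Defensive dangling-CNAME audit (added example, not Infoblox's code).
Assumes: (owner, cname_target) pairs exported from your zone; resolve(target)
returning an address or None on NXDOMAIN; resource_exists(target) for providers
whose wildcard DNS answers even for deleted resources (S3 buckets), where an
HTTP probe for the provider's 'not found' page is needed. Fakes keep it offline."""
from typing import Callable, Optional

# Providers named in the post; an abandoned target here can be re-registered
# by anyone. Suffixes are assumed patterns, not an exhaustive list.
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com", ".elasticbeanstalk.com", ".azurewebsites.net",
    ".cloudapp.azure.com", ".b-cdn.net", ".github.io", ".netlify.app",
    ".edgekey.net")
# Providers whose DNS answers for any hostname: absence must be probed.
WILDCARD_DNS_SUFFIXES = (".s3.amazonaws.com",)

def classify_cname(target: str, resolve: Callable[[str], Optional[str]],
                   resource_exists: Callable[[str], bool]) -> str:
    """Return 'ok', 'dangling' or 'dangling-takeover-prone' for one target."""
    if target.endswith(WILDCARD_DNS_SUFFIXES):
        gone = not resource_exists(target)   # DNS alone cannot tell
    else:
        gone = resolve(target) is None       # NXDOMAIN
    if not gone:
        return "ok"
    return ("dangling-takeover-prone" if target.endswith(TAKEOVER_PRONE_SUFFIXES)
            else "dangling")

def find_dangling_cnames(records, resolve, resource_exists):
    """Map each owner whose CNAME target is gone to (target, verdict)."""
    findings = {}
    for owner, target in records:
        verdict = classify_cname(target, resolve, resource_exists)
        if verdict != "ok":
            findings[owner] = (target, verdict)
    return findings

# Constructed sample data: fictional zone, documentation-range addresses.
SAMPLE_RECORDS = [
    ("www.example.org", "www.example.org.cdn.cloudflare.net"),
    ("assets.example.org", "old-assets-2019.s3.amazonaws.com"),
    ("legacy.example.org", "legacy-app.hosting-provider.invalid"),
]
LIVE_ADDRESSES = {"www.example.org.cdn.cloudflare.net": "198.51.100.10",
                  "old-assets-2019.s3.amazonaws.com": "198.51.100.20"}
EXISTING_RESOURCES = set()  # the old S3 bucket was deleted long ago

def fake_resolve(target): return LIVE_ADDRESSES.get(target)
def fake_resource_exists(target): return target in EXISTING_RESOURCES
```

Run find_dangling_cnames(SAMPLE_RECORDS, fake_resolve, fake_resource_exists) to see the two findings; the fix for each is to delete the CNAME or re-claim the target yourself before someone else does.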

Another thing Hazy Hawk is particularly good at is hiding the domains they have stolen. Domain names are valuable, especially when they have a very good reputation! So they make sure that victims won't know they've loaded data from these domains. Obviously, they use well-known tactics like open relays to evade spam email detection. But our blog also highlights a little trick they use to hide their S3 hostnames.