Full Report
A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS). [...]
Analysis Summary
# Threat Actor: Hazy Hawk
## Attribution & Identity
The threat actor is identified as the **Hazy Hawk gang**. This summary is based on reporting from Infoblox regarding their domain hijacking activities. Previously, researchers reported on a similar actor named '[Savvy Seahorse](https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns-cname-records-to-power-investor-scams/),' suggesting a possible evolution or related activity focused on abusing DNS records.
## Activity Summary
Hazy Hawk focuses on exploiting **DNS misconfigurations**, specifically the failure of organizations to delete DNS records after decommissioning cloud services. Because the stale record still points at a cloud resource name that nobody owns, the actor can claim that name themselves and take over the subdomain without any authentication against the victim's DNS. They hijack trusted, high-reputation domains/subdomains to generate hundreds of malicious URLs that appear legitimate in search results. These compromised sites are then reportedly used for tech support scams, bogus antivirus alerts, fake streaming/porn sites, and phishing pages. A key monetization tactic involves tricking users into enabling persistent **browser push notifications**.
## Tactics, Techniques & Procedures
- **DNS Hijacking/Abuse:** Exploiting misconfigured DNS records (often leftover CNAME records) to gain control of subdomains of trusted organizations.
- **Brand Trust Exploitation:** Using the high trust score of the hijacked parent domain to make malicious URLs appear legitimate in search engines.
- **Victim Profiling:** Redirecting users through an infrastructure tailored to profile them based on device type, IP address, and VPN usage to qualify them for specific scams.
- **Persistent Notification Delivery:** Gaining user consent for browser push notifications to deliver persistent alerts even after the user leaves the initial scam site.
- **TDS Infrastructure:** Utilizing layers of domains and Traffic Direction System (TDS) infrastructure for profiling and redirection.
- **Note:** Specific MITRE ATT&CK IDs are not provided in the source text.
## Targeting
- **Sectors:** The successful abuse involves high-profile organizations across various sectors, including consulting, government, education, and consumer goods.
- **Geography:** Global.
- **Victims (Examples of Hijacked Domains):**
  * michel.edu (UC Berkeley)
  * michelin.co.uk (Michelin Tires UK)
  * ey.com, pwc.com, deloitte.com (Global "Big Four" consulting firms)
  * ted.com (TED Talks)
  * health.gov.au (Australian Department of Health)
  * unicef.org (United Nations Children's Fund)
  * nyu.edu (New York University)
  * unilever.com (Global Consumer Goods Company)
  * ca.gov (California State Government)
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the operation results in delivery of:
  * Tech support scam content
  * Bogus antivirus alerts
  * Fake streaming/porn sites
  * Phishing pages
- **Infrastructure:** Layers of custom **TDS infrastructure** used for victim profiling and redirection.
## Implications
The Hazy Hawk operation highlights a low-barrier, high-impact attack vector leveraging poor cyber hygiene (failing to clean up DNS records after service changes). By hijacking the reputation of major global brands, the actor can bypass initial spam/security filters and effectively monetize low-friction scams like push notification spam, which generates recurring revenue. The complexity involved (profiling victims via TDS) suggests a degree of sophistication focused purely on financial fraud rather than espionage.
## Mitigations
- Implement rigorous **DNS record lifecycle management**, ensuring that all records associated with decommissioned cloud services or legacy resources are promptly and completely deleted.
- Regularly audit **CNAME records**, which are prone to stealthy abuse; the earlier 'Savvy Seahorse' activity mentioned above shows the same record type being exploited.
- Educate users about the risks associated with enabling **browser push notifications**, especially on untrusted or unexpected websites, as this enables persistent monetization for attackers.
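A defender-side check for the misconfiguration this report describes (leftover CNAME records whose cloud target has been decommissioned), added here as an illustrative example and not code from the Infoblox report. The zone export, the hostnames and the resolver stand-in are all constructed; against a real zone you would pass the `live_resolve` function instead.

```python
"""Dangling-CNAME audit: flag zone records whose target no longer resolves."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]
Zone = Dict[str, Record]

# Constructed sample zone export (hypothetical names, not from the report).
SAMPLE_ZONE: Zone = {
    "www.example.org": {"type": "A", "data": "203.0.113.10"},
    "reports.example.org": {"type": "CNAME", "data": "old-app.cloudhost.example"},
    "cdn.example.org": {"type": "CNAME", "data": "live-cdn.cloudhost.example"},
    "blog.example.org": {"type": "CNAME", "data": "www.example.org"},
}

# Constructed stand-in for the outside world: targets that still answer.
LIVE_TARGETS = {"live-cdn.cloudhost.example"}


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver stand-in: an address if the name exists, else None."""
    return "198.51.100.1" if name in LIVE_TARGETS else None


def live_resolve(name: str) -> Optional[str]:
    """Real lookup via the stdlib resolver; None on NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling_cnames(zone: Zone, resolve: Callable[[str], Optional[str]]
                         ) -> List[Tuple[str, str]]:
    """Return (name, target) pairs whose CNAME target does not resolve.

    In-zone CNAME chains are followed first so an alias of a live local
    record is not reported. A target that is NXDOMAIN is exactly the state
    an attacker needs: they can register that cloud name and inherit the
    trust of the parent domain.
    """
    dangling = []
    for name, rec in zone.items():
        if rec["type"] != "CNAME":
            continue
        target, seen = rec["data"], set()
        while target in zone and zone[target]["type"] == "CNAME" and target not in seen:
            seen.add(target)
            target = zone[target]["data"]
        if target in zone:  # ends on an in-zone A/AAAA record: not dangling
            continue
        if resolve(target) is None:
            dangling.append((name, rec["data"]))
    return dangling
```

A target that resolves but is unclaimed at the provider cannot be detected by DNS alone; that case needs the provider's inventory compared against the zone.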