Latin America. Infoblox Threat Intel, Infoblox's security intelligence unit, has identified a malicious actor, dubbed Hazy Hawk, dedicated to hijacking subdomains from cloud resources abandoned or unused by their owners.
Hazy Hawk uses forgotten DNS records that still point at cloud services such as Amazon S3 buckets and Azure endpoints to take control of those names and host harmful URLs. These URLs are used to carry out large-scale cyber fraud and distribute malware.
The actor relies on domain hijacking techniques that exploit DNS misconfigurations in cloud resources; discovering such records requires access to passive DNS services. The hijacked domains are used in fraud campaigns that affect millions of users around the world and cause financial losses.
The growing use of cloud services by companies has produced an increase in abandoned resources whose DNS records remain active, which makes this type of attack possible. Hazy Hawk has hijacked subdomains belonging to organizations in North America, including government agencies, universities, and multinational corporations.
To counter these threats, Infoblox advises adding DNS-based security layers such as Protective DNS, reviewing DNS records regularly, and deleting records that point to decommissioned cloud services. It is also essential to train users so that they do not fall victim to fraud delivered through push notifications from unknown sites.
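The DNS record review Infoblox recommends can be automated. The following is an added example, not code from Infoblox or from the original article: it parses a BIND-style zone export, picks out CNAMEs that point at cloud hostnames, and flags those whose target no longer resolves, which is exactly the dangling-record condition that enables this kind of hijack. The suffix list, the sample zone, and the stub resolver are all constructed for illustration; `real_resolver` is the one to pass when auditing a live zone.

```python
# Audit a BIND-style zone export for CNAMEs that point at cloud hostnames
# which no longer resolve (the dangling-record condition abused here).
# The resolver is injectable so the check runs offline with the stub below;
# pass real_resolver to audit a live zone.
import socket

# Cloud hostname suffixes where an unclaimed target could be re-registered
# by a third party (assumed, illustrative list; extend for your providers).
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".cloudfront.net",
)

def parse_cnames(zone_text):
    """Yield (owner, target) for lines shaped '<name> <ttl> IN CNAME <target>'."""
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2:4] == ["IN", "CNAME"]:
            yield parts[0].rstrip("."), parts[4].rstrip(".")

def real_resolver(host):
    """True if the host resolves; NXDOMAIN or any lookup failure returns False."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=real_resolver):
    """Return (owner, target) pairs whose cloud target no longer resolves."""
    return [(o, t) for o, t in parse_cnames(zone_text)
            if t.endswith(CLOUD_SUFFIXES) and not resolves(t)]

# Constructed sample zone and stub resolver (not real hosts) for offline use.
SAMPLE_ZONE = """\
www.example.gov.    300 IN A     192.0.2.10
assets.example.gov. 300 IN CNAME old-bucket.s3.amazonaws.com.
portal.example.gov. 300 IN CNAME retired-app.azurewebsites.net.
cdn.example.gov.    300 IN CNAME d111111abcdef8.cloudfront.net.
"""
LIVE_HOSTS = {"d111111abcdef8.cloudfront.net"}

def stub_resolver(host):
    return host in LIVE_HOSTS

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE, stub_resolver):
        print(f"DANGLING: {owner} -> {target}: delete the record or reclaim the target")
```

A record flagged here should either be removed from the zone or have its target re-provisioned under your own account before anyone else can claim it.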
This case illustrates the importance of complete and continuously monitored management of cloud resources to prevent domain hijacking and safeguard the organization's security.