Cybersecurity researchers at Infoblox have uncovered a DNS hijacking campaign run by the threat actor group tracked as Hazy Hawk. Rather than attacking DNS servers directly, the group takes over subdomains of well-known organizations through abandoned CNAME records: entries that still point at cloud resources their owners have since deleted. The campaign shows a solid understanding of both DNS mechanics and the way cloud providers hand out hostnames.
Technical Analysis: The CNAME Exploitation Method
The attack relies on a common hygiene failure rather than a software vulnerability: a CNAME record left pointing at a cloud endpoint (a storage bucket, web app, CDN distribution or similar) that has since been deprovisioned. Such a "dangling" record keeps resolving the organization's subdomain to a hostname that nobody currently controls. Using passive DNS data, Hazy Hawk finds these dead CNAME targets and then registers a new cloud resource with exactly the same hostname at the same provider. From that moment on, the organization's own DNS records, working precisely as designed, steer visitors of the subdomain to infrastructure the attacker controls. The victim's zone is never modified, which is why the takeover is hard to notice from the owner's side.
High-Profile Victims and Impact Assessment
The campaign has successfully compromised subdomains belonging to several prominent organizations, including CDC.gov, UNICEF.org, and the Australian Department of Health (health.gov.au). Notable academic institutions such as UC Berkeley and New York University, along with major corporations including Honeywell, Michelin, and Unilever, have also fallen victim to these attacks.
Malicious Infrastructure and Monetization Strategies
Upon gaining control of these subdomains, Hazy Hawk deploys a traffic distribution system (TDS) that profiles each visitor by device type, geographic location and whether a VPN is in use, then routes them to whichever fraudulent page or social engineering lure is most likely to work for that profile. Because the lure is served from a subdomain of a trusted organization, visitors and reputation-based filters have less reason to question it.
Primary Attack Vectors
The compromised domains are being weaponized to deliver:
- Fraudulent technical support notifications
- Fake antivirus alerts
- Sophisticated phishing campaigns
- Malicious browser push notification schemes
Mitigation Strategies and Security Recommendations
Organizations must treat their DNS records as part of the attack surface rather than as set-and-forget configuration. Key recommendations include:
- Regular DNS record audits, with particular attention to CNAME entries that point at cloud provider hostnames
- Automated DNS monitoring that alerts when a CNAME target stops resolving (NXDOMAIN), since that is the window in which an attacker can claim the name
- Prompt removal of DNS references whenever a cloud resource is decommissioned, ideally as a mandatory step of the decommissioning process itself
- Deployment of DNS security extensions (DNSSEC), with the caveat that DNSSEC does not prevent this particular takeover: it authenticates the zone's records as published, and the dangling CNAME is genuinely published by the zone owner. It still hardens resolution against spoofed answers and belongs in the baseline.
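To make the dangling-CNAME condition described in the exploitation section concrete, and to show what the recommended CNAME audit actually checks, here is a small audit script. It is an added example written for this page, not code from Infoblox or from the Hazy Hawk research. The zone entries and the resolver answers are constructed for illustration, and the list of "claimable" cloud suffixes is an assumption to be replaced with the providers an organization really uses.

```python
"""Dangling-CNAME audit (added example, not Infoblox code).

A CNAME whose target no longer resolves is broken; when that target also sits
under a cloud service where any tenant can register the hostname, it is a
subdomain takeover candidate of the kind Hazy Hawk abuses.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Assumption for the example: suffixes of services where a deprovisioned
# hostname can be re-claimed by another tenant. Extend for your own providers.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".cloudfront.net",
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
    ".github.io",
)


def normalize(hostname: str) -> str:
    """Strip the trailing dot of a zone-file name and lower-case it."""
    return hostname.rstrip(".").lower()


def is_claimable(target: str) -> bool:
    """True if the CNAME target lives under a suffix from CLAIMABLE_SUFFIXES."""
    t = normalize(target)
    return any(t.endswith(suffix) for suffix in CLAIMABLE_SUFFIXES)


@dataclass
class Finding:
    name: str       # the subdomain owning the CNAME
    target: str     # the CNAME target (normalized)
    resolves: bool  # does the target currently resolve?
    claimable: bool # is the target on a platform where the name can be re-registered?

    @property
    def severity(self) -> str:
        if not self.resolves and self.claimable:
            return "HIGH"    # dead target on a claimable platform: takeover candidate
        if not self.resolves:
            return "MEDIUM"  # dead target; reclaim risk depends on the provider
        return "INFO"        # target resolves; verify it is still yours


def audit(cnames: Iterable[Tuple[str, str]],
          resolves: Callable[[str], bool]) -> List[Finding]:
    """Check every (name, target) CNAME pair with the supplied resolver predicate."""
    findings = []
    for name, target in cnames:
        t = normalize(target)
        findings.append(Finding(normalize(name), t, resolves(t), is_claimable(t)))
    return findings


def takeover_candidates(findings: List[Finding]) -> List[str]:
    """Names whose CNAME target is both dead and claimable."""
    return [f.name for f in findings if f.severity == "HIGH"]


def live_resolves(target: str) -> bool:
    """Real resolver predicate: does the system resolver return any address?"""
    try:
        socket.getaddrinfo(target, None)
        return True
    except socket.gaierror:
        return False


# Constructed sample zone (fictional names) and constructed resolver answers.
SAMPLE_ZONE = [
    ("events.example.org.",   "eventsapp-prod.azurewebsites.net."),  # app deleted
    ("www.example.org.",      "d111111abcdef8.cloudfront.net."),     # still live
    ("old-blog.example.org.", "legacy.hostingco.example."),          # dead, non-cloud
]
CONSTRUCTED_LIVE = {"d111111abcdef8.cloudfront.net"}


def constructed_resolves(target: str) -> bool:
    """Offline stand-in for live_resolves, driven by the constructed answers above."""
    return target in CONSTRUCTED_LIVE


if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE, constructed_resolves):
        print(f"{f.severity:6} {f.name} -> {f.target}")
```

Run against a real zone export, `audit(records, live_resolves)` flags the HIGH findings as the names to fix first. Note what this check cannot see: a target that already resolves may already have been re-registered by someone else, so every INFO entry on a claimable suffix should also be cross-checked against the organization's own cloud inventory rather than trusted because it answers.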
This campaign bears striking similarities to previous operations by the Savvy Seahorse group, suggesting an evolution in DNS exploitation techniques. Security professionals emphasize that the attacks are effective because they abuse legitimate DNS functionality rather than any flaw in DNS itself, which makes detection and prevention particularly challenging: from the outside, the hijacked subdomain resolves exactly as its owner configured it. Organizations must maintain vigilant oversight of their DNS infrastructure and apply the controls above to mitigate these threats.