IT Brief US - Technology news for CIOs & IT decision-makers

Hazy Hawk exploits abandoned cloud DNS for global scams surge

Yesterday

Cybersecurity firm Infoblox has identified a threat actor it tracks as Hazy Hawk, which takes over subdomains whose DNS records still point at abandoned cloud resources such as Amazon S3 buckets and Azure endpoints.

According to Infoblox's Threat Intelligence team, subdomain hijacking through abandoned cloud resources is an increasing challenge for major organisations. In this class of attack, a DNS record (typically a CNAME) keeps pointing at a cloud resource, such as an S3 bucket hostname or an Azure app endpoint, after the resource itself has been deleted; whoever re-creates a resource under that same name then answers for the organisation's subdomain. Hazy Hawk has been observed claiming such records left behind by discontinued or forgotten cloud services, then using the hijacked subdomains to conduct scams and distribute malware at scale.

Infoblox stated, "Subdomain hijacking through abandoned cloud resources is an issue that probably every major organization has experienced, and these attacks are on the rise. Infoblox Threat Intel has tracked some of this activity to a threat actor, dubbed Hazy Hawk, that uses hijacked domains to conduct large-scale scams and malware distribution. This discovery highlights the critical need for organizations to manage their DNS records and cloud resources vigilantly."

Hazy Hawk is described by Infoblox as a sophisticated threat actor that leverages forgotten DNS records associated with services no longer in use. By exploiting these abandoned entries, the group is able to host malicious URLs and direct users to fraudulent adverts and malware. The company explained, "Hazy Hawk is a sophisticated threat actor that hijacks forgotten DNS records from discontinued cloud services such as Amazon S3 buckets and Azure endpoints. By taking control of these abandoned resources, Hazy Hawk is able to host malicious URLs that lead unsuspecting users to scams and malware."

Infoblox highlighted that locating vulnerable DNS records within cloud environments can be more complex than identifying unregistered traditional domains. The expansion of cloud usage has led to a proliferation of unmaintained or abandoned resources. According to Infoblox, "Identifying vulnerable DNS records in the cloud is significantly more challenging than identifying regular unregistered domains. As cloud usage has grown, the number of abandoned 'fire and forget' resources has skyrocketed. Especially for those companies that do not use a comprehensive visibility and management solution for managing all their assets across their digital real estate."

Since December 2024, Hazy Hawk has hijacked subdomains belonging to a range of high-profile entities, including the U.S. Centers for Disease Control and Prevention (CDC), several government agencies, universities, and international corporations.

The tactics employed by Hazy Hawk differ from those of traditional domain hijackers, who look for expired or unregistered domains. The threat actor instead targets DNS misconfigurations within cloud environments and reportedly relies on commercial passive DNS services: archives of historical resolution data that let an attacker search for CNAME records pointing at cloud hostnames that no longer exist, without querying each target organisation's name servers directly. Infoblox's intelligence details, "Unlike traditional domain hijackers, Hazy Hawk targets DNS misconfigurations in the cloud and must have access to commercial passive DNS services to do so."

The breadth of the hijacking campaign is considerable, with seized domains being used to run a variety of fraudulent schemes. This includes disseminating fake advertisements and push notifications designed to trick users, with global reach impacting millions. Infoblox notes, "The hijacked domains are used to distribute a variety of scams, including fake advertisements and malicious push notifications, affecting millions of users globally."

These scams are said to contribute to significant economic losses, especially in the United States where elderly populations are frequently targeted. Infoblox reported, "The scams facilitated by Hazy Hawk contribute to the multi-billion-dollar fraud market, with significant financial losses reported, particularly among the elderly population in the United States."

Hazy Hawk further protects its operations using several obfuscation methods. These include hijacking respected domains, complicating URL structures and using multiple redirections. The company stated, "Hazy Hawk uses layered defenses to protect their operations, including hijacking reputable domains, obfuscating URLs, and redirecting traffic through multiple domains."

To mitigate such threats, Infoblox recommends organisations adopt strict DNS management strategies, such as regular audits of DNS records and prompt removal of records linked to discontinued cloud services. Order matters here: the DNS record should be deleted before the cloud resource it points to is released, since the window between deleting the resource and deleting the record is exactly what an attacker claims. The company also stresses the importance of user education, particularly instructing staff to decline push notification requests from unfamiliar websites to avoid potential scams.
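As an added illustration of the kind of audit described above (this is example code written for this article, not Infoblox tooling, and the zone file, hostnames and probe results below are constructed), the following script scans a BIND-style zone export for CNAME records whose targets are cloud hostnames that anyone can claim and checks whether the target is still in use. The suffix list is an illustrative assumption, not an exhaustive one. Note the caveat it encodes: Azure hostnames for unused names fail to resolve (NXDOMAIN), but S3 bucket hostnames resolve whether or not the bucket exists, so a DNS-only check misses them and an HTTP probe for the "NoSuchBucket" error is needed.

```python
"""Audit a zone export for dangling CNAMEs that point at re-creatable cloud
resources. Example code for this article, not Infoblox's tooling; the
sample zone, suffix lists and stub probe results are constructed."""
import re
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Cloud suffixes where names are first-come, first-served (assumed, not exhaustive).
# For these, an unused name returns NXDOMAIN, so a DNS lookup is a sufficient probe.
DNS_CHECKED_SUFFIXES = (
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".cloudapp.azure.com",
)
# S3 bucket hostnames always resolve (wildcard DNS); a missing bucket is only
# visible as an HTTP 404 whose body contains "NoSuchBucket".
HTTP_CHECKED_SUFFIXES = (
    ".s3.amazonaws.com",
    ".s3-website-us-east-1.amazonaws.com",
)

# Matches "name [TTL] [IN] CNAME target" lines in a BIND-style zone file.
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME record, normalised to lowercase
    without the trailing dot. Comments after ';' are ignored."""
    pairs = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = CNAME_RE.match(line)
        if m:
            pairs.append((m.group(1).rstrip(".").lower(), m.group(2).rstrip(".").lower()))
    return pairs


def dns_resolves(host: str) -> bool:
    """Live probe: does the hostname resolve at all?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def s3_bucket_missing(host: str) -> bool:
    """Live probe: True only when S3 answers 404 NoSuchBucket for this hostname.
    A 403 (private bucket) or 404 NoSuchKey (bucket exists, no index) is not dangling."""
    try:
        urllib.request.urlopen("http://" + host + "/", timeout=5)
        return False
    except urllib.error.HTTPError as err:
        return err.code == 404 and b"NoSuchBucket" in err.read()
    except urllib.error.URLError:
        return False  # network failure: cannot conclude, do not report


def find_dangling(
    zone_text: str,
    resolves: Callable[[str], bool] = dns_resolves,
    bucket_missing: Callable[[str], bool] = s3_bucket_missing,
) -> Dict[str, str]:
    """Map each subdomain with a claimable, unused CNAME target to a reason string."""
    findings: Dict[str, str] = {}
    for owner, target in parse_cnames(zone_text):
        if target.endswith(DNS_CHECKED_SUFFIXES):
            if not resolves(target):
                findings[owner] = f"{target} is NXDOMAIN: the name can be registered by anyone"
        elif target.endswith(HTTP_CHECKED_SUFFIXES):
            if bucket_missing(target):
                findings[owner] = f"{target} returns NoSuchBucket: the bucket can be re-created by anyone"
    return findings


# Constructed sample zone; none of these names are real deployments.
SAMPLE_ZONE = """; constructed export for example.org
www.example.org.        300 IN CNAME d111111abcdef8.cloudfront.net.
old-portal.example.org. 300 IN CNAME old-portal-assets.s3.amazonaws.com.
api.example.org.        300 IN A     203.0.113.10
legacy.example.org.     300 IN CNAME legacy-app.azurewebsites.net.
docs.example.org.       300 IN CNAME docs-site.s3-website-us-east-1.amazonaws.com.
"""

# Stub probe results so the example runs offline; a real audit passes the live probes.
STUB_NXDOMAIN = {"legacy-app.azurewebsites.net"}
STUB_MISSING_BUCKETS = {"old-portal-assets.s3.amazonaws.com"}


def audit_sample() -> Dict[str, str]:
    return find_dangling(
        SAMPLE_ZONE,
        resolves=lambda h: h not in STUB_NXDOMAIN,
        bucket_missing=lambda h: h in STUB_MISSING_BUCKETS,
    )


if __name__ == "__main__":
    for owner, reason in audit_sample().items():
        print(f"DANGLING {owner}: {reason}")
```

Run against a real export with `find_dangling(zone_text)` and the default live probes. Records the script flags should be deleted (or repointed) immediately; records it does not flag still deserve review, because the suffix list only covers a few provider patterns and a target that resolves today may be released tomorrow.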

Infoblox's findings underscore the persistence of DNS-based threats and the necessity for ongoing vigilance as cloud environments continue to expand.
