CyberSecurity news

FlagThis - #dns

info@thehackernews.com (The@The Hacker News //

Hazy Hawk Exploits Abandoned Cloud Assets via DNS

A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.

Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource.

The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • BleepingComputer: Threat actors have been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDSes).
  • BleepingComputer: Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
  • The Hacker News: Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
  • hackread.com: Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…
  • The DefendOps Diaries: Explore Hazy Hawk's DNS hijacking tactics and learn how to protect your domains from this emerging cybersecurity threat.
  • bsky.app: A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
  • www.bleepingcomputer.com: Hazy Hawk has been observed hijacking abandoned cloud resources.
  • Virus Bulletin: Researchers Jacques Portal & Renée Burton look into Hazy Hawk, a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • blogs.infoblox.com: Hazy Hawk is a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • www.scworld.com: Misconfigured DNS, neglected cloud assets harnessed in Hazy Hawk domain hijacking attacks
  • Infoblox Blog: Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  • DomainTools: Report on the threat actor's tactics and techniques, including targeting abandoned cloud resources.
  • Security Risk Advisors: Hazy Hawk Actor Hijacks Abandoned Cloud DNS Records of High-Profile Organizations for Scam Distribution
  • cyble.com: Cyble reports on Hazy Hawk campaign hijacks abandoned cloud DNS records from CDC, Berkeley, & 100+ major orgs to distribute scams.
  • BleepingComputer: Hazy Hawk exploits abandoned cloud resources from high-profile organizations to distribute scams and malware through traffic distribution systems (TDSes).
  • cyberscoop.com: Coordinated effort took down seven kinds of malware and targeted initial access brokers.
  • securityonline.info: A significant takedown neutralized ransomware delivery and initial access malware infrastructure.
  • BleepingComputer: International law enforcement took down hundreds of servers and domains.
Classification:
  • HashTags: #DNSsecurity #CloudSecurity #HazyHawk
  • Company: Infoblox
  • Target: Organizations
  • Attacker: Hazy Hawk
  • Product: Amazon S3, Azure
  • Feature: DNS Hijacking
  • Malware: TDS
  • Type: Hack
  • Severity: Major
Bill Mann@CyberInsider //

CISA Warns of Fast Flux DNS Evasion Technique

CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.

Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • CyberInsider: CISA Warns of ‘Fast Flux’ Technique Hackers Use for Evasion
  • The Register - Security: For flux sake: CISA, annexable allies warn of hot DNS threat
  • Industrial Cyber: Advisory warns of fast flux national security threat, urges action to protect critical infrastructure
  • Cyber Security News: Hackers Leveraging Fast Flux Technique to Evade Detection & Hide Malicious Servers
  • BleepingComputer: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • BleepingComputer: CISA warns of Fast Flux DNS evasion used by cybercrime gangs
  • The DefendOps Diaries: Understanding and Combating Fast Flux in Cybersecurity
  • bsky.app: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • www.csoonline.com: Cybersecurity agencies urge organizations to collaborate to stop fast flux DNS attacks
  • hackread.com: NSA and Global Allies Declare Fast Flux a National Security Threat
  • : National Security Agencies Warn of Fast Flux Threat Bypassing Network Defenses
  • www.itpro.com: Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
  • Infoblox Blog: Disrupting Fast Flux with Predictive Intelligence
  • www.cybersecuritydive.com: Cybersecurity Dive on CISA FBI warn
  • Threats | CyberScoop: International intelligence agencies raise the alarm on fast flux
  • Infoblox Blog: Disrupting Fast Flux and Much More with Protective DNS
  • blogs.infoblox.com: Disrupting Fast Flux and Much More with Protective DNS
  • The Hacker News: Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel.
  • thecyberexpress.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international cybersecurity partners, has issued an urgent advisory titled “Fast Flux: A National Security Threat.†The advisory highlights the growing use of fast flux techniques by cybercriminals and potentially nation-state actors to evade detection and establish highly resilient and stealthy infrastructure for malicious activities.
  • Blog: Five Eyes warn threat actors increasing use of ‘fast flux’ technique
Classification:
  • HashTags: #FastFlux #DNS #Cybersecurity
  • Company: DNS Providers
  • Target: Organizations, ISPs
  • Product: DNS
  • Feature: DNS evasion
  • Type: HighRisk
  • Severity: Major

Posts

Blogs

Research Tools