
Hackers hijack Bose, Panasonic, and CDC subdomains to distribute malware

Cybercriminals have learned to use abandoned web resources of well-known companies to launch phishing campaigns and distribute malware. Subdomains of Bose, Panasonic, Deloitte, and even the US Centers for Disease Control and Prevention have already fallen victim.


According to Infoblox, the new wave of attacks is the work of a group it tracks as Hazy Hawk. Rather than breaking into the companies' systems, the group exploits a weakness in their infrastructure: DNS records that were never deleted after the cloud services they pointed to were shut down.

Who are Hazy Hawk?

A little-known but active threat group that specializes in attacks through infrastructure weaknesses rather than software exploits. Its campaigns have been recorded in the US, Europe, and Japan.

These so-called «dangling» records let attackers take control of abandoned subdomains. For example, if a company stops using a service on AWS or Azure but leaves the DNS record pointing at it, the cloud hostname (or IP address) it pointed to is released and can be claimed by anyone with an account at that provider. Once the attacker registers it, the record, and with it a subdomain such as something.panasonic.com, points at infrastructure the attacker controls, without the company's own DNS ever being touched.

These legitimate-looking addresses then redirect users to fraudulent websites. To do this, Hazy Hawk uses traffic distribution systems (TDS) that select a «scam scenario» based on the user's device, location, and behavior. Often the first hop is a domain that appears harmless, such as share.js.org, but after a few clicks the user is shown fake virus warnings or offers to install «updates» that are actually malware.

The attacks also have a lasting effect beyond a one-time infection: if the user grants the site permission to send browser push notifications, the fraudulent content keeps arriving long after the visit, even once the page has been closed.

How to protect yourself?

Users should not grant notification permissions to unfamiliar sites and should avoid clicking suspicious links. Companies should regularly audit their DNS zones and delete records that point to cloud resources they no longer control.

To do this, it is recommended to use DNS monitoring tools in conjunction with threat intelligence systems. DNS security should become a priority, not a «minor technical matter.»
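One way to run such an audit, as an added example that is not Infoblox's tooling or part of the original article: parse a zone export, resolve every CNAME target, and flag targets that no longer resolve, giving priority to cloud suffixes whose names can be re-registered by anyone (the watch-list of suffixes, the sample zone, and the stubbed resolver answers are all assumptions constructed for the example).

```python
"""Dangling-CNAME audit for a DNS zone (added example, not Infoblox's tooling).

Reads BIND-style zone lines, resolves every CNAME target, and flags targets that
no longer resolve. Targets on cloud suffixes whose names can be re-registered by
anyone are reported as high priority: those are the records described above.
The zone text and the resolver answers below are constructed for the example;
swap stub_resolve for live_resolve to run it against real records.
"""
import socket
from dataclasses import dataclass

# Assumed watch-list of cloud hostname suffixes where a deleted resource's name
# is released and can be claimed by a new account. Extend it for your providers.
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudapp.azure.com",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".cloudfront.net",
    ".elasticbeanstalk.com",
    ".s3.amazonaws.com",
    ".herokuapp.com",
    ".github.io",
)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    high_priority: bool


def parse_zone(text):
    """Parse lines of the form 'owner TTL IN TYPE rdata'; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts[:5]
        records.append(Record(owner.rstrip("."), rtype.upper(), rdata.rstrip(".")))
    return records


def live_resolve(host):
    """Return the addresses a hostname resolves to, or [] if it does not resolve.

    Uses the system resolver. A target that exists but has no address is also
    treated as unresolved, which errs on the side of reporting."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def find_dangling(records, resolve):
    """Flag CNAME records whose target does not resolve.

    A records are skipped on purpose: whether a released IP address is still
    yours can only be judged against the cloud account inventory, not by DNS."""
    findings = []
    for rec in records:
        if rec.rtype != "CNAME" or resolve(rec.target):
            continue
        prone = rec.target.endswith(TAKEOVER_PRONE_SUFFIXES)
        findings.append(Finding(rec.name, rec.target, prone))
    return findings


# Constructed zone: example.com with two live CNAMEs and two stale ones.
SAMPLE_ZONE = """
; constructed sample records, not any real company's zone
www.example.com.     300 IN A     203.0.113.10
promo.example.com.   300 IN CNAME promo-2019.azurewebsites.net.
cdn.example.com.     300 IN CNAME d111111abcdef8.cloudfront.net.
docs.example.com.    300 IN CNAME example.github.io.
old.example.com.     300 IN CNAME legacy.partner.example.net.
"""

# Constructed resolver answers standing in for live DNS; anything absent is NXDOMAIN.
STUB_ANSWERS = {
    "d111111abcdef8.cloudfront.net": ["198.51.100.5"],
    "example.github.io": ["192.0.2.44"],
}


def stub_resolve(host):
    return STUB_ANSWERS.get(host, [])


def scan_sample():
    """Run the audit over the constructed zone with the stubbed resolver."""
    return find_dangling(parse_zone(SAMPLE_ZONE), stub_resolve)


if __name__ == "__main__":
    for f in scan_sample():
        level = "HIGH" if f.high_priority else "INFO"
        print(f"{level} {f.name} -> {f.target} does not resolve; delete or reclaim it")
```

The high-priority finding (promo.example.com pointing at a released Azure Web App name) is exactly the shape of record Hazy Hawk registers under its own account; the low-priority one (a partner hostname that no longer exists) is still worth deleting, because whoever controls that domain in future inherits the subdomain. Run it on a schedule against every zone you own, and treat a new finding as an incident to close the same day.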

Earlier we wrote about how the Chinese group APT41 created new malware called ToughProgress, which uses Google Calendar as a channel for communication with its command-and-control server.

On the topic:
Hackers are massively hacking Asus routers: installing backdoors that survive firmware updates
Europol, as part of Operation Endgame 2.0, destroyed the infrastructure of hacker groups and paralyzed their work
The US Department of Justice dismantled the DanaBot hacking network and charged 16 members of the group
