Intelligent CISO Issue 87 | Page 22

infographic

NEW CYBERTHREAT ‘HAZY HAWK’ HIJACKS MAJOR DOMAINS – ORGANISATIONS ARE AT RISK

Infoblox uncovers a threat actor exploiting abandoned cloud resources to hijack subdomains of major organisations for scams and malware distribution.

Subdomain hijacking through abandoned cloud resources is an issue that probably every major organisation has experienced, and these attacks are on the rise.

Infoblox Threat Intel has tracked some of this activity to a threat actor, dubbed Hazy Hawk, that uses hijacked domains to conduct large-scale scams and malware distribution. This discovery highlights the critical need for organisations to manage their DNS records and cloud resources vigilantly.
What is Hazy Hawk?
Hazy Hawk is a sophisticated threat actor that hijacks forgotten DNS records from discontinued cloud services such as Amazon S3 buckets and Azure endpoints. By taking control of these abandoned resources, Hazy Hawk is able to host malicious URLs that lead unsuspecting users to scams and malware.
Identifying vulnerable DNS records in the cloud is significantly more challenging than identifying regular unregistered domains. As cloud usage has grown, the number of abandoned ‘fire and forget’ resources has skyrocketed – especially for companies that do not use a comprehensive visibility and management solution for overseeing assets across their digital real estate.
Hazy Hawk has successfully hijacked subdomains of reputable organisations, including the US Center for Disease Control (CDC), various government agencies, universities and international companies since December 2024.
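One way to find the forgotten records described above is to compare a zone export against the inventory of cloud resources the organisation still owns. The sketch below is an added example, not code from Infoblox or from this article; the zone data, inventory and function names are constructed for illustration, and the provider suffix list is a small assumed sample that a real audit would extend.

```python
# Added example: flag CNAME records whose cloud target is missing from the asset inventory.
# Suffixes are a small assumed sample of provider endpoints; extend for the providers in use.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
)

# Constructed zone export: owner name, record type, target
ZONE = """\
www.example.org.      CNAME  example-web.azurewebsites.net.
assets.example.org.   CNAME  example-assets.s3.amazonaws.com.
promo.example.org.    CNAME  promo-2019.azurewebsites.net.
mail.example.org.     A      192.0.2.10
docs.example.org.     CNAME  docs.example.org.cdn.example.net.
"""

# Constructed inventory of cloud endpoints the organisation still owns
INVENTORY = {"example-web.azurewebsites.net", "example-assets.s3.amazonaws.com"}


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_cnames(zone_text):
    """Yield (owner, target) for each CNAME line of a whitespace-separated export."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].upper() == "CNAME":
            yield normalise(fields[0]), normalise(fields[2])


def find_dangling_candidates(zone_text, inventory):
    """Return (owner, target) pairs pointing at a cloud endpoint not in the inventory."""
    owned = {normalise(n) for n in inventory}
    return [
        (owner, target)
        for owner, target in parse_cnames(zone_text)
        if target.endswith(CLOUD_SUFFIXES) and target not in owned
    ]


if __name__ == "__main__":
    for owner, target in find_dangling_candidates(ZONE, INVENTORY):
        print(f"REVIEW: {owner} -> {target} (no matching resource in inventory)")
```

Each finding is a candidate for review: either the cloud resource is re-added to the inventory or the DNS record is removed. Targets on providers outside the suffix list, such as the `docs` record here, are not evaluated.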
Hazy Hawk details:
• Sophisticated techniques: Unlike traditional domain hijackers, Hazy Hawk targets DNS misconfigurations in the cloud and must have access to commercial passive DNS services to do so