Introduction
A new cybersecurity threat has emerged: the group known as Hazy Hawk is hijacking abandoned cloud resources belonging to high-profile organizations, hosted on major cloud platforms such as Amazon S3 and Microsoft Azure. The activity exploits misconfigured DNS records to redirect users to scams and malware.
Key Details
- Who: Threat actor "Hazy Hawk," tracked by Infoblox
- What: Hijacking of abandoned cloud resources using DNS misconfigurations
- When: Notable incidents began as early as December 2023, gaining attention in February 2025
- Where: Targeting resources globally, including U.S. government agencies, leading universities, and corporations like Deloitte and PricewaterhouseCoopers
- Why: This hijacking not only boosts the credibility of malicious content but also allows attackers to bypass conventional detection methods
- How: By re-registering the abandoned cloud resource that a dangling DNS CNAME record still points to, attackers gain control of the organization's unused subdomain and redirect its visitors via Traffic Distribution Systems (TDSes) to various scams
Why It Matters
- Enterprise Security and Compliance: The exploitation of reputable domains heightens risks for organizations, making security protocols more critical than ever.
- Cloud Adoption: Organizations may need to reevaluate their cloud resource management practices to prevent similar vulnerabilities.
- Hybrid/Multi-Cloud Strategy: Ensuring robust governance over cloud configurations is essential to maintaining security across diverse platforms.
Takeaway for IT Teams
IT managers should prioritize auditing DNS records and removing any CNAME records that still point at shut-down resources. Additionally, educate end-users to decline browser notification permission requests from unverified websites. Being proactive can minimize exposure to threats like those posed by Hazy Hawk.
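As an added illustration of that audit (example code, not from the original article or from Infoblox), the following Python script pulls the CNAME records out of a BIND-style zone export and flags those whose target is a cloud hostname that no longer resolves. The zone data, the cloud-suffix list and the set of decommissioned targets are constructed assumptions; the resolver is injectable so the check can run offline.

```python
import socket

# Illustrative suffixes of cloud services where an unclaimed hostname can be
# registered by anyone (assumption: extend for the services your organization uses).
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com", ".azurewebsites.net", ".blob.core.windows.net",
    ".cloudapp.azure.com", ".trafficmanager.net", ".cloudfront.net",
)

# Constructed BIND-style zone export standing in for a real one.
SAMPLE_ZONE = """
www.example.com.      300 IN A     192.0.2.10
assets.example.com.   300 IN CNAME old-bucket.s3.amazonaws.com.
portal.example.com.   300 IN CNAME legacy-app.azurewebsites.net.
blog.example.com.     300 IN CNAME live-site.azurewebsites.net.
mail.example.com.     300 IN MX    10 mx.example.com.
"""

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME record in a zone export."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            pairs.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return pairs

def target_resolves(name):
    """Default resolver: True if the name has an address, False on NXDOMAIN / no answer."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=target_resolves):
    """List CNAMEs whose target is a cloud hostname that no longer resolves.
    A target that still resolves may nonetheless have been released by your
    account, so confirm ownership in the cloud console as a second step."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        on_cloud = any(target.endswith(s) for s in CLOUD_SUFFIXES)
        if on_cloud and not resolves(target):
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    # Constructed resolver results: two decommissioned targets, one still live.
    gone = {"old-bucket.s3.amazonaws.com", "legacy-app.azurewebsites.net"}
    for owner, target in find_dangling(SAMPLE_ZONE, lambda n: n not in gone):
        print(f"REMOVE dangling CNAME: {owner} -> {target}")
```

Run against a real zone export with the default resolver, each finding is a CNAME record to delete (or a resource to reclaim) before someone else registers the target.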
For more curated news and infrastructure insights, visit TrendInfra.com.