
Hazy Hawk Emerges as Stealthy Subdomain Hijacker Targeting Global Organizations


Infoblox uncovers new threat actor exploiting abandoned cloud assets for scams and malware

A newly identified threat actor, dubbed Hazy Hawk, is exploiting abandoned cloud resources to hijack subdomains of major organizations, including government agencies, universities, and multinational companies. The revelation, made by Infoblox Threat Intelligence, underscores an urgent cybersecurity gap: unmanaged DNS records tied to discontinued cloud services.

Hazy Hawk leverages forgotten DNS entries from platforms such as Amazon S3 and Microsoft Azure, weaponizing these neglected assets to host malicious URLs. Victims are funneled into a web of scams, including fake advertisements and push notification traps, which often deliver malware or steal sensitive data.

Unlike traditional domain hijackers, Hazy Hawk operates with precision and sophistication. Infoblox researchers report that the group likely has access to commercial passive DNS services, enabling them to locate and exploit vulnerable assets with surgical accuracy.

“This is a wake-up call for every organization using cloud services — DNS hygiene is no longer optional.”  

The threat has been active since at least December 2024, with confirmed cases of subdomain hijacking affecting major entities such as the U.S. Centers for Disease Control and Prevention (CDC). The impact extends globally, with millions of users exposed to scams — many of them targeting vulnerable populations such as the elderly in the U.S.

Key Threat Characteristics:

  • Cloud Misconfigurations: Targets DNS records linked to decommissioned cloud infrastructure — often overlooked by IT teams.
  • Global Reach: Affects domains of trusted institutions, increasing the credibility of the scams.
  • Obfuscation Tactics: Employs redirects, layered domain routing, and URL masking to avoid detection.
  • Economic Fallout: Fuels a growing fraud market valued in billions of dollars annually.

How to Defend Against Hazy Hawk

Infoblox recommends organizations:

  • Conduct regular DNS audits, especially focusing on cloud-linked records.
  • Implement automated asset visibility tools for better oversight of digital infrastructure.
  • Educate users to avoid interacting with suspicious push notifications or unfamiliar links.
  • Decommission abandoned services properly, ensuring associated DNS records are promptly removed.
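The first and last of these recommendations come down to one check: find CNAME records that still point at a cloud hostname whose backing resource no longer exists. The script below is an added illustration written for this article, not Infoblox tooling or anything from the report. It parses a constructed BIND-style zone export, flags CNAMEs whose target matches an assumed list of cloud-provider suffixes, and reports those whose target no longer resolves. Resolution is simulated with an in-memory answer set so the example runs offline; in a real audit you would swap `resolves()` for a live lookup (for example with dnspython's `dns.resolver`) and feed it your zone exports or registrar API output.

```python
"""Dangling-CNAME audit over an exported DNS zone (added example, not from the article)."""
import re
from dataclasses import dataclass

# Hostname suffixes of cloud services that are commonly the target of CNAMEs.
# Assumed, illustrative list; extend it with the providers your organisation uses.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".s3-website-us-east-1.amazonaws.com",
    ".cloudfront.net",
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".cloudapp.azure.com",
    ".herokuapp.com",
    ".github.io",
)

# Constructed zone export; example.org is a reserved documentation domain.
SAMPLE_ZONE = """\
$ORIGIN example.org.
www          300 IN A     192.0.2.10
assets       300 IN CNAME media-bucket-2019.s3.amazonaws.com.
portal       300 IN CNAME legacy-portal.azurewebsites.net.
blog         300 IN CNAME example-blog.cloudfront.net.
mail         300 IN MX    10 mx1.example.org.
old-app      300 IN CNAME old-app-prod.trafficmanager.net.
"""

# Simulated resolver: the only cloud target that still answers. Constructed data;
# replace resolves() with a real DNS query in production.
STILL_RESOLVING = {"example-blog.cloudfront.net"}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    owner: str    # fully qualified record name, no trailing dot
    target: str   # CNAME target, no trailing dot
    status: str   # "dangling" (target no longer resolves) or "ok"


def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME in a BIND-style zone text."""
    origin = None
    pairs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if not m:
            continue
        owner, target = m.group(1), m.group(2)
        if origin and not owner.endswith("."):
            owner = f"{owner}.{origin}"       # qualify relative owner names
        pairs.append((owner.rstrip("."), target.rstrip(".")))
    return pairs


def is_cloud_target(host):
    """True when the hostname ends in one of the known cloud-provider suffixes."""
    h = host.lower()
    return any(h.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def resolves(host, answers=STILL_RESOLVING):
    """Stand-in for a live lookup: does the target still have an answer?"""
    return host.lower() in answers


def audit_zone(zone_text, answers=STILL_RESOLVING):
    """Classify every cloud-pointing CNAME as 'ok' or 'dangling'."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if not is_cloud_target(target):
            continue                           # on-prem or non-cloud target, out of scope
        status = "ok" if resolves(target, answers) else "dangling"
        findings.append(Finding(owner, target, status))
    return findings


def dangling(zone_text, answers=STILL_RESOLVING):
    """Only the records that need to be removed or re-pointed."""
    return [f for f in audit_zone(zone_text, answers) if f.status == "dangling"]


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f.status:9} {f.owner} -> {f.target}")
```

Every record reported as `dangling` is a CNAME your zone still publishes for a cloud name nobody on your side controls any more; the remediation the article calls for is to delete that record (or re-point it) as part of decommissioning, and to run this audit on a schedule so records left behind by future teardowns surface quickly.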

The emergence of Hazy Hawk shines a spotlight on the rising risk of “set-it-and-forget-it” cloud deployments. As organizations scale their digital operations, maintaining DNS hygiene must be prioritized to prevent costly breaches.
