
Misconfigured DNS, Neglected Cloud Assets Harnessed in Hazy Hawk Domain Hijacking Attacks

Hazy Hawk deploys bogus apps and browser notifications with malicious obfuscated links.


The threat operator Hazy Hawk has been exploiting DNS misconfigurations and deserted cloud resources to take over domains, including that of University College London, since December 2023.

According to Infoblox research published by Hackread, the Center for Disease Control, the state of Alabama, the Australian Department of Health, and the University of California at Berkeley have reportedly been affected.

Hazy Hawk discovers neglected Amazon AWS S3 buckets, Azure endpoints, and other neglected cloud assets via dangling DNS CNAME records, then registers them for malicious URL hosting. It then deploys bogus apps and browser notifications with malicious obfuscated links. These prompt several site redirections before proceeding to a page that leads to various scams.

Such schemes have been primarily underpinned by push notifications, researchers added. 
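Defenders can audit their own zones for the dangling CNAME records described above. The following is an added example, not code from Infoblox or the original article: it compares the CNAME targets in a zone export against an inventory of cloud hostnames the organization still owns. The `example.org` origin, the zone data, the suffix list, and the inventory are all constructed assumptions.

```python
# Added example: flag CNAMEs that point at cloud hostnames the organization
# no longer owns. All names and data below are constructed for illustration.

# Assumed, non-exhaustive list of cloud hosting suffixes worth auditing.
CLOUD_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net",
                  ".cloudapp.azure.com", ".blob.core.windows.net")

def absolute(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()

def parse_cnames(zone_text, origin):
    """Return (owner, target) pairs for every CNAME record in the export."""
    origin = origin.rstrip(".").lower()
    pairs = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop trailing comments
        types = [f.upper() for f in fields]
        if "CNAME" not in types:
            continue
        i = types.index("CNAME")
        if i == 0 or i + 1 >= len(fields):
            continue                              # malformed record line
        pairs.append((absolute(fields[0], origin),
                      absolute(fields[i + 1], origin)))
    return pairs

def find_dangling(zone_text, origin, owned_hosts):
    """CNAMEs whose cloud target is missing from the owned-asset inventory."""
    owned = {h.rstrip(".").lower() for h in owned_hosts}
    return [(o, t) for o, t in parse_cnames(zone_text, origin)
            if t.endswith(CLOUD_SUFFIXES) and t not in owned]

ZONE = """\
www      3600 IN CNAME  example-web.azurewebsites.net.
assets   3600 IN CNAME  example-assets.s3.amazonaws.com.
promo    3600 IN CNAME  example-promo-2019.s3.amazonaws.com.  ; campaign ended
Events        IN CNAME  Example-Events.AzureWebsites.net.
mail     3600 IN CNAME  mail.partner.example.
blog     3600 IN CNAME  www
"""
OWNED = ["example-web.azurewebsites.net", "example-assets.s3.amazonaws.com"]

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, "example.org.", OWNED):
        print(f"review or remove: {owner} -> {target}")
```

Each flagged record should either be deleted or have its target resource re-provisioned under the organization's control. The comparison uses an inventory rather than a DNS lookup because some cloud hostnames keep resolving after the resource behind them has been deleted.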


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
