{"id":3255,"date":"2025-05-21T02:27:58","date_gmt":"2025-05-21T02:27:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3255"},"modified":"2025-05-21T02:27:58","modified_gmt":"2025-05-21T02:27:58","slug":"poor-dns-hygiene-is-leading-to-domain-hijacking","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3255","title":{"rendered":"Poor DNS hygiene is leading to domain hijacking"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors continue to find ways of hijacking domains thanks to poor DNS record-keeping and misconfigurations by administrators, a hole that CSOs have to plug or risk financial or reputational damage to their organizations.<\/p>\n<p>The latest example of the risk came <a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor\/\" target=\"_blank\" rel=\"noopener\">in a report today from Infoblox<\/a> on a threat actor it calls Hazy Hawk, which it says took over the subdomains of the US Centers for Disease Control and Prevention (CDC) in February and used them to host dozens of URLs that pointed to porn videos. 
This person or gang has been finding gaps in DNS records since at least December 2023, victimizing large universities and international firms.<\/p>\n<p>\u201cHazy Hawk finds gaps in DNS records that are quite challenging to identify,\u201d says the report, \u201cand we believe they must have access to commercial passive DNS services to do so.\u201d<\/p>\n<p>The hijacked domains are used to host large numbers of URLs that send users to sites hosting scams and malware by way of different traffic distribution systems (TDSs), the report says.<\/p>\n<p>The integration of malicious push notifications to fool end users in the attack chain acts as a force multiplier, it adds. These notifications try to convince employees to click on a link to update their anti-virus, turn on their firewall, or contact Microsoft support. The links, of course, download malware or lead to sites demanding payment for support.<\/p>\n<p>\u201cPerhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or \u2018highbrow\u2019 cybercrime,\u201d the report says. \u201cInstead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact. Hazy Hawk is indicative of the lengths scam artists will go to get a portion of the multi-billion-dollar fraud market.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Abandoned site<\/h2>\n<p>In the case of the CDC, Infoblox believes the centre had abandoned an Azure-hosted website or content bucket it was using, but didn\u2019t tell the DNS management admin. That allowed the threat actor to find what experts call the site\u2019s \u201cdangling\u201d DNS record.<\/p>\n<p>The problem involves the complex way DNS records point to an IP address. What\u2019s called an A record maps a website name to one or more IP addresses. 
What\u2019s called a CNAME record maps a name to another name. It\u2019s used when, for example, an organization that starts using \u201cfirm.com\u201d needs to also have \u201cfirmus.com,\u201d or if \u201cfirm.com\u201d buys another company and wants users who type the acquired company\u2019s name into their browser address bar to automatically go to \u201cfirm.com.\u201d But if the resource that subdomain\u2019s CNAME record points to is dropped by the website team without notifying the DNS team, the record is left dangling, and a threat actor who finds it can register the abandoned resource and grab the subdomain.<\/p>\n<p>But, notes Infoblox, finding a dangling CNAME record needs skill, which apparently Hazy Hawk has.<\/p>\n<p>\u201cHazy Hawk and other cloud resource hijacking actors are likely doing significant manual work to validate vulnerable domains due to the various ways each cloud provider handles dropped resources,\u201d says the report.<\/p>\n<p>In addition, Hazy Hawk obfuscates the URLs it takes over to hide which cloud resource was hacked, and often redirects victims to a second domain it controls for hosting malicious content.<\/p>\n<h2 class=\"wp-block-heading\">DNS hijacking comes in many forms<\/h2>\n<p>DNS hijacking comes in many forms. In 2019, <a href=\"https:\/\/www.csoonline.com\/article\/567373\/dns-hijacking-grabs-headlines-but-its-just-the-tip-of-the-iceberg.html\" target=\"_blank\" rel=\"noopener\">CSO interviewed Paul Vixie<\/a>, a DNS system contributor, about the need to strengthen security. We later wrote about the <a href=\"https:\/\/www.csoonline.com\/article\/566127\/dont-abandon-that-domain-name.html\" target=\"_blank\" rel=\"noopener\">problem of abandoned domain names<\/a>. And things haven\u2019t changed a lot since then. 
Most CISOs may be familiar with typosquatting, where \u201cfirm.com\u201d has to compete with \u201cfirm.co.\u201d Threat actors also try to steal DNS admin credentials to take over accounts.<\/p>\n<p>Domain hijacking is relatively easy to do, commented Robert Beggs of Canadian incident response provider DigitalDefence. \u201cThese attacks are rarely noticed by the domain owner until it is too late,\u201d he said in an email to CSO.<\/p>\n<p>\u201cThey succeed due to the shared responsibility of domain name management,\u201d he wrote.\u00a0\u201cDomain name holders (the business), domain registrars, DNS providers, and web hosting companies must ensure that domain names are accurate. In the case of Hazy Hawks, it appears that an automated attack exploited weak or improperly configured CNAME records to permit domain hijacking. Surprisingly, in spite of the breadth of the attack, no one appeared to have noticed that it was happening, indicating that traditional detection systems are not keeping pace with emerging attacks.\u201d<\/p>\n<p>Preventing this type of attack requires the domain users to properly authorize and manage their domains, Beggs said.\u00a0Domain names are a large attack surface distributed across multiple entities with varying degrees of responsibility.\u00a0<\/p>\n<p>\u201cThis is an attack that has been known since at least 2016, highlighting the need for domain owners to have a stronger control on domains that they are responsible for.\u00a0 Presently, domains are generally managed as being either live or expired, and this level of basic control is poorly implemented.\u00a0 New tools are required to have stronger authentication, support long-term management, and provide alerts for changes to domain records,\u201d Beggs said.<\/p>\n<h2 class=\"wp-block-heading\">Problem \u2018getting bigger\u2019<\/h2>\n<p>The problem of dangling CNAME records \u201cis getting bigger and bigger,\u201d Infoblox report co-author Ren\u00e9e Burton, the company\u2019s 
vice-president of threat intelligence, told CSO.<\/p>\n<p>\u201cThis is really hard for security vendors\u201d to fix, she added, \u201cbecause everything along the [DNS] chain is legitimate\u201d once the dangling CNAME record has been captured by a threat actor.<\/p>\n<p>The security market and cloud providers will eventually offer solutions for this problem, she predicted, adding that Azure has already put in some protections against this kind of hijacking.<\/p>\n<p>But, ultimately, CISOs have to have processes for DNS hygiene, Burton said. \u201cIn the end, it comes down to the enterprise straightening out their records and services.\u201d<\/p>\n<p>In its report, Infoblox warns admins that DNS hijacking is common after mergers and acquisitions, when IT and DNS admins may not know all the assets they have.<\/p>\n<p>The researchers also say domain owners can protect themselves against DNS hijacking by making sure their DNS records are well managed \u2013 which can be difficult, they admit, in multi-national organizations where management of projects, domain registration and DNS records may be in separate organizations.<\/p>\n<p>\u201cWe recommend the establishment of processes that trigger a notification to remove a DNS CNAME record whenever a resource is shut down, as well as tracking active resources,\u201d the report says.<\/p>\n<p>As for making sure employees aren\u2019t suckered, Infoblox says staff should be urged to deny push notification requests from websites they don\u2019t know. Unwanted notifications can be turned off in browser settings, the report adds.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors continue to find ways of hijacking domains thanks to poor DNS record-keeping and misconfigurations by administrators, a hole that CSOs have to plug or risk financial or reputational damage to their organizations. 
The latest example of the risk came in a report today from Infoblox on a threat actor it calls Hazy Hawk, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3256,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3255","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3255"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3255"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3255\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3256"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}