Misconfigured DNS entries: URLs from Bose and Co contaminated with malware
Cyber criminals are using URLs of reputable providers on a large scale to spread their malware. One vector here is apparently incorrect DNS configuration.
(Image: janews/Shutterstock.com)
“Check the URL before clicking on the link” is a golden rule for protecting yourself against cyberattacks of various kinds. Unfortunately, it is of only limited help against a new gang called “Hazy Hawk”: the cyber criminals have managed to use numerous subdomains of well-known companies to spread malware and the like. The gateway was apparently incorrectly configured DNS entries, which in many cases had probably simply been forgotten by their rightful owners.
According to a report by IT security company Infoblox, companies affected include Bose, Panasonic, and even the US Centers for Disease Control and Prevention (CDC). According to Infoblox, the discovery of Hazy Hawk was made by IT journalist Brian Krebs. “He alerted us to the fact that the CDC domain cdc[.]gov suddenly contained dozens of URLs linking to porn videos,” the authors write. These were visible in the search engine results and therefore contained references to the CDC in the search metadata. The pages therefore appear in search results as if they really came from the authority. The criminals are also trying to spread other things, such as fake antivirus software, via their victims' subdomains.
Targeting “dangling entries”
Instead of relying on brute force or phishing to gain control of its victims' networks, Hazy Hawk appears to be exploiting old, unused cloud resources associated with misconfigured DNS CNAME records, also known as “dangling” records.
They occur when an organization decommissions its capacity on cloud services such as Azure or AWS, but fails to update or delete the DNS record that points to it. These entries are often simply forgotten by the owners – but they become dangerous targets that cyber criminals can use to spread their malicious content. What is particularly dangerous about this scam is that many common security systems do not even point out such misconfigurations.
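The check below is an added example (not code from Infoblox or from the article) that shows what an audit for the “dangling CNAME” situation described above looks like: parse a zone export, and for every CNAME ask whether its target still resolves. A target that no longer exists (NXDOMAIN) while the CNAME still points at it is exactly the forgotten entry the article describes. The zone file and the resolver answer table are constructed for the example; `live_resolve` shows how the same function would be wired to a real resolver, and the cloud suffix list is an illustrative assumption, not an exhaustive catalogue.

```python
"""Audit a DNS zone for CNAME records whose target no longer resolves.

Added example; the zone and resolver answers are constructed, not real.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed zone export in BIND-style presentation format (not real records).
SAMPLE_ZONE = """
; constructed sample zone
www.example.com.        300 IN CNAME example-prod.azurewebsites.net.
old-promo.example.com.  300 IN CNAME promo-2019.cloudapp.net.
blog.example.com.       300 IN CNAME blog-host.example.net.
api.example.com.        300 IN A     203.0.113.10
"""

# Constructed answer table standing in for the live resolver.
# A name missing from this table is treated as NXDOMAIN.
MOCK_ANSWERS = {
    "example-prod.azurewebsites.net.": ["203.0.113.20"],
    "blog-host.example.net.": ["203.0.113.30"],
    # "promo-2019.cloudapp.net." is deliberately absent: the cloud resource
    # behind it was decommissioned but the CNAME was left in place.
}

# Illustrative list of suffixes under which cloud providers hand out
# customer-chosen hostnames (assumption for the example, not complete).
CLOUD_SUFFIXES = (
    ".azurewebsites.net.",
    ".cloudapp.net.",
    ".cloudapp.azure.com.",
    ".amazonaws.com.",
    ".elasticbeanstalk.com.",
)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str


def parse_zone(text: str) -> List[Record]:
    """Parse 'name ttl class type rdata' lines; skips blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = parts[:5]
        records.append(Record(name.lower(), rtype.upper(), rdata.lower()))
    return records


def mock_resolve(name: str) -> Optional[List[str]]:
    """Resolver stub over the constructed answer table (None = NXDOMAIN)."""
    return MOCK_ANSWERS.get(name.lower())


def live_resolve(name: str) -> Optional[List[str]]:
    """Resolve with the system resolver; returns None when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name.rstrip("."), None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def is_cloud_target(target: str) -> bool:
    """True if the CNAME target lives under one of the listed cloud suffixes."""
    return any(target.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def find_dangling_cnames(
    records: List[Record],
    resolve: Callable[[str], Optional[List[str]]] = mock_resolve,
) -> List[Tuple[str, str, bool]]:
    """Return (owner name, unresolvable target, target is cloud-hosted) for each
    CNAME whose target gets no answer. A dangling record pointing into a cloud
    provider's namespace is the case worth escalating first."""
    findings = []
    for record in records:
        if record.rtype != "CNAME":
            continue
        if resolve(record.rdata) is None:
            findings.append((record.name, record.rdata, is_cloud_target(record.rdata)))
    return findings


if __name__ == "__main__":
    for owner, target, cloud in find_dangling_cnames(parse_zone(SAMPLE_ZONE)):
        flag = "cloud-hosted target, check for takeover" if cloud else "target gone"
        print(f"{owner} -> {target}: {flag}")
```

For a real zone, pass `resolve=live_resolve` (or a dedicated resolver library) and run the audit on a schedule; the NXDOMAIN test is a heuristic, since, as the article notes, each cloud provider treats missing resources differently and some keep a name answering even after the resource behind it is gone. The list of CNAMEs pointing into provider namespaces is still the right starting point for removing entries nobody owns any more.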
Redirection to a network of fraudulent sites
The Hazy Hawk actors went even further: from the hijacked subdomains, they often automatically redirect visitors to malicious websites. They used so-called Traffic Distribution Systems (TDS) for this purpose. These are designed to deliver the appropriate scam pages depending on the end device, location, and user behavior. The redirection typically starts from legitimate-looking blogs or developer sites before the odyssey through a network of fraudulent sites begins. If users allow push notifications from such sites, the risk increases even further. So the existing advice applies all the more: untrustworthy sites should not be allowed to send push notifications.
In addition, users should be wary of tempting emails with discount offers etc. – even if they refer to reputable domains – if the offer actually looks too good to be genuine.
“DNS hygiene” required
Organizations should pay more attention to “DNS hygiene” and urgently deal with outdated DNS entries. As DNS is not yet widely understood as a vector for cyberattacks, this method often goes unrecognized for a long time.
According to Infoblox, identifying abandoned cloud resources is much more difficult than identifying unregistered domains, for example. Every cloud provider handles missing resources differently. Some large cloud providers such as Azure have even implemented special mechanisms to prevent hijacking, even where a “dangling record” exists. Meanwhile, according to the authors, Hazy Hawk uses URLs that are particularly difficult to find, which is why they assume that the gang has extensive access to the corresponding DNS data.
(nen)