Cybersecurity agencies, both in the US and internationally, have raised concerns about the ongoing threat of Fast Flux-enabled malicious activity. The warning, issued through a joint cybersecurity advisory on April 3, highlights the vulnerability of many networks to the use of Fast Flux techniques by malicious actors. These techniques rapidly change Domain Name System (DNS) records, such as the IP addresses a domain resolves to, in order to obfuscate the locations of malicious servers and create resilient command and control infrastructure.
The advisory emphasizes the significant threat that Fast Flux poses to national security, as it can make tracking and blocking malicious activities more difficult due to its fast-changing nature. Organizations, Internet service providers, and cybersecurity service providers are being urged to take proactive steps to detect and block Fast Flux. Specifically, Protective DNS (PDNS) providers are encouraged to develop accurate detection analytics and blocking capabilities to mitigate this threat.
Government and critical infrastructure organizations are advised to work with their ISPs, cybersecurity service providers, and PDNS services to implement mitigation measures. It is crucial for organizations to use cybersecurity and PDNS services that can detect and block Fast Flux, as some providers may lack this capability. By implementing robust detection and mitigation strategies, organizations can reduce their risk of compromise by Fast Flux-enabled threats.
The advisory also points out that Fast Flux has been used in recent ransomware attacks, such as Hive and Nefilim, as well as by Russian APT Gamaredon to evade IP blocking. There are two common variants of Fast Flux – single and double flux. Single flux involves linking a single domain name to multiple IP addresses that are rotated frequently, while double flux adds an additional layer of redundancy by rapidly changing the DNS name servers responsible for resolving the domain.
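The single- and double-flux variants described above leave distinct fingerprints in DNS data, which is what the detection analytics the advisory asks PDNS providers to build would key on. The following is an added example, not code from the advisory or any of the issuing agencies: it scores constructed passive-DNS observations (timestamp, name, record type, value, TTL) per domain and labels each as `none`, `single-flux` or `double-flux`. The thresholds, the use of distinct /16 prefixes as a crude proxy for hosting diversity, and all domain names and addresses are assumptions constructed for illustration; a production analytic would use ASN data and tuned baselines instead.

```python
"""Heuristic single/double fast-flux scoring over passive-DNS observations.

Added example with constructed data. Thresholds are illustrative assumptions,
not values from the joint advisory.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Illustrative thresholds (assumptions for this example).
MIN_DISTINCT_IPS = 5        # many addresses behind a single name
MIN_DISTINCT_PREFIXES = 3   # spread across unrelated networks (/16 used as a proxy for ASN)
MAX_TTL_SECONDS = 300       # short TTLs force clients to re-resolve constantly
MIN_DISTINCT_NS = 3         # rotating authoritative name servers (double flux)

# Constructed passive-DNS observations: (epoch seconds, qname, rrtype, rdata, ttl).
# Addresses are RFC 5737 documentation ranges or RFC 1918 space; names use
# reserved TLDs. None of this is real infrastructure.
SAMPLE_OBSERVATIONS = [
    # Benign static site: one address, long TTL, stable name servers.
    (1_700_000_000, "static.example.com", "A", "198.51.100.10", 3600),
    (1_700_003_600, "static.example.com", "A", "198.51.100.10", 3600),
    (1_700_000_000, "static.example.com", "NS", "ns1.example.com", 86400),
    # Benign CDN-like site: many addresses and short TTL, but all in one /16
    # and with stable name servers. Looks flux-like on IP count alone.
    (1_700_000_000, "cdn.example.net", "A", "203.0.113.11", 60),
    (1_700_000_060, "cdn.example.net", "A", "203.0.113.12", 60),
    (1_700_000_120, "cdn.example.net", "A", "203.0.113.13", 60),
    (1_700_000_180, "cdn.example.net", "A", "203.0.113.14", 60),
    (1_700_000_240, "cdn.example.net", "A", "203.0.113.15", 60),
    (1_700_000_300, "cdn.example.net", "A", "203.0.113.16", 60),
    (1_700_000_000, "cdn.example.net", "NS", "ns1.example.net", 86400),
    (1_700_000_000, "cdn.example.net", "NS", "ns2.example.net", 86400),
    # Single flux: one name, addresses scattered across unrelated networks,
    # short TTL, but the authoritative name servers stay fixed.
    (1_700_000_000, "update.single-flux.invalid", "A", "10.1.0.5", 120),
    (1_700_000_120, "update.single-flux.invalid", "A", "10.20.3.7", 120),
    (1_700_000_240, "update.single-flux.invalid", "A", "10.33.9.1", 120),
    (1_700_000_360, "update.single-flux.invalid", "A", "10.47.2.8", 120),
    (1_700_000_480, "update.single-flux.invalid", "A", "10.58.6.6", 120),
    (1_700_000_600, "update.single-flux.invalid", "A", "10.99.4.4", 120),
    (1_700_000_000, "update.single-flux.invalid", "NS", "ns1.single-flux.invalid", 86400),
    (1_700_000_000, "update.single-flux.invalid", "NS", "ns2.single-flux.invalid", 86400),
    # Double flux: the same A-record churn plus rotating, short-TTL NS records.
    (1_700_000_000, "login.double-flux.invalid", "A", "10.5.1.9", 60),
    (1_700_000_060, "login.double-flux.invalid", "A", "10.66.7.2", 60),
    (1_700_000_120, "login.double-flux.invalid", "A", "10.120.3.3", 60),
    (1_700_000_180, "login.double-flux.invalid", "A", "10.201.8.8", 60),
    (1_700_000_240, "login.double-flux.invalid", "A", "10.250.2.1", 60),
    (1_700_000_000, "login.double-flux.invalid", "NS", "ns-a.double-flux.invalid", 120),
    (1_700_000_120, "login.double-flux.invalid", "NS", "ns-b.double-flux.invalid", 120),
    (1_700_000_240, "login.double-flux.invalid", "NS", "ns-c.double-flux.invalid", 120),
    (1_700_000_360, "login.double-flux.invalid", "NS", "ns-d.double-flux.invalid", 120),
]


@dataclass
class DomainProfile:
    """Aggregated features for one domain over the observation window."""
    a_records: set = field(default_factory=set)
    ns_records: set = field(default_factory=set)
    min_a_ttl: int = 10**9
    min_ns_ttl: int = 10**9

    def distinct_prefixes(self):
        # /16 containing each address; stands in for ASN lookup in this example.
        return {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in self.a_records}


def build_profiles(observations):
    """Fold raw observations into one DomainProfile per normalised domain name."""
    profiles = defaultdict(DomainProfile)
    for _ts, qname, rrtype, rdata, ttl in observations:
        profile = profiles[qname.lower().rstrip(".")]
        if rrtype == "A":
            profile.a_records.add(rdata)
            profile.min_a_ttl = min(profile.min_a_ttl, ttl)
        elif rrtype == "NS":
            profile.ns_records.add(rdata.lower().rstrip("."))
            profile.min_ns_ttl = min(profile.min_ns_ttl, ttl)
    return profiles


def classify(profile):
    """Return 'none', 'single-flux' or 'double-flux' for one domain profile."""
    ip_churn = (
        len(profile.a_records) >= MIN_DISTINCT_IPS
        and len(profile.distinct_prefixes()) >= MIN_DISTINCT_PREFIXES
        and profile.min_a_ttl <= MAX_TTL_SECONDS
    )
    if not ip_churn:
        return "none"
    ns_churn = (
        len(profile.ns_records) >= MIN_DISTINCT_NS
        and profile.min_ns_ttl <= MAX_TTL_SECONDS
    )
    return "double-flux" if ns_churn else "single-flux"


def detect_fast_flux(observations):
    """Map each observed domain to its flux classification."""
    return {name: classify(p) for name, p in build_profiles(observations).items()}


if __name__ == "__main__":
    for domain, verdict in sorted(detect_fast_flux(SAMPLE_OBSERVATIONS).items()):
        print(f"{domain:32} {verdict}")
```

The CDN-like entry is there on purpose: counting distinct addresses alone would flag it, so the prefix-diversity check is what separates legitimate load balancing from addresses scattered across compromised hosts in unrelated networks. The double-flux verdict requires the NS records themselves to churn with short TTLs, matching the second layer described above.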
Fast Flux techniques make it challenging for network defenders to identify and block malicious traffic, particularly when compromised hosts are used as proxies or relay points. These techniques are not only used to maintain command and control communications but also play a role in phishing campaigns, and bulletproof hosting providers promote them to increase the effectiveness of malicious activities.
The joint cybersecurity advisory was issued by prominent agencies such as the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ). By following the mitigation strategies outlined in the advisory, organizations can better safeguard their networks against the ongoing threat of Fast Flux-enabled malicious activity.