Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel.
“‘Fast flux’ is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) records associated with a single domain name,” the agencies said. “This threat exploits a gap commonly found in network defenses, making the tracking and blocking of malicious fast flux activities difficult.”
The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre.
Fast flux has been embraced by many a hacking group in recent years, including threat actors linked to Gamaredon, CryptoChameleon, and Raspberry Robin in an effort to make their malicious infrastructure evade detection and law enforcement takedowns.
The approach essentially entails using a variety of IP addresses and rotating them in rapid succession, while pointing to one malicious domain. It was first detected in the wild in 2007 as part of the Honeynet Project.
It can be either a single flux, where a single domain name is linked to numerous IP addresses, or double flux, where in addition to changing the IP addresses, the DNS name servers responsible for resolving the domain are also changed frequently, offering an extra layer of redundancy and anonymity for the rogue domains.
“A fast flux network is ‘fast’ because, using DNS, it quickly rotates through many bots, using each one for only a short time to make IP-based denylisting and takedown efforts difficult,” Palo Alto Networks Unit 42 said in a report published in 2021.
Describing fast flux as a national security threat, the agencies said threat actors are using the technique to obfuscate the locations of malicious servers, as well as establish resilient C2 infrastructure that can withstand takedown efforts.
That’s not all. Fast flux plays a vital role beyond C2 communications to also help assist adversaries host phishing websites, as well as stage and distribute malware.
To secure against fast flux, organizations are recommended to block IP addresses, sinkhole malicious domains, filter out traffic to and from domains or IP addresses with poor reputations, implement enhanced monitoring, and enforce phishing awareness and training.
“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity,” the agencies said. “By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.”
