Threat actors are employing a technique known as ‘fast flux’ to hide the location of their malicious servers and create resilient infrastructure, cybersecurity agencies in the US and allied countries warn.
Fast flux involves the rapid change of Domain Name System (DNS) records of malicious servers, which prevents tracking. For that, threat actors link a domain name to multiple IP addresses and frequently rotate those in DNS responses.
The setup ensures that a domain remains accessible even if one of the IP addresses associated with it is taken down, thus allowing threat actors to establish persistent command-and-control (C&C) servers, cybersecurity agencies in Australia, Canada, New Zealand, and the US say.
In a joint alert (PDF), the agencies note that fast flux and other dynamic resolution techniques are employed in attacks to evade detection and ensure that malware deployed within victims’ environments can communicate with its C&C servers.
For added redundancy, threat actors may employ the ‘double flux’ technique, which involves rapidly changing both the IP addresses of a domain and the DNS name servers resolving that domain. Both Name Server (NS) and Canonical Name (CNAME) DNS records have been used with double flux.
“Both techniques leverage a large number of compromised hosts, usually as a botnet from across the internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure,” the alert reads.
Threat actors observed employing the fast flux technique include bulletproof hosting services (which host malicious activities, provide anonymity to attackers and disregard law enforcement requests), the Hive and Nefilim ransomware groups, and Russian APT Gamaredon.
In addition to maintaining C&C communication, the fast flux technique is used to prevent the takedown of websites used for phishing, as well as to ensure the availability of cybercriminal forums and marketplaces.
Some bulletproof hosting services, the authoring agencies say, promote fast flux as a service for their clients, enabling a broad range of malicious activities, beyond maintaining C&Cs.
The authoring agencies recommend that internet service providers (ISPs) and cybersecurity service providers leverage threat intelligence to identify domains and IP addresses employing fast flux; check DNS logs, DNS records, and DNS resolutions; identify large-scale communication with multiple IP addresses; develop fast flux detection algorithms; and share information with their customers.
Government and critical infrastructure organizations are advised to coordinate with ISPs, cybersecurity providers, and other protective DNS services to implement DNS and IP blocking and sinkholing, reputational filtering, and enhanced monitoring and logging.
“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats,” the authoring agencies note.
Related: Morphing Meerkat Phishing Kits Target Over 100 Brands
Related: Chinese Hackers Deliver Malware via ISP-Level DNS Poisoning
Related: Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks
Related: Expired Domain Allowed Researcher to Hijack Country’s TLD
