Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have recently published a joint advisory regarding the risks associated with the fast flux technique, which threat actors have adopted to obscure command-and-control (C2) channels.
According to the agencies, the fast flux technique involves rapidly changing Domain Name System (DNS) records associated with a single domain name to obfuscate the locations of malicious servers. This approach exploits a common gap in network defenses, making it challenging to track and block malicious fast flux activities.
The advisory was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre.
Fast flux has been increasingly used by various hacking groups, including those linked to Gamaredon, CryptoChameleon, and Raspberry Robin, to evade detection and law enforcement takedowns. The technique places many IP addresses behind a single malicious domain and rotates through them rapidly, so that any one address is only briefly associated with the domain.
There are two types of fast flux: single flux, where a single domain name is linked to multiple IP addresses, and double flux, where the DNS name servers responsible for resolving the domain are also changed frequently, providing an additional layer of redundancy and anonymity for rogue domains.
“A fast flux network is characterized by its rapid rotation of bots, using each one for a short time to make IP-based denylisting and takedown efforts challenging,” explained Palo Alto Networks Unit 42 in a 2021 report.
The agencies describe fast flux as a national security threat, as it allows threat actors to obfuscate the locations of malicious servers and establish resilient C2 infrastructure that can withstand takedown efforts.
Beyond C2 communications, fast flux also plays a crucial role in hosting phishing websites and staging and distributing malware.
To protect against fast flux, organizations are advised to block IP addresses, sinkhole malicious domains, filter out traffic to and from domains or IP addresses with poor reputations, implement enhanced monitoring, and enforce phishing awareness and training.
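The "enhanced monitoring" the agencies recommend can be started with the DNS telemetry most organizations already collect. The script below is an added example (not part of the advisory or the article) that applies the single flux and double flux definitions from above to constructed passive-DNS style records: it flags domains whose A records spread across many addresses with short TTLs, and escalates to "double flux" when the domain's NS records churn as well. The log format, the `.test` domain names, the RFC 5737 addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic fast flux triage over passive-DNS style log lines.

Added example; the record format and thresholds below are assumptions,
not something specified by the joint advisory.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, one observed DNS answer per line: "qname rtype rdata ttl".
SAMPLE_LOG = """\
updates.example.test A 203.0.113.10 60
updates.example.test A 203.0.113.55 60
updates.example.test A 198.51.100.7 60
updates.example.test A 198.51.100.90 60
updates.example.test A 192.0.2.23 60
updates.example.test A 192.0.2.101 60
updates.example.test NS ns1.example.test 300
cdn.example.test A 203.0.113.200 60
cdn.example.test A 203.0.113.201 60
cdn.example.test NS ns1.cdn.example.test 86400
login.example.test A 198.51.100.33 120
login.example.test A 198.51.100.34 120
login.example.test A 192.0.2.5 120
login.example.test A 192.0.2.6 120
login.example.test A 203.0.113.77 120
login.example.test NS ns1.example.test 60
login.example.test NS ns2.example.test 60
login.example.test NS ns3.example.test 60
login.example.test NS ns4.example.test 60
"""

# Assumed thresholds; tune them to the environment and corroborate hits
# with reputation data before blocking anything.
MIN_DISTINCT_IPS = 5   # single flux: many A records behind one name
MAX_TTL = 300          # short TTLs force clients to re-resolve often
MIN_DISTINCT_NS = 3    # double flux: the name servers rotate as well


@dataclass
class DomainStats:
    """Everything observed for one domain name."""
    ips: set = field(default_factory=set)
    a_ttls: list = field(default_factory=list)
    nameservers: set = field(default_factory=set)
    ns_ttls: list = field(default_factory=list)


def parse_records(log_text: str) -> dict:
    """Group A and NS answers by query name; other record types are ignored."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname, rtype, rdata, ttl = line.split()
        entry = stats[qname.lower()]
        if rtype == "A":
            entry.ips.add(rdata)
            entry.a_ttls.append(int(ttl))
        elif rtype == "NS":
            entry.nameservers.add(rdata.lower())
            entry.ns_ttls.append(int(ttl))
    return dict(stats)


def network_spread(ips: set) -> int:
    """Distinct /24 prefixes; flux networks spread across unrelated hosts."""
    return len({ip.rsplit(".", 1)[0] for ip in ips})


def classify(entry: DomainStats) -> str:
    """Return 'none', 'single flux' or 'double flux' for one domain."""
    many_ips = len(entry.ips) >= MIN_DISTINCT_IPS
    short_a_ttl = bool(entry.a_ttls) and min(entry.a_ttls) <= MAX_TTL
    if not (many_ips and short_a_ttl):
        return "none"
    ns_churn = (len(entry.nameservers) >= MIN_DISTINCT_NS
                and bool(entry.ns_ttls) and min(entry.ns_ttls) <= MAX_TTL)
    return "double flux" if ns_churn else "single flux"


def detect_fast_flux(log_text: str) -> dict:
    """Map each domain in the log to its fast flux classification."""
    return {name: classify(entry) for name, entry in parse_records(log_text).items()}


if __name__ == "__main__":
    for name, entry in parse_records(SAMPLE_LOG).items():
        print(f"{name}: {classify(entry)} "
              f"({len(entry.ips)} IPs across {network_spread(entry.ips)} /24s, "
              f"{len(entry.nameservers)} NS)")
```

On the sample data `updates.example.test` is flagged as single flux, `login.example.test` as double flux, and `cdn.example.test` as benign. Content delivery networks and load balancers also answer with many addresses and short TTLs, so a hit from this heuristic is a triage signal to be checked against domain age and reputation feeds, in line with the advisory's recommendation to filter on reputation rather than on address count alone.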
“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity,” the agencies warned. “By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.”