International intelligence agencies raise the alarm on fast flux – CyberScoop

International intelligence and cybersecurity agencies jointly issued a warning Thursday about “fast flux,” an advanced technique used by cybercriminals and state-sponsored actors to evade detection and maintain resilient command and control infrastructure.
Fast flux involves rapidly swapping out the IP addresses linked to a particular domain. Because each address is tied to the domain only briefly, the malicious activity is hard for defensive measures to pin down. The domain names associated with these ever-changing IP addresses act as proxies, supporting a wide array of cybercriminal activities.
The advisory was issued by the NSA along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ).
“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said NSA Cybersecurity Director Dave Luber.
The sheer number of IP addresses used in fast flux operations makes it a formidable challenge for cybersecurity professionals. Often reaching into the hundreds of thousands, these IP addresses are connected to a DNS record for minutes before being swapped out for another. This rapid turnover creates a scenario akin to searching for needles in a constantly shifting haystack, where both human observers and automated systems struggle to keep up with the changes.
Furthermore, malicious actors make detection harder by using legitimate cloud service providers as a front for their operations. By blending malicious traffic with legitimate-looking traffic, these actors make it exceedingly tough for defenders to distinguish harmful activity from benign activity.
While the speed and sophistication of fast flux tactics make real-time interception nearly impossible, certain behavioral indicators can serve as warnings of malicious intent. These include the bulk procurement of domain names, the use of fake registration details for nameservers, and the rapid alteration of IP addresses associated with these domains.
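A defender-side illustration of the "rapid alteration of IP addresses" indicator, added here as an example that is not drawn from the advisory or from CyberScoop: it scores domains from passive-DNS style records by the peak number of distinct IPs seen in a sliding window, their network spread, and the lowest TTL. The /16 prefix used as a stand-in for ASN diversity, the record layout, the domains, the addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records (timestamp, domain, A record, TTL seconds).
# Domains use .test and addresses are documentation ranges; none are real indicators.
SAMPLE_RECORDS = [
    ("2025-04-03T10:00:00", "flux-cdn.test", "203.0.113.10", 60),
    ("2025-04-03T10:02:00", "flux-cdn.test", "198.51.100.22", 60),
    ("2025-04-03T10:04:00", "flux-cdn.test", "192.0.2.77", 30),
    ("2025-04-03T10:06:00", "flux-cdn.test", "203.0.113.201", 60),
    ("2025-04-03T10:08:00", "flux-cdn.test", "198.51.100.140", 60),
    ("2025-04-03T10:10:00", "flux-cdn.test", "192.0.2.5", 30),
    ("2025-04-03T10:00:00", "static-site.test", "203.0.113.50", 3600),
    ("2025-04-03T10:30:00", "static-site.test", "203.0.113.50", 3600),
    ("2025-04-03T11:00:00", "static-site.test", "203.0.113.50", 3600),
    # A legitimate CDN also rotates addresses, but within a narrow set of networks.
    ("2025-04-03T10:00:00", "cdn-like.test", "203.0.113.60", 300),
    ("2025-04-03T10:05:00", "cdn-like.test", "203.0.113.61", 300),
    ("2025-04-03T10:10:00", "cdn-like.test", "203.0.113.62", 300),
]

def prefix16(ip):
    """Coarse /16 prefix as a stand-in for network diversity (assumption: ASN data is unavailable)."""
    return ".".join(ip.split(".")[:2])

def domain_stats(records, window=timedelta(hours=1)):
    """Per domain: peak distinct IPs and /16 prefixes in any sliding window, plus the lowest TTL."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip, ttl))
    stats = {}
    for domain, rows in by_domain.items():
        rows.sort()
        peak_ips = peak_prefixes = 0
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            peak_ips = max(peak_ips, len({r[1] for r in in_window}))
            peak_prefixes = max(peak_prefixes, len({prefix16(r[1]) for r in in_window}))
        stats[domain] = {"peak_ips": peak_ips, "peak_prefixes": peak_prefixes,
                         "min_ttl": min(r[2] for r in rows)}
    return stats

def flag_fast_flux(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag domains combining many distinct IPs, spread over several networks, with short TTLs."""
    return sorted(d for d, s in domain_stats(records).items()
                  if s["peak_ips"] >= min_ips and s["peak_prefixes"] >= min_prefixes
                  and s["min_ttl"] <= max_ttl)

if __name__ == "__main__":
    for domain, s in domain_stats(SAMPLE_RECORDS).items():
        print(domain, s)
    print("flagged:", flag_fast_flux(SAMPLE_RECORDS))  # flagged: ['flux-cdn.test']
```

The three conditions are combined deliberately: address rotation alone also describes content delivery networks, so the network spread and TTL checks are what separate the two on real data.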
Intelligence agencies have observed fast flux being used across multiple threat vectors. Bulletproof hosting services, which disregard law enforcement requests and abuse notices, often offer fast flux as a service differentiator to help clients evade blocking.
The technique has been documented in ransomware attacks, including those by Hive and Nefilim. Nation-state actors such as Gamaredon have employed fast flux to limit the effectiveness of IP blocking during their operations.
The advisory calls on protective DNS (PDNS) providers to implement a multi-layered detection and mitigation approach to close gaps in network defenses.
“Service providers, especially Protective DNS providers, should track, share information about, and block fast flux as part of their provided cybersecurity services,” an advisory from CISA reads. “Government and critical infrastructure organizations should close this ongoing gap in network defenses by using cybersecurity and PDNS services that block malicious fast flux activity.”
You can read the full advisory here.