
NSA Warns of Fast Flux DNS Evasion Employed by Cybercrime Outfits


The FBI, the Cybersecurity and Infrastructure Security Agency, and a group of international partners have warned that cyber threat groups are utilising a technique known as "fast flux" to conceal the whereabouts of malicious servers, which poses a substantial threat to national security. 

Authorities have warned that both criminal and state-linked threat outfits have exploited Domain Name System records that change frequently to obscure the locations of these servers. They can also build extremely resilient command and control (C2) infrastructure to mask their malicious activities, particularly when dealing with botnets. 

Security officials also stated that fast flux techniques are utilised not only for C2 communications, but also in phishing attempts to prevent social engineering websites from being blacklisted or taken down. 

Authorities did not directly identify any threat actors currently employing the approach or indicate whether a campaign utilising fast flux is underway. They did, however, make reference to earlier activities, pointing out that fast flux was utilised in ransomware attacks connected to Hive and Nefilim. The advisory further claims that Gamaredon, a threat actor supported by Russia, has concealed threat activity using fast flux. 

According to Andy Piazza, senior director of threat intelligence at Unit 42 of Palo Alto Networks, fast flux is a tactic used by attackers to put a financial burden on security operations teams by making it extremely expensive and challenging to identify ongoing threat activities.

Piazza stated that Trident Ursa employed fast flux during the early stages of Russia's invasion of Ukraine. According to Piazza, fast flux enables an opponent to quickly modify their infrastructure by changing hundreds of domains per minute. 

The advisory notes that there are two variations of the method, known as single flux and double flux. In single flux, many IP addresses are linked to a single domain name and rotated rapidly. Double flux additionally rotates the records for the DNS name servers that resolve the domain, so both the hosts and the name servers keep moving. 

Prevention tips

Authorities recommended a number of actions to recognise and mitigate the activity: 

  • Configure anomaly detection systems for DNS query logs. 
  • Employ threat intelligence feeds to detect known fast flux domains and associated IP addresses. 
  • Increase the logging and monitoring of DNS traffic. 
  • Consider sinkholing a hostile domain.
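The following is an added example, not code from the advisory or this blog, showing what the anomaly-detection tip looks like in practice and how it lines up with the single and double flux definitions above. It scores each domain in a set of resolver log records on three signals the advisory describes: many distinct A records for one name (single flux), churn in the NS records as well (double flux), and short TTLs. The log format, the thresholds, the `known_bad` set standing in for a threat-intelligence feed, and every domain and IP (documentation ranges and the `.test` TLD) are constructed for the example.

```python
"""Score DNS resolution records for fast-flux behaviour (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of resolver log records: timestamp qname rrtype ttl rdata.
# update.example-cdn.test rotates both A and NS records (double flux),
# login-verify.test rotates A records only (single flux),
# www.stable-site.test is an ordinary host with long TTLs.
SAMPLE_LOG = """\
1712000000 update.example-cdn.test A 30 203.0.113.10
1712000030 update.example-cdn.test A 30 203.0.113.55
1712000060 update.example-cdn.test A 30 198.51.100.7
1712000090 update.example-cdn.test A 30 192.0.2.99
1712000120 update.example-cdn.test A 30 198.51.100.200
1712000000 update.example-cdn.test NS 60 ns1.flux-ns.test
1712000060 update.example-cdn.test NS 60 ns7.flux-ns.test
1712000120 update.example-cdn.test NS 60 ns3.flux-ns.test
1712000000 login-verify.test A 60 203.0.113.1
1712000060 login-verify.test A 60 203.0.113.2
1712000120 login-verify.test A 60 203.0.113.3
1712000180 login-verify.test A 60 203.0.113.4
1712000000 login-verify.test NS 3600 ns1.registrar.test
1712000000 www.stable-site.test A 3600 192.0.2.10
1712000600 www.stable-site.test A 3600 192.0.2.10
1712000000 www.stable-site.test NS 86400 ns1.stable-site.test
"""

# Thresholds are assumptions for illustration; tune them against your own baseline.
MIN_DISTINCT_IPS = 4   # distinct A records before a name counts as single flux
MIN_DISTINCT_NS = 2    # distinct NS records before it also counts as double flux
MAX_FLUX_TTL = 300     # seconds; fast flux depends on short TTLs to keep rotating


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    name_servers: set = field(default_factory=set)
    ttls: list = field(default_factory=list)
    first_seen: int = 0
    last_seen: int = 0


def parse_log(text):
    """Aggregate whitespace-separated records into per-domain statistics."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, rrtype, ttl, rdata = line.split()
        ts, ttl = int(ts), int(ttl)
        s = stats[qname.lower().rstrip(".")]
        s.first_seen = ts if s.first_seen == 0 else min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        if rrtype == "A":
            s.ips.add(rdata)
            s.ttls.append(ttl)
        elif rrtype == "NS":
            s.name_servers.add(rdata.lower().rstrip("."))
    return stats


def classify(s):
    """Return 'double flux', 'single flux' or 'normal' for one domain's stats."""
    short_ttl = bool(s.ttls) and max(s.ttls) <= MAX_FLUX_TTL
    single = short_ttl and len(s.ips) >= MIN_DISTINCT_IPS
    if single and len(s.name_servers) >= MIN_DISTINCT_NS:
        return "double flux"
    if single:
        return "single flux"
    return "normal"


def ip_churn_per_hour(s):
    """Distinct IPs observed, normalised to a one-hour window."""
    window = max(s.last_seen - s.first_seen, 1)
    return len(s.ips) * 3600 / window


def detect(text, known_bad=frozenset()):
    """Score every domain in the log; known_bad stands in for a threat-intel feed."""
    findings = {}
    for domain, s in parse_log(text).items():
        verdict = "threat-intel match" if domain in known_bad else classify(s)
        findings[domain] = {
            "verdict": verdict,
            "distinct_ips": len(s.ips),
            "distinct_ns": len(s.name_servers),
            "min_ttl": min(s.ttls) if s.ttls else None,
            "ips_per_hour": round(ip_churn_per_hour(s), 1),
        }
    return findings


if __name__ == "__main__":
    for domain, f in detect(SAMPLE_LOG).items():
        print(f"{domain:26} {f['verdict']:12} ips={f['distinct_ips']} "
              f"ns={f['distinct_ns']} ttl={f['min_ttl']} churn/h={f['ips_per_hour']}")
```

Legitimate CDNs and load balancers also answer with many IPs and short TTLs, so a detector like this produces candidates for review rather than verdicts: combine the score with the threat-intelligence feeds the advisory recommends, allowlist known CDN zones, and treat NS churn as the stronger signal, since ordinary content delivery does not need to move its authoritative name servers every minute.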