
Cybersecurity agencies in Australia, Canada, New Zealand and the US have released a joint advisory on the risks of a technique called fast flux that is employed by threat actors.
“Fast flux is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) records associated with a single domain name,” the agencies said. “This threat exploits gaps commonly found in network defenses, making it difficult to track and block malicious fast flux activity.”

The advisory is issued by the United States Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre.
Fast flux has been adopted by many hacking groups, including threat actors associated with Gamaredon, CryptoChameleon and Raspberry Robin, in an effort to keep malicious infrastructure hidden from detection and from law enforcement takedowns.
The approach involves using many different IP addresses and rotating through them in quick succession, all pointing to a single malicious domain. It was first detected in the wild in 2007 as part of the Honeynet Project.
In single flux, a single domain name is linked to many IP addresses. In double flux, in addition to changing the IP addresses, the DNS name servers that resolve the domain are also changed frequently, providing an additional layer of redundancy and anonymity for the rogue domain.

“Fast flux networks are ‘fast’ because they use DNS to quickly rotate through many bots, each used for a short time, making IP-based denylisting and takedown efforts difficult.”
The agencies, which describe fast flux as a national security threat, said threat actors have used the technique to establish resilient C2 infrastructure that can obfuscate malicious server locations and withstand takedown efforts.

That’s not all. Fast flux plays a role beyond C2 communication, helping adversaries host phishing websites and stage and distribute malware.
Organizations are recommended to block IP addresses, sinkhole malicious domains, filter traffic to and from domains with poor reputation, enhance monitoring and logging, and implement phishing awareness and training to counter fast flux.
“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity,” the agencies said. “By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.”
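The single-flux and double-flux behaviour described above (many IP addresses behind one name, and in the double case rotating name servers as well) is what the “enhance monitoring” recommendation is meant to catch. The script below is an added illustration of that detection logic, not code from the advisory or the article: it walks a set of DNS observations and flags a domain as single-flux when it resolves to many addresses spread across unrelated /16 prefixes with short TTLs, and as double-flux when its NS set churns too. The record layout, the thresholds, and every domain and address in `SAMPLE_RECORDS` are constructed assumptions; a real deployment would read a passive-DNS feed or resolver logs. The prefix-spread check exists because CDNs also use low TTLs and many addresses, but usually within a few contiguous blocks, so a domain like the `cdn-like.test` sample is not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# One observation per tuple: (query name, record type, value, TTL seconds).
# Constructed sample data; all names and addresses are hypothetical.
SAMPLE_RECORDS = (
    # Double flux: A records across five different /16s, low TTL, rotating NS set.
    ("flux-example.test", "A", "10.1.2.3", 60),
    ("flux-example.test", "A", "10.7.8.9", 60),
    ("flux-example.test", "A", "10.13.4.5", 60),
    ("flux-example.test", "A", "10.22.9.1", 60),
    ("flux-example.test", "A", "10.31.6.7", 60),
    ("flux-example.test", "NS", "ns1.flux-example.test", 60),
    ("flux-example.test", "NS", "ns2.flux-example.test", 60),
    ("flux-example.test", "NS", "ns3.flux-example.test", 60),
    # Single flux: many scattered A records, low TTL, but a stable name server.
    ("single-example.test", "A", "10.2.0.1", 120),
    ("single-example.test", "A", "10.9.0.1", 120),
    ("single-example.test", "A", "10.17.0.1", 120),
    ("single-example.test", "A", "10.25.0.1", 120),
    ("single-example.test", "A", "10.40.0.1", 120),
    ("single-example.test", "NS", "ns1.single-example.test", 3600),
    # CDN-like: low TTL and many addresses, but all inside one /16.
    ("cdn-like.test", "A", "10.50.0.1", 30),
    ("cdn-like.test", "A", "10.50.0.2", 30),
    ("cdn-like.test", "A", "10.50.0.3", 30),
    ("cdn-like.test", "A", "10.50.0.4", 30),
    ("cdn-like.test", "A", "10.50.0.5", 30),
    ("cdn-like.test", "NS", "ns1.cdn-like.test", 3600),
    # Ordinary static host.
    ("static.test", "A", "10.60.1.1", 86400),
    ("static.test", "NS", "ns1.static.test", 86400),
)


@dataclass
class DomainStats:
    """Aggregated DNS observations for one query name."""
    a_records: set = field(default_factory=set)   # distinct IPv4 addresses seen
    prefixes: set = field(default_factory=set)    # distinct /16 prefixes of those addresses
    ns_records: set = field(default_factory=set)  # distinct authoritative name servers seen
    a_ttls: list = field(default_factory=list)    # TTLs attached to the A records


def summarize(records):
    """Group raw observations by query name."""
    stats = defaultdict(DomainStats)
    for name, rtype, value, ttl in records:
        s = stats[name]
        if rtype == "A":
            s.a_records.add(value)
            s.prefixes.add(".".join(value.split(".")[:2]))  # /16 approximation
            s.a_ttls.append(ttl)
        elif rtype == "NS":
            s.ns_records.add(value)
    return stats


def classify(stats, ip_threshold=5, ns_threshold=3, ttl_threshold=300):
    """Label each domain as double-flux, single-flux or benign (assumed thresholds)."""
    verdicts = {}
    for name, s in stats.items():
        low_ttl = bool(s.a_ttls) and max(s.a_ttls) <= ttl_threshold
        many_ips = len(s.a_records) >= ip_threshold
        # Addresses spread over many unrelated prefixes suggest a botnet rather
        # than one hosting provider's block, which is what a CDN would show.
        scattered = len(s.prefixes) >= ip_threshold
        rotating_ns = len(s.ns_records) >= ns_threshold
        if many_ips and low_ttl and scattered and rotating_ns:
            verdicts[name] = "double-flux"
        elif many_ips and low_ttl and scattered:
            verdicts[name] = "single-flux"
        else:
            verdicts[name] = "benign"
    return verdicts


def detect(records, **thresholds):
    """Convenience wrapper: observations in, per-domain verdicts out."""
    return classify(summarize(records), **thresholds)


if __name__ == "__main__":
    for domain, verdict in sorted(detect(SAMPLE_RECORDS).items()):
        print(f"{domain:22} {verdict}")
```

Domains flagged this way are candidates for sinkholing or blocking, but the thresholds need tuning per environment, and known CDN and anycast providers should be allowlisted before any automated action.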