Warning issued over ‘fast flux’ techniques used to obscure malicious signals on compromised networks
Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
Organizations are at risk from a widely used evasion technique that allows threat actors to hide their infrastructure from defenders and spread malware with impunity, a group of cybersecurity and law enforcement agencies has warned.
‘Fast flux’ is a domain-based technique used to hide communications sent by malware to its command and control (C2) infrastructure – the malicious servers that send out updates and new directions to malware on infected devices.
It works by rapidly changing the DNS records for the C2 domain, so that the same domain name resolves to a constantly shifting set of IP addresses and no single address can easily be pinned down by the victim’s cybersecurity team. The records are published with very short time-to-live (TTL) values, so resolvers discard them quickly and fetch fresh ones.
Constantly shifting IP addresses also means that even if one is flagged as malicious and blocked, the malware can easily contact the C2 again through any number of other addresses.
To make matters harder for cybersecurity teams, the rotating IP addresses are usually not the attackers’ own servers but infected devices in a botnet, a swarm of compromised machines that act as proxies and relay traffic to the real C2 backend. This further muddies the water when it comes to tracing signals, giving the hackers behind the C2 an extra layer of anonymity.
A more intensive method known as ‘double flux’ sees threat actors also rapidly swap out the authoritative DNS name servers that hold the records for their malicious domain, adding a second layer of churn as additional protection against being discovered by law enforcement.
Fast flux allows threat groups to cycle out IP addresses as many as several hundred times in a day, severely limiting the capability of security teams to pin down their malicious communications.
‘Fast flux’ techniques are being used to devastating effect
The use of fast flux techniques has been observed in Hive ransomware activity, in the operations of other ransomware groups, and by state-sponsored entities such as the Russian advanced persistent threat (APT) group Aqua Blizzard.
The methods were laid out in an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) alongside the National Security Agency (NSA) and Federal Bureau of Investigation (FBI).
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ) also issued the joint warning.
The agencies noted that fast flux is also used to prevent authorities from taking down social engineering websites and to keep hacking forums online.
Fighting fast flux
To mitigate the threat posed by these techniques, security experts urged all organizations to adopt protective domain name system (PDNS) services, which come with features such as DNS sinkholing.
This allows security teams to intercept and block malicious DNS requests, thereby stemming the flow of attacks and flagging infected devices.
PDNS services also offer advanced monitoring, filtering, and analysis. They are available from a range of providers, as well as free of charge to eligible organizations in the UK via the National Cyber Security Centre (NCSC).
“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said Dave Luber, NSA Cybersecurity Director.
“It is imperative cybersecurity providers, especially Protective DNS providers, follow these guidelines to safeguard critical infrastructure and sensitive information.”
In addition to their advice for all organizations, the combined agencies provided cybersecurity service providers (CSPs) and internet service providers (ISPs) with a number of techniques known to produce good results against fast flux.
These included greater reliance on threat intelligence feeds to flag malicious domains, better use of anomaly detection to spot domains with unusually diverse IP addresses or geolocation data, and the development of algorithms that can match anomalous behavior against fast flux methodology.
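The rotation mechanics described above (many IPs behind one name, short TTLs, spread across unrelated networks, and, for double flux, churning name servers) are exactly what the agencies’ anomaly-detection advice keys on. The following is an added example, written for this page and not code from the advisory or from any PDNS vendor. It scores each domain in a set of passive DNS records on distinct IP count, network diversity (approximated offline by distinct /16 prefixes, standing in for the ASN or geolocation lookups a real service would use) and minimum TTL, then checks NS churn to separate single from double flux. The log lines, domain names, addresses and thresholds are all constructed for the demonstration; the IPs come from documentation and benchmark ranges.

```python
"""Fast-flux heuristic detector over passive DNS records (constructed demo)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed passive-DNS log: "timestamp domain rrtype answer ttl".
# Three domains: a normal host, a CDN-style host that rotates IPs with short
# TTLs but stays inside one network, and a double-flux C2 domain.
SAMPLE_LOG = """\
1712000000 www.example-good.net A 203.0.113.10 3600
1712000300 www.example-good.net A 203.0.113.11 3600
1712000600 www.example-good.net A 203.0.113.10 3600
1712000000 static.cdn-example.com A 203.0.113.20 60
1712000060 static.cdn-example.com A 203.0.113.21 60
1712000120 static.cdn-example.com A 203.0.113.22 60
1712000180 static.cdn-example.com A 203.0.113.23 60
1712000240 static.cdn-example.com A 203.0.113.24 60
1712000300 static.cdn-example.com A 203.0.113.25 60
1712000000 update.bad-example.org A 198.51.100.7 120
1712000150 update.bad-example.org A 192.0.2.44 120
1712000300 update.bad-example.org A 198.18.5.9 60
1712000450 update.bad-example.org A 198.19.77.1 120
1712000600 update.bad-example.org A 100.64.3.21 60
1712000750 update.bad-example.org A 198.51.100.250 120
1712000000 update.bad-example.org NS ns1.flux-example.net 300
1712000400 update.bad-example.org NS ns9.flux-example.net 300
1712000800 update.bad-example.org NS ns3.flux-example.net 300
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)          # distinct A answers
    prefixes: set = field(default_factory=set)     # distinct /16 networks
    nameservers: set = field(default_factory=set)  # distinct NS answers
    min_a_ttl: int = 2**31                         # lowest TTL seen on A records


def parse_log(text: str) -> dict:
    """Aggregate one DomainStats per domain from the whitespace-separated log."""
    stats: dict[str, DomainStats] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, domain, rrtype, answer, ttl = line.split()
        s = stats.setdefault(domain, DomainStats())
        if rrtype == "A":
            s.ips.add(answer)
            net = ipaddress.ip_network(f"{answer}/16", strict=False)
            s.prefixes.add(str(net))
            s.min_a_ttl = min(s.min_a_ttl, int(ttl))
        elif rrtype == "NS":
            s.nameservers.add(answer)
    return stats


def classify(s: DomainStats, min_ips: int = 5, min_prefixes: int = 3,
             max_ttl: int = 300, min_ns: int = 3) -> str:
    """Return 'normal', 'single-flux' or 'double-flux' for one domain.

    All three A-record signals must fire together: many IPs alone is what a
    CDN looks like, and a short TTL alone is common for load-balanced hosts.
    Thresholds are demo values; tune them against your own baseline.
    """
    fluxy = (len(s.ips) >= min_ips
             and len(s.prefixes) >= min_prefixes
             and s.min_a_ttl <= max_ttl)
    if not fluxy:
        return "normal"
    # Rotating authoritative name servers on top of rotating A records
    # is the double-flux pattern.
    return "double-flux" if len(s.nameservers) >= min_ns else "single-flux"


def detect(text: str, **thresholds) -> dict:
    """Map each domain in the log to its classification."""
    return {d: classify(s, **thresholds) for d, s in parse_log(text).items()}


if __name__ == "__main__":
    for domain, verdict in detect(SAMPLE_LOG).items():
        print(f"{domain:28s} {verdict}")
```

The CDN-style domain is the important false-positive case: it rotates six IPs with 60-second TTLs, which looks like fast flux on the first two signals alone, but all of its addresses sit in one network, so the diversity check keeps it out. In production the /16 proxy should be replaced with ASN and country lookups, and verdicts should be corroborated with a threat intelligence feed before a domain is sinkholed.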
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.