
Cybersecurity agencies from Australia, Canada, New Zealand and the United States have published a joint advisory on the risks associated with a technique called fast flux, which has been adopted by threat actors to obscure command-and-control (C2) channels.
“‘Fast flux’ is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) records associated with a single domain name,” the agencies said. “This threat exploits a gap commonly found in network defenses, making tracking and blocking of malicious fast flux activities difficult.”
The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security and New Zealand’s National Cyber Security Centre.
In recent years, fast flux has been embraced by several hacking groups, including the threat actors associated with Gamaredon, CryptoChameleon and Raspberry Robin, in an attempt to hide their malicious infrastructure and evade law enforcement.
The approach essentially rotates through a variety of IP addresses in rapid succession, all of them pointing to a single malicious domain. It was first observed in the wild in 2007 as part of The Honeynet Project.
It can be either single flux, where a single domain name is associated with multiple IP addresses, or double flux, where in addition to the changing IP addresses, the DNS name servers responsible for resolving the domain also change frequently, offering an additional layer of redundancy and obfuscation to the malicious domains.
“A fast flux network is ‘fast’ because, using DNS, it quickly rotates through many bots, using each one for only a short time to make IP-based denylisting and takedown efforts difficult,” Palo Alto Networks Unit 42 said in a report published in 2021.
Describing fast flux as a national security threat, the agencies said that threat actors are using the technique to obfuscate the locations of malicious servers, as well as to establish resilient C2 infrastructure that can withstand takedown efforts.
That’s not all. Fast flux also plays an important role beyond C2 communications, supporting malware distribution platforms and phishing websites.
To protect against fast flux, organizations are recommended to block IP addresses, sinkhole malicious domains, filter traffic to and from domains or IP addresses with poor reputations, implement enhanced monitoring, and apply phishing awareness and training.
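To make the single-flux versus double-flux distinction above, and the “enhanced monitoring” recommendation, concrete, here is a small defender-side heuristic added to this article (it is not code from the advisory or from any of the agencies). It scores passive-DNS style observations for one domain inside a time window; the sample records, domain names and thresholds are constructed for illustration.

```python
# Constructed sample observations: (domain, record type, value, TTL seconds,
# minute offset at which the answer was seen). All names and IPs are invented.
SAMPLE = [
    ("evil-example.test", "A", "203.0.113.10", 60, 0),
    ("evil-example.test", "A", "198.51.100.7", 60, 5),
    ("evil-example.test", "A", "192.0.2.44", 60, 12),
    ("evil-example.test", "A", "203.0.113.99", 60, 20),
    ("evil-example.test", "A", "198.51.100.200", 60, 31),
    ("evil-example.test", "NS", "ns1.rotating.test", 120, 0),
    ("evil-example.test", "NS", "ns7.rotating.test", 120, 15),
    ("evil-example.test", "NS", "ns3.rotating.test", 120, 30),
    ("cdn-example.test", "A", "192.0.2.1", 3600, 0),
    ("cdn-example.test", "A", "192.0.2.2", 3600, 10),
    ("cdn-example.test", "NS", "ns1.cdn-example.test", 86400, 0),
]

# Assumed thresholds (not from the advisory); tune them on your own resolver logs.
MIN_DISTINCT_IPS = 5   # distinct A records seen for the domain within the window
MAX_A_TTL = 300        # seconds; fast flux A records are deliberately short-lived
MIN_DISTINCT_NS = 3    # distinct authoritative name servers within the window


def classify(observations, domain, window_minutes=60):
    """Return 'double-flux', 'single-flux' or 'none' for one domain.

    Single flux: many short-TTL A records rotate under one name.
    Double flux: the NS records rotate as well, so even the resolving
    infrastructure keeps moving.
    """
    ips, name_servers, a_ttls = set(), set(), []
    for dom, rtype, value, ttl, minute in observations:
        if dom != domain or minute >= window_minutes:
            continue
        if rtype == "A":
            ips.add(value)
            a_ttls.append(ttl)
        elif rtype == "NS":
            name_servers.add(value)
    # No A records at all cannot be flux; otherwise require both volume and low TTL.
    short_lived = bool(a_ttls) and min(a_ttls) <= MAX_A_TTL
    if len(ips) < MIN_DISTINCT_IPS or not short_lived:
        return "none"
    return "double-flux" if len(name_servers) >= MIN_DISTINCT_NS else "single-flux"
```

CDNs and load balancers also answer with short TTLs and many addresses, so in practice a hit from this heuristic should be corroborated with the address diversity across networks and the domain’s age and reputation before blocking.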
“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity,” the agencies said. “By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.”