CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks

Tuesday, April 8, 2025

"'Fast flux' is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) records associated with a single domain name," the agencies said. "This threat exploits a gap commonly found in network defenses, making the tracking and blocking of malicious fast flux activities difficult."


The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate's Australian Cyber Security Centre, Canadian Centre for Cyber Security, and New Zealand's National Cyber Security Centre.

Fast flux has been embraced by many a hacking group in recent years, including threat actors linked to Gamaredon, CryptoChameleon, and Raspberry Robin, in an effort to make their malicious infrastructure evade detection and law enforcement takedowns.

The approach essentially entails using a variety of IP addresses and rotating them in rapid succession, while pointing to one malicious domain. It was first detected in the wild in 2007 as part of the Honeynet Project.

It can take the form of either single flux, where a single domain name is linked to numerous IP addresses, or double flux, where, in addition to changing the IP addresses, the DNS name servers responsible for resolving the domain are also changed frequently, offering an extra layer of redundancy and anonymity for the rogue domains.

"A fast flux network is 'fast' because, using DNS, it quickly rotates through many bots, using each one for only a short time to make IP-based denylisting and takedown efforts difficult," Palo Alto Networks Unit 42 said in a report published in 2021.

Describing fast flux as a national security threat, the agencies said threat actors are using the technique to obfuscate the locations of malicious servers, as well as establish resilient C2 infrastructure that can withstand takedown efforts.

That's not all. Beyond C2 communications, fast flux also helps adversaries host phishing websites and stage and distribute malware.

To secure against fast flux, the agencies recommend that organizations block IP addresses, sinkhole malicious domains, filter out traffic to and from domains or IP addresses with poor reputations, implement enhanced monitoring, and enforce phishing awareness and training.
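As an added illustration of how the single- and double-flux patterns described above, and the "enhanced monitoring" the agencies recommend, can be turned into a detection check over DNS observations (example code written for this article, not from the advisory or any vendor; the domains, addresses and thresholds are constructed):

```python
from ipaddress import ip_network

# Constructed passive-DNS observations for four domains: (domain, rrtype, value, ttl).
# Addresses are RFC 1918 placeholders, not real infrastructure.
SAMPLE = (
    [("flux.example", "A", f"10.{i}.0.7", 60) for i in range(12)]            # many IPs, many /24s
    + [("flux.example", "NS", f"ns{i}.flux.example", 60) for i in range(6)]    # name servers churn too
    + [("sflux.example", "A", f"10.{i}.5.9", 120) for i in range(20, 31)]      # IP churn, stable NS
    + [("sflux.example", "NS", "ns1.sflux.example", 3600)]
    + [("cdn.example", "A", f"10.200.1.{i}", 30) for i in range(12)]           # rotation inside one /24
    + [("cdn.example", "NS", f"ns{i}.cdn.example", 3600) for i in range(2)]
    + [("static.example", "A", "10.9.9.9", 3600), ("static.example", "NS", "ns1.static.example", 3600)]
)

def summarize(records, domain):
    """Aggregate the indicators the advisory points at: IP churn, TTL, NS churn, network spread."""
    ips, nss, ttls = set(), set(), []
    for dom, rrtype, value, ttl in records:
        if dom != domain:
            continue
        ttls.append(ttl)
        if rrtype == "A":
            ips.add(value)
        elif rrtype == "NS":
            nss.add(value)
    # Distinct /24 prefixes separate a bot herd spread across many networks from a CDN
    # that rotates addresses inside one block.
    prefixes = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
    return {"ips": len(ips), "prefixes": len(prefixes), "ns": len(nss),
            "min_ttl": min(ttls) if ttls else None}

def classify(records, domain, min_ips=10, min_prefixes=5, max_ttl=300, min_ns=5):
    """Return 'double flux', 'single flux' or 'none'. Thresholds are illustrative, not from the advisory."""
    s = summarize(records, domain)
    a_flux = (s["ips"] >= min_ips and s["prefixes"] >= min_prefixes
              and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl)
    if a_flux and s["ns"] >= min_ns:
        return "double flux"
    if a_flux:
        return "single flux"
    return "none"

if __name__ == "__main__":
    for d in ("flux.example", "sflux.example", "cdn.example", "static.example"):
        print(d, summarize(SAMPLE, d), classify(SAMPLE, d))
```

In production the same aggregation would run over a passive-DNS feed or resolver logs per domain and time window, with thresholds tuned against known CDN and load-balancer behaviour to keep false positives down.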


"Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity," the agencies said. "By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats."

In a statement shared with The Hacker News, Renee Burton, vice president of threat intel at Infoblox, described fast flux as a "very old" technique, albeit one that requires "significant skill" to run it independently.

"It is easier to use dynamic DNS, which is a common service offering from DNS providers," Burton said. "Once the threat actor is past the hurdle of controlling the DNS, they still need hosting. They can use compromised machines or purchase a lot of hosting. We can only guess as to why this isn't common, but overall, it requires resources and thought from the actors and doesn't provide that much advantage in an attack."

Burton also pointed out that attackers can adopt other techniques to keep their infrastructure alive for extended periods of time. These include the use of traffic distribution systems (TDS) and domain cloaking for malicious advertising purposes. "Attackers using various components of adtech not only can hide their operations, but the bad players in the industry (akin to bulletproof hosters) can argue plausible deniability," Burton said.
