Agencies warn of ‘fast flux’ cyber threat

For IT pros and hosting providers, it’s time to whack some moles.

It sounds like another Vin Diesel movie, but that’s not why agencies around the world are warning of a new “fast flux” threat.

A joint advisory from six cybersecurity agencies, including the NSA, CISA, and the Canadian Centre for Cyber Security (CCCS), urged security teams and ISPs to collaborate against a dodgy tactic that keeps dodging detection.

If the Domain Name System (DNS) is the internet’s phonebook, translating dot-com domains into the numbered IP addresses that computers understand, think of “fast flux” as a way for threat actors to call home from different numbers.

Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to rapidly rotate the IP addresses a domain resolves to and “obfuscate the locations of malicious servers,” the advisory began.

“This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection,” CISA wrote in its April 3 advisory.

How it works. Some malware calls back to a domain (“ransomware dot com,” let’s say), resolving it through DNS and signaling a successful compromise to the command-and-control, or C2, server behind it. Security teams monitoring network traffic can block that server’s IP address or domain once they notice infected hosts calling back to it.

Fast flux, however, offers a moving-target challenge for IT pros, John Paul Cunningham, chief information security officer at identity-security company Silverfort, said.

“How can you block an IP that’s constantly rotating or changing? You can’t,” he told us.

In a “single flux” attack, according to the cross-agency memo, one domain is linked to numerous IP addresses, rotated as frequently as “every 5 minutes.” “This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses,” the report said.

What’s all the fluss about? Security researchers who spoke with IT Brew could only guess why the agencies would warn of a decades-old cyber tactic used by ransomware groups like Nefilim and Hive (reportedly disrupted in 2022 after amassing over $100 million in ransomware payments).

Nick Hyatt, senior threat intelligence analyst at cybersecurity advisory GuidePoint Security, believes the warning coincides with an expansion of cybercriminal operations: threat actors moving on from specific targeting to “larger swathes of victims,” which requires a larger infrastructure.

“One thing that does trend within cybersecurity is that everything old is new again. This is an established technique that works and then can be used by these threat actors to mask that infrastructure,” he said.

The joint advisory called out a category of providers known as bulletproof hosters who “promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities.”

While the joint advisory offered additional recommendations, such as blocking known-bad addresses and running anomaly detection over DNS query logs to spot domains whose IP addresses change unusually often, Hyatt sees a problem that the IT pro alone cannot solve.
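To make the single-flux pattern and the advisory’s “anomaly detection over DNS query logs” recommendation concrete, here is an added example (not code from the advisory, the agencies, or IT Brew) that profiles resolver log lines per domain and flags names that resolve to many addresses across several subnets with short TTLs. The log format, the sample records, and the thresholds are assumptions chosen for illustration; real resolver or passive-DNS exports will differ in layout, and the thresholds should be tuned against a baseline of your own traffic.

```python
"""Heuristic fast-flux detection over constructed DNS resolver logs (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<iso-timestamp> <qname> <rtype> <rdata> <ttl>".
# updates.example.org rotates every 5 minutes across three /24s (single-flux behaviour),
# cdn.example.net rotates within one /24 (typical CDN/load-balancer behaviour),
# intranet.example.com is static with a long TTL.
SAMPLE_LOG = """\
2025-04-03T10:00:00 updates.example.org A 203.0.113.10 300
2025-04-03T10:05:00 updates.example.org A 198.51.100.77 300
2025-04-03T10:10:00 updates.example.org A 192.0.2.45 300
2025-04-03T10:15:00 updates.example.org A 203.0.113.201 300
2025-04-03T10:20:00 updates.example.org A 198.51.100.9 300
2025-04-03T10:25:00 updates.example.org A 192.0.2.130 300
2025-04-03T10:00:00 cdn.example.net A 192.0.2.10 60
2025-04-03T10:05:00 cdn.example.net A 192.0.2.11 60
2025-04-03T10:10:00 cdn.example.net A 192.0.2.12 60
2025-04-03T10:15:00 cdn.example.net A 192.0.2.10 60
2025-04-03T10:00:00 intranet.example.com A 10.0.0.5 86400
2025-04-03T10:10:00 intranet.example.com A 10.0.0.5 86400
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, qname, ip, ttl) tuples, A records only."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, rdata, ttl = line.split()
        if rtype != "A":
            continue  # AAAA/CNAME handling is out of scope for this example
        records.append((datetime.fromisoformat(ts), qname.lower().rstrip("."),
                        ipaddress.ip_address(rdata), int(ttl)))
    return records


def profile_domains(records, window=timedelta(hours=1)):
    """Per domain, summarise answers observed in the window ending at its last observation."""
    by_domain = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_domain[qname].append((ts, ip, ttl))
    profiles = {}
    for qname, obs in by_domain.items():
        obs.sort()
        end = obs[-1][0]
        recent = [o for o in obs if o[0] >= end - window]
        ips = {ip for _, ip, _ in recent}
        # /24 diversity separates "many hosts, one provider" from "many hosts, many networks";
        # a production version would enrich with ASN/geo data instead of a fixed prefix length.
        subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        changes = sum(1 for a, b in zip(recent, recent[1:]) if a[1] != b[1])
        profiles[qname] = {
            "answers": len(recent),
            "distinct_ips": len(ips),
            "distinct_subnets": len(subnets),
            "min_ttl": min(ttl for _, _, ttl in recent),
            "ip_changes": changes,
        }
    return profiles


def is_fast_flux_candidate(profile, min_ips=5, min_subnets=3, max_ttl=300):
    """Assumed thresholds: many addresses, spread over several networks, with a short TTL."""
    return (profile["distinct_ips"] >= min_ips
            and profile["distinct_subnets"] >= min_subnets
            and profile["min_ttl"] <= max_ttl)


def flag_fast_flux(log_text, **thresholds):
    """Return the sorted list of domains in the log that match the fast-flux heuristic."""
    profiles = profile_domains(parse_log(log_text))
    return sorted(q for q, p in profiles.items() if is_fast_flux_candidate(p, **thresholds))


if __name__ == "__main__":
    for name, p in profile_domains(parse_log(SAMPLE_LOG)).items():
        print(name, p)
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_LOG))
```

The subnet-diversity check is what keeps the CDN-style domain out of the result: it also rotates addresses on a short TTL, which is exactly why a rule that looks only at “many IPs, low TTL” produces false positives on legitimate infrastructure. In practice you would feed matches into an allowlist review before blocking, since the same behaviour is normal for content delivery and load-balanced services.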

“It’s something that really has to be solved at the provider level, rather than something that just an end user in an organization can do,” Hyatt said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.