A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency has warned.
The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed.
Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant flux complicates the task of isolating the true origin of the infrastructure. It also provides redundancy. By the time defenders block one address or domain, new ones have already been assigned.
A significant threat
“This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection,” the NSA, FBI, and their counterparts from Canada, Australia, and New Zealand warned last week.
“Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations.”
A key means for achieving this is the use of wildcard DNS records. These records define zones within the Domain Name System, which map domains to IP addresses. The wildcards make DNS lookups for subdomains that were never explicitly defined resolve anyway, specifically by tying MX (mail exchange) records, used to designate mail servers, to those subdomains. The result is the assignment of an attacker IP to a subdomain such as malicious.example.com, even though it doesn’t exist.
Fast flux comes in two variations. Single flux creates DNS A records or AAAA records to map a single domain to many IPv4 or IPv6 addresses, respectively.
[Diagram illustrating the single flux structure not reproduced here.]
Double flux provides an additional layer of obfuscation and resiliency by, in addition to changing IP addresses, cycling through the DNS name servers used in domain lookups. Defenders have observed double flux using both Name Server (NS) and Canonical Name (CNAME) DNS records.
[Diagram illustrating the double flux technique not reproduced here.]
“Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure,” Thursday’s advisory explained. Examples of fast flux use in the wild include:
- So-called bulletproof hosting services—which offer hardened Internet hosting services to crime-based groups—that provide fast flux as a means of differentiating themselves from competitors
- Ransomware attacks from groups such as Hive and Nefilim
- Use of the technique by a Kremlin-backed actor known as Gamaredon
The advisory provides several defenses organizations of all sizes should employ to detect and block fast flux networks.
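The single flux and double flux patterns described above leave a measurable footprint in resolver logs or passive-DNS data: one name mapping to many addresses spread across unrelated networks, short TTLs, and (for double flux) a churning set of name servers. The following Python script is an added example, not code from the Ars Technica article or from the advisory; it applies those heuristics to a constructed set of DNS observations. The domain names, IP addresses and numeric thresholds (`ip_threshold`, `prefix_threshold`, `ttl_threshold`, `ns_threshold`) are all assumptions chosen for illustration, not indicators or values taken from the advisory.

```python
"""Heuristic fast-flux detection over resolver-log / passive-DNS observations.

Added example for illustration; thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsObservation:
    """One observed DNS answer: when it was seen, for which name, the record
    type (A, AAAA, NS or CNAME), the returned value and its TTL."""
    seen: datetime
    name: str
    rtype: str
    rdata: str
    ttl: int


def _prefix(addr: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) block so that a few
    addresses inside one hosting range are not mistaken for a flux network."""
    ip = ip_address(addr)
    bits = 24 if ip.version == 4 else 48
    return str(ip_network(f"{addr}/{bits}", strict=False))


def classify(observations, ip_threshold=5, prefix_threshold=3,
             ttl_threshold=300, ns_threshold=3):
    """Return a per-domain report with a verdict of "none", "single-flux" or
    "double-flux". Single flux: many A/AAAA values across many network blocks
    with short TTLs. Double flux: the same plus a churning set of NS records.
    The threshold defaults are illustrative assumptions, not advisory values."""
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)

    report = {}
    for name, recs in by_name.items():
        ips = {r.rdata for r in recs if r.rtype in ("A", "AAAA")}
        prefixes = {_prefix(ip) for ip in ips}
        nameservers = {r.rdata for r in recs if r.rtype == "NS"}
        ttls = [r.ttl for r in recs if r.rtype in ("A", "AAAA")]
        min_ttl = min(ttls) if ttls else None

        churning_ips = (len(ips) >= ip_threshold
                        and len(prefixes) >= prefix_threshold
                        and min_ttl is not None and min_ttl <= ttl_threshold)
        churning_ns = len(nameservers) >= ns_threshold

        if churning_ips and churning_ns:
            verdict = "double-flux"
        elif churning_ips:
            verdict = "single-flux"
        else:
            verdict = "none"

        report[name] = {"verdict": verdict, "ips": len(ips),
                        "prefixes": len(prefixes), "min_ttl": min_ttl,
                        "nameservers": len(nameservers)}
    return report


def build_sample_observations():
    """Constructed sample data (not real indicators): three domains seen over
    one day. Names use reserved TLDs and the IPs are private/documentation
    ranges, so nothing here points at real infrastructure."""
    t0 = datetime(2025, 4, 7, 0, 0)
    obs = []
    # Load-balanced host: short TTL, but all addresses sit in one /24 and the
    # name servers are stable, so it must not be flagged.
    for i in range(4):
        obs.append(DnsObservation(t0 + timedelta(hours=i), "cdn.example.net",
                                  "A", f"198.51.100.{10 + i}", 60))
    for ns in ("ns1.example.net", "ns2.example.net"):
        obs.append(DnsObservation(t0, "cdn.example.net", "NS", ns, 86400))
    # Single flux: eight addresses in eight unrelated blocks, short TTL,
    # stable name servers.
    for i in range(8):
        obs.append(DnsObservation(t0 + timedelta(hours=i),
                                  "update.single-flux.example", "A",
                                  f"10.{20 + i}.0.{7 + i}", 120))
    for ns in ("ns1.single-flux.example", "ns2.single-flux.example"):
        obs.append(DnsObservation(t0, "update.single-flux.example", "NS", ns, 3600))
    # Double flux: addresses churn as above and the NS set churns as well.
    for i in range(8):
        obs.append(DnsObservation(t0 + timedelta(hours=i),
                                  "c2.double-flux.example", "A",
                                  f"10.{40 + i}.1.{3 + i}", 180))
    for i in range(4):
        obs.append(DnsObservation(t0 + timedelta(hours=3 * i),
                                  "c2.double-flux.example", "NS",
                                  f"ns{i}.rotating-{i}.example", 300))
    return obs


if __name__ == "__main__":
    for domain, info in classify(build_sample_observations()).items():
        print(f"{domain:32} {info}")
```

The prefix check is what keeps ordinary CDN or load-balanced names from triggering: those also use short TTLs and several addresses, but the addresses normally share a network block, whereas a botnet-backed flux network is spread across residential and hosting ranges with no relation to each other. In production the same logic would be fed by resolver logs or a passive-DNS feed rather than by the constructed sample, and the thresholds would be tuned against the organization's own baseline.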
Source: NSA warns “fast flux” threatens national security. What is fast flux anyway? - Ars Technica
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122