The domain-hopping technique is being used to obfuscate malicious command and control and hacking activity.
Cyber security agencies from Five Eyes nations released an advisory overnight warning network defenders and service providers about an evasion and obfuscation technique known as “fast flux”.
The joint warning, dated 3 April, was on behalf of the National Security Agency, the FBI, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre.
Fast flux is a technique for hiding malicious server infrastructure by rapidly changing the DNS records that point to it, and it is used by criminal and nation-state actors alike.
“Additionally, [hackers] can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations,” the advisory said.
“This resilient and fast-changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.”
Single flux links one domain name to many IP addresses and rotates through them in successive DNS responses, typically with short TTLs so that resolvers do not cache any one answer for long. If one IP is taken down, the domain simply keeps resolving to the others.
Double flux goes further and rotates both the IP addresses and the authoritative name servers for the domain, so that the NS records themselves point into the rotating pool of hosts. This gives the operation a second layer of resilience against takedown.
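The two patterns above are easiest to recognise in resolver or passive-DNS logs: a name that answers with many distinct IPs at short TTLs is single flux, and a name whose NS records also churn is double flux. The script below is an added example, not code from the advisory or from the article; the DNS observations, domain names, ASNs and thresholds are all constructed for illustration and the thresholds are assumptions to tune against your own resolver data. It also shows the caveat a practitioner hits immediately: a CDN produces many IPs at short TTLs too, so the example separates "many IPs spread across many networks" (botnet-like) from "many IPs in one network" (CDN-like) using the ASN behind each address.

```python
"""Flag single- and double-flux behaviour in passive-DNS style records.

Added example, not the advisory's or the article's own code. All sample
data below is constructed; thresholds are assumed starting points.
"""
from collections import defaultdict
from dataclasses import dataclass

IP_THRESHOLD = 5     # distinct A records seen in the window (assumed tuning value)
ASN_THRESHOLD = 3    # distinct networks behind those IPs (assumed tuning value)
NS_THRESHOLD = 3     # distinct authoritative name servers in the window (assumed)
TTL_THRESHOLD = 300  # seconds; flux infrastructure keeps TTLs short so rotation bites


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # seconds since epoch when the answer was observed
    qname: str     # domain being resolved
    rtype: str     # "A" or "NS"
    rdata: str     # IPv4 address for A records, name-server host for NS records
    ttl: int       # TTL returned in the answer
    asn: int = 0   # ASN announcing the A record's IP (0 for NS records)


def flux_profile(observations, now, window=3600):
    """Summarise, per domain, how much rotation was seen in the last `window` seconds."""
    ips, asns, nss = defaultdict(set), defaultdict(set), defaultdict(set)
    min_ttl = defaultdict(lambda: {"A": None, "NS": None})
    for o in observations:
        if o.ts < now - window or o.ts > now:
            continue
        if o.rtype == "A":
            ips[o.qname].add(o.rdata)
            asns[o.qname].add(o.asn)
        elif o.rtype == "NS":
            nss[o.qname].add(o.rdata)
        else:
            continue
        cur = min_ttl[o.qname][o.rtype]
        min_ttl[o.qname][o.rtype] = o.ttl if cur is None else min(cur, o.ttl)
    return {
        q: {
            "distinct_ips": len(ips[q]),
            "distinct_asns": len(asns[q]),
            "distinct_ns": len(nss[q]),
            "min_a_ttl": min_ttl[q]["A"],
            "min_ns_ttl": min_ttl[q]["NS"],
        }
        for q in set(ips) | set(nss)
    }


def classify(p):
    """Map a profile to stable / cdn-like / single-flux / double-flux."""
    short_a = p["min_a_ttl"] is not None and p["min_a_ttl"] <= TTL_THRESHOLD
    short_ns = p["min_ns_ttl"] is not None and p["min_ns_ttl"] <= TTL_THRESHOLD
    if p["distinct_ips"] < IP_THRESHOLD or not short_a:
        return "stable"
    if p["distinct_asns"] < ASN_THRESHOLD:
        # Many IPs but one or two networks: typical CDN/anycast, not a botnet.
        # Verify before blocking; this is the main false-positive source.
        return "cdn-like"
    if p["distinct_ns"] >= NS_THRESHOLD and short_ns:
        return "double-flux"   # A records and NS records both churn
    return "single-flux"       # A records churn, name servers stay put


def classify_all(observations, now, window=3600):
    return {q: classify(p) for q, p in flux_profile(observations, now, window).items()}


def _a(qname, ts, ip, asn, ttl=60):
    return DnsObservation(ts, qname, "A", ip, ttl, asn)


def _ns(qname, ts, host, ttl):
    return DnsObservation(ts, qname, "NS", host, ttl)


# Constructed sample observations (documentation IP ranges and ASNs, not real hosts).
SAMPLE = [
    # single flux: six IPs in six networks within five minutes, name servers fixed
    *[_a("upd-sf.example", 60 * i, f"198.51.100.{10 + i}", 64496 + i) for i in range(6)],
    _ns("upd-sf.example", 0, "ns1.upd-sf.example", 86400),
    # double flux: the A records and the NS records both rotate at short TTLs
    *[_a("c2-df.example", 60 * i, f"203.0.113.{20 + i}", 64502 + i) for i in range(6)],
    *[_ns("c2-df.example", 90 * i, f"ns{i}.c2-df.example", 120) for i in range(4)],
    # CDN look-alike: many IPs, short TTL, but every IP sits in the same network
    *[_a("cdn.example", 60 * i, f"192.0.2.{30 + i}", 64508) for i in range(6)],
    _ns("cdn.example", 0, "ns1.cdn.example", 86400),
    # ordinary host: one IP, long TTL
    _a("corp.example", 0, "192.0.2.200", 64509, ttl=3600),
]

if __name__ == "__main__":
    for qname, verdict in sorted(classify_all(SAMPLE, now=600).items()):
        print(f"{qname:18} {verdict}")
```

The window matters as much as the thresholds: the same domain that looks fluxy over an hour looks stable over two minutes, because only a couple of answers have been seen. Run the profile over a window long enough to cover several TTL expiries, and treat "cdn-like" as a review queue rather than a block list.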
“Both techniques leverage a large number of compromised hosts, usually as a botnet from across the internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure,” the advisory says.
“Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational.”
The technique is commonly used by so-called bulletproof hosting services that specialise in hosting malicious content, by ransomware operators, and by the Russian threat actor Gamaredon. Fast flux can also be used to bolster phishing campaigns by making fake websites more resilient to takedowns.
To learn more about the technique and how to defend against it, you can read the full advisory here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.