
Cyber threat actors are using a new cyber technique to evade detection and maintain resilient operations, the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued on Thursday.
Fast flux, a domain-based technique that rapidly changes the domain name system (DNS) records associated with a single domain, is the latest threat spurring an advisory warning from CISA, the National Security Agency, the FBI, and international partners.
“When malicious cyber actors compromise devices and networks, the malware they use needs to ‘call home’ to send status updates and receive further instructions,” CISA said in its advisory. “To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.”
Using these techniques – seen in ransomware operations, phishing campaigns, and other cyberattacks – cyber actors build highly resilient command and control (C2) infrastructure that is more difficult for cybersecurity professionals to track and block, according to the agencies.
“This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers,” the advisory stated.
Fast flux has two variants: single flux, where a domain frequently rotates through multiple IP addresses, and double flux, which additionally rotates the DNS name servers that resolve the domain.
To detect fast flux techniques, CISA recommended leveraging threat intelligence feeds, implementing anomaly detection systems for DNS queries, analyzing time-to-live values in DNS records, monitoring for inconsistent geolocation in DNS resolution, and using flow data to identify large-scale communications with multiple IP addresses over short periods.
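To show what the TTL and IP-churn analysis above looks like in practice, here is an added example (not from the advisory or any CISA tooling) that scores constructed passive-DNS style records: a domain is flagged when, within a sliding window, its A records cycle through many addresses across several /24 prefixes while every TTL stays short. The record format, thresholds and domain names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of passive-DNS style observations: (timestamp, domain, A record, TTL seconds).
# All values are made up; "update-check.example" is built to look like a single-flux domain.
SAMPLE_RECORDS = [
    ("2025-04-03T10:00:00", "update-check.example", "198.51.100.10", 60),
    ("2025-04-03T10:03:00", "update-check.example", "203.0.113.25", 45),
    ("2025-04-03T10:07:00", "update-check.example", "192.0.2.77", 30),
    ("2025-04-03T10:12:00", "update-check.example", "198.51.100.200", 60),
    ("2025-04-03T10:20:00", "update-check.example", "203.0.113.140", 45),
    ("2025-04-03T10:00:00", "www.example.org", "192.0.2.1", 3600),
    ("2025-04-03T10:30:00", "www.example.org", "192.0.2.1", 3600),
    ("2025-04-03T10:00:00", "cdn.example.net", "198.51.100.5", 300),
    ("2025-04-03T10:10:00", "cdn.example.net", "198.51.100.6", 300),
]

def score_domains(records, window=timedelta(hours=1), max_ttl=300, min_ips=4, min_prefixes=2):
    """Flag domains whose A records churn through many IPs in several /24s with short TTLs.

    Returns {domain: {"ips": n, "prefixes": n, "max_ttl": t, "suspect": bool}} where the
    counts come from the window holding the most distinct IPs for that domain.
    Thresholds (window, max_ttl, min_ips, min_prefixes) are illustrative assumptions.
    """
    by_domain = defaultdict(list)
    for ts, dom, ip, ttl in records:
        by_domain[dom].append((datetime.fromisoformat(ts), ip, ttl))
    report = {}
    for dom, obs in by_domain.items():
        obs.sort()
        best = None
        # Slide a window starting at each observation; keep the window with the most distinct IPs.
        for i, (start, _, _) in enumerate(obs):
            in_win = [o for o in obs[i:] if o[0] - start <= window]
            ips = {ip for _, ip, _ in in_win}
            prefixes = {ip.rsplit(".", 1)[0] for ip in ips}  # crude /24 grouping as a diversity proxy
            ttl_max = max(ttl for _, _, ttl in in_win)
            cand = {"ips": len(ips), "prefixes": len(prefixes), "max_ttl": ttl_max}
            if best is None or cand["ips"] > best["ips"]:
                best = cand
        # Suspect only when all three signals agree: many IPs, spread across prefixes, short TTLs.
        best["suspect"] = (best["ips"] >= min_ips and best["prefixes"] >= min_prefixes
                           and best["max_ttl"] <= max_ttl)
        report[dom] = best
    return report
```

Legitimate CDNs and load balancers also rotate addresses with short TTLs, so a hit here is a triage signal to be corroborated with the threat intelligence feeds and geolocation checks the advisory recommends, not a verdict on its own.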
Phishing awareness programs, enhanced logging and monitoring, and cybersecurity community collaborations to share threat intelligence can be useful for mitigation, CISA said.
CISA also warned that while cybersecurity and PDNS services are important for detecting and blocking fast flux activity, not all providers automatically offer protection. The agency recommends organizations “contact their PDNS providers to validate coverage of this specific cyber threat.”
“CISA is pleased to join with our government and international partners to provide this important guidance on mitigating and blocking malicious fast flux activity,” said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman. “We encourage organizations to implement the advisory recommendations to reduce risk and strengthen resilience.”