Article Details
Scrape Timestamp (UTC): 2025-04-03 19:40:29.685
Original Article Text
CISA warns of Fast Flux DNS evasion used by cybercrime gangs

CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" evasion technique used by state-sponsored threat actors and ransomware gangs. Although the technique isn't new, its effectiveness has been documented and proven repeatedly in actual cyberattacks.

How Fast Flux helps with evasion

Fast Flux is a DNS technique used to evade detection and to keep the infrastructure behind command and control (C2), phishing, and malware delivery resilient. It involves rapidly changing DNS records (IP addresses and/or name servers), which makes it hard for defenders to trace the source of malicious activity and to block it: blocking or seizing any single address removes only one short-lived hop. The technique is often powered by botnets, large networks of compromised systems that act as proxies or relays to facilitate these rapid switches.

CISA's bulletin highlights two main variants, Single Flux and Double Flux. With Single Flux, attackers frequently rotate the IP addresses returned for a domain name in DNS responses. With Double Flux, in addition to rotating the IPs for the domain, the DNS name servers themselves also change rapidly, adding an extra layer of obfuscation that makes takedown efforts even harder.

CISA says Fast Flux is widely employed by threat actors of all levels, from low-tier cybercriminals to highly sophisticated nation-state actors. The agency highlights the cases of Gamaredon, Hive ransomware, Nefilim ransomware, and bulletproof hosting service providers, all of which use Fast Flux to evade law enforcement and the takedown efforts that would disrupt their operations.

CISA recommendations

CISA has listed multiple measures to help detect and stop Fast Flux and to mitigate the activity the evasion technique facilitates. The bulletin also summarizes a set of proposed detection techniques. For mitigation, CISA recommends using DNS/IP blocklists and firewall rules to block access to Fast Flux infrastructure and, where possible, sinkholing the traffic to internal servers for further analysis. Using reputational scoring for traffic blocking, implementing centralized logging and real-time alerting for DNS anomalies, and participating in information-sharing networks are also encouraged.
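The following is an added example, not code from the article or from CISA's bulletin, showing what "rapidly changing DNS records" looks like in resolver logs and how the two variants can be told apart: a small Python script that walks a constructed resolver log, flags names whose A answers churn through many short-TTL addresses inside a time window (Single Flux), upgrades the verdict to Double Flux when the zone's NS answers churn too, and then emits BIND response-policy-zone (RPZ) records that sinkhole the flagged names to an internal host for analysis. The log format, the thresholds, the `.test` domain names, the RFC 5737 addresses, the last-two-labels apex guess and the `sinkhole.internal.example.` hostname are all assumptions made for the example.

```python
"""Added example: heuristic fast-flux detection over resolver logs, with
RPZ sinkhole records for the names it flags. Toy code, not CISA's tooling."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Heuristic thresholds: assumptions for this example, not figures from the
# CISA bulletin. Tune them against your own resolver baseline (CDNs and
# round-robin pools also use short TTLs and many addresses).
MAX_TTL = 300            # seconds; flux records are deliberately short-lived
MIN_DISTINCT_IPS = 5     # distinct A rdata for one name inside WINDOW
MIN_DISTINCT_NS = 3      # distinct NS rdata for the zone apex inside WINDOW
WINDOW = timedelta(hours=1)
NOW = datetime(2025, 4, 3, 19, 40, tzinfo=timezone.utc)  # fixed "current time"

# Constructed resolver log, one answer per line: <ts> <qname> <rtype> <rdata> <ttl>.
# Names use the reserved .test TLD; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-04-03T19:00:01Z panel.flux-example.test A 203.0.113.10 60
2025-04-03T19:05:12Z panel.flux-example.test A 198.51.100.23 60
2025-04-03T19:10:44Z panel.flux-example.test A 192.0.2.77 60
2025-04-03T19:16:03Z panel.flux-example.test A 203.0.113.91 60
2025-04-03T19:21:30Z panel.flux-example.test A 198.51.100.140 60
2025-04-03T19:27:09Z panel.flux-example.test A 192.0.2.201 60
2025-04-03T19:02:00Z flux-example.test NS ns1.flux-example.test 60
2025-04-03T19:12:00Z flux-example.test NS ns4.flux-example.test 60
2025-04-03T19:22:00Z flux-example.test NS ns9.flux-example.test 60
2025-04-03T19:01:10Z api.singleflux.test A 203.0.113.50 120
2025-04-03T19:07:10Z api.singleflux.test A 203.0.113.51 120
2025-04-03T19:13:10Z api.singleflux.test A 198.51.100.60 120
2025-04-03T19:19:10Z api.singleflux.test A 192.0.2.15 120
2025-04-03T19:25:10Z api.singleflux.test A 192.0.2.16 120
2025-04-03T19:03:00Z singleflux.test NS ns1.singleflux.test 3600
2025-04-03T19:23:00Z singleflux.test NS ns1.singleflux.test 3600
2025-04-03T19:04:00Z www.benign.test A 192.0.2.200 3600
2025-04-03T19:34:00Z www.benign.test A 192.0.2.201 3600
2025-04-03T17:00:00Z stale.flux-example.test A 203.0.113.1 60
2025-04-03T17:05:00Z stale.flux-example.test A 203.0.113.2 60
2025-04-03T17:10:00Z stale.flux-example.test A 203.0.113.3 60
2025-04-03T17:15:00Z stale.flux-example.test A 203.0.113.4 60
2025-04-03T17:20:00Z stale.flux-example.test A 203.0.113.5 60
"""

def parse_log(text):
    """Yield (timestamp, qname, rtype, rdata, ttl) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, rdata, ttl = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               qname.lower().rstrip("."), rtype.upper(), rdata.lower(), int(ttl))

def zone_apex(qname):
    """Crude apex guess (last two labels). Real code would consult the Public
    Suffix List; this assumption keeps the example offline."""
    return ".".join(qname.split(".")[-2:])

def detect_fast_flux(log_text, now=NOW):
    """Return {qname: 'single-flux' | 'double-flux'} for names whose A answers
    churn through many short-TTL addresses inside WINDOW. 'double-flux' means
    the zone's NS answers churn as well, matching CISA's two variants."""
    cutoff = now - WINDOW
    a_ips, ns_hosts = defaultdict(set), defaultdict(set)
    a_ttl, ns_ttl = {}, {}
    for ts, qname, rtype, rdata, ttl in parse_log(log_text):
        if ts < cutoff:                      # outside the sliding window
            continue
        if rtype == "A":
            a_ips[qname].add(rdata)
            a_ttl[qname] = min(ttl, a_ttl.get(qname, ttl))
        elif rtype == "NS":
            ns_hosts[qname].add(rdata)
            ns_ttl[qname] = min(ttl, ns_ttl.get(qname, ttl))
    verdicts = {}
    for qname, ips in a_ips.items():
        if len(ips) < MIN_DISTINCT_IPS or a_ttl[qname] > MAX_TTL:
            continue                         # stable or slow-moving: benign
        apex = zone_apex(qname)
        ns_fluxing = (len(ns_hosts.get(apex, ())) >= MIN_DISTINCT_NS
                      and ns_ttl.get(apex, MAX_TTL + 1) <= MAX_TTL)
        verdicts[qname] = "double-flux" if ns_fluxing else "single-flux"
    return verdicts

def rpz_sinkhole_records(verdicts, sinkhole="sinkhole.internal.example."):
    """BIND response-policy-zone records that rewrite each flagged name and its
    subdomains to an internal sinkhole, so the traffic can be captured for
    analysis instead of reaching the flux network. The sinkhole hostname is
    a placeholder; load the zone via `response-policy { zone "..."; };`."""
    lines = []
    for qname in sorted(verdicts):
        lines.append(f"{qname} CNAME {sinkhole}")
        lines.append(f"*.{qname} CNAME {sinkhole}")
    return lines

if __name__ == "__main__":
    found = detect_fast_flux(SAMPLE_LOG)
    print(found)
    print("\n".join(rpz_sinkhole_records(found)))
```

Run as-is, the script flags `panel.flux-example.test` as double flux (six addresses and three name servers inside the hour, all at TTL 60) and `api.singleflux.test` as single flux (five addresses at TTL 120 but a single stable NS), while `www.benign.test` (two addresses, TTL 3600) and `stale.flux-example.test` (fast-changing, but outside the window) are left alone. In production the same signals should be weighed against an allowlist and a baseline, since CDNs and load-balanced services legitimately combine short TTLs with large address pools; the bulletin's advice to combine DNS anomaly alerting with reputational scoring and shared threat intelligence is what keeps this heuristic from turning into a flood of false positives.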
Daily Brief Summary
CISA, together with the FBI, NSA, and global cybersecurity agencies, warns about the use of the Fast Flux technique by cyber actors.
Fast Flux is a DNS evasion method that complicates tracking and blocking of malicious activities by quickly changing DNS records.
This technique encompasses Single Flux and Double Flux methods, where Single Flux changes IP addresses and Double Flux changes both IPs and DNS name servers.
Entities such as the Gamaredon group, Hive ransomware, and Nefilim ransomware utilize Fast Flux to evade law enforcement.
CISA has published detection methods and recommended mitigations like DNS/IP blocklists, firewall rules, and traffic sinkholing.
The agency also suggests improving defenses through enhanced reputational scoring, centralized logging, real-time alerting, and participation in information-sharing networks.