CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.

Fast Flux is a DNS technique used for evading detection and maintaining resilient infrastructure used for command and control (C2), phishing, and malware delivery. CISA says Fast Flux is widely employed by threat actors of all levels, from low-tier cybercriminals to highly sophisticated nation-state actors.

CISA's bulletin highlights two main types of the technique, namely Single Flux and Double Flux. When using Single Flux, attackers frequently rotate the IP addresses associated with a domain name in DNS responses. With Double Flux, in addition to rotating IPs for the domain, the DNS name servers themselves also change rapidly, adding an extra layer of obfuscation that makes takedown efforts even harder.

The agency highlights the cases of Gamaredon, Hive ransomware, Nefilim ransomware, and bulletproof hosting service providers, all using Fast Flux to evade law enforcement and takedown efforts that would disrupt their operations.

CISA has listed multiple measures to help detect and stop Fast Flux and mitigate activity facilitated by the evasion technique. For mitigation, CISA recommends using DNS/IP blocklists and firewall rules to block access to Fast Flux infrastructure and, where possible, sinkhole traffic to internal servers for further analysis.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
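The Single Flux and Double Flux behaviour described in the article can be surfaced from ordinary resolver logs. The following is an added example, not code from CISA's bulletin or from BleepingComputer: it aggregates constructed DNS observations per domain and flags a domain as single-flux when it returns many distinct A records with short TTLs, and as double-flux when its name servers churn as well. The thresholds (`min_ips`, `min_ns`, `max_ttl`) and the sample records are assumptions; CDNs and load balancers also rotate low-TTL addresses, so treat the output as a triage list to verify, not a verdict.

```python
from collections import defaultdict

# Constructed sample observations (not real data): (domain, rtype, value, ttl).
# Each tuple is one answer seen in resolver logs over a short observation window.
SAMPLE_DNS_LOG = [
    ("flux-example.invalid", "A", "198.51.100.10", 60),
    ("flux-example.invalid", "A", "198.51.100.77", 60),
    ("flux-example.invalid", "A", "203.0.113.5", 60),
    ("flux-example.invalid", "A", "203.0.113.200", 60),
    ("flux-example.invalid", "A", "192.0.2.33", 60),
    ("flux-example.invalid", "NS", "ns1.flux-example.invalid", 120),
    ("flux-example.invalid", "NS", "ns2.flux-example.invalid", 120),
    ("flux-example.invalid", "NS", "ns7.flux-example.invalid", 120),
    ("flux-example.invalid", "NS", "ns9.flux-example.invalid", 120),
    ("steady-example.invalid", "A", "192.0.2.1", 86400),
    ("steady-example.invalid", "NS", "ns1.steady-example.invalid", 86400),
]


def summarize(records):
    """Collect distinct A and NS answers and the lowest TTL seen per domain."""
    stats = defaultdict(lambda: {"ips": set(), "ns": set(), "min_ttl": None})
    for domain, rtype, value, ttl in records:
        s = stats[domain]
        if rtype == "A":
            s["ips"].add(value)
        elif rtype == "NS":
            s["ns"].add(value)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def classify(records, min_ips=5, min_ns=3, max_ttl=300):
    """Return {domain: "single-flux" | "double-flux" | None}.

    Heuristic (thresholds are assumptions, tune to your environment):
      single flux = many distinct A records answered with short TTLs
      double flux = single flux plus many distinct name servers
    """
    result = {}
    for domain, s in summarize(records).items():
        short_ttl = s["min_ttl"] is not None and s["min_ttl"] <= max_ttl
        single = len(s["ips"]) >= min_ips and short_ttl
        double = single and len(s["ns"]) >= min_ns
        result[domain] = "double-flux" if double else "single-flux" if single else None
    return result


if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {verdict or 'no flux indicators'}")
```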
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 03 Apr 2025 19:40:19 +0000