Fast Flux Threatens National Security

A Technique Used by Nation-States and Ransomware Groups to Hide Operations

A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency has warned.

Fast Flux: A Technique to Hide Infrastructure and Survive Takedown Attempts

The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed. Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant flux complicates the task of isolating the true origin of the infrastructure. It also provides redundancy. By the time defenders block one address or domain, new ones have already been assigned.

A Significant Threat

“This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection,” the NSA, FBI, and their counterparts from Canada, Australia, and New Zealand warned Thursday. “Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations.”

Wildcard DNS Records: A Key Means of Achieving Fast Flux

A key means of achieving this is the use of wildcard DNS records. These records are defined within zones of the Domain Name System, which maps domain names to IP addresses. A wildcard causes DNS lookups for subdomains that were never explicitly defined to resolve anyway, for example by tying MX (mail exchange) records, which designate mail servers, to the wildcard entry. The result is that an attacker-controlled IP is returned for a subdomain such as malicious.example.com even though no record for that name exists.
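The churn described above (addresses rotating hourly or daily, low TTLs, many unrelated IPs behind one name) is what defenders look for in resolver logs or passive DNS. The following is an added example, not code from the article or the NSA advisory: it scores constructed passive-DNS-style observations with assumed thresholds and flags the name that behaves like fast flux.

```python
"""Heuristic fast-flux scoring over passive-DNS-style observations.

Added example for illustration; the records and thresholds are constructed
assumptions, not values from the advisory.  Real input would come from a
passive DNS feed or recursive resolver query logs.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    ts: int     # observation time in seconds (constructed)
    name: str   # queried domain name
    ip: str     # A record returned by the resolver
    ttl: int    # TTL of that record in seconds


# Constructed sample: one name that rotates across unrelated /24s every few
# minutes with a 60 s TTL, and one stable name that changes rarely.
SAMPLE = [
    Observation(0,    "cdn.bad.example", "198.51.100.10",  60),
    Observation(300,  "cdn.bad.example", "203.0.113.77",   60),
    Observation(600,  "cdn.bad.example", "192.0.2.5",      60),
    Observation(900,  "cdn.bad.example", "198.51.100.200", 60),
    Observation(1200, "cdn.bad.example", "203.0.113.9",    60),
    Observation(0,    "www.good.example", "192.0.2.100", 3600),
    Observation(3600, "www.good.example", "192.0.2.100", 3600),
    Observation(7200, "www.good.example", "192.0.2.101", 3600),
]


def summarize(obs, name):
    """Compute churn indicators for one name from its time-ordered answers."""
    rows = sorted((o for o in obs if o.name == name), key=lambda o: o.ts)
    if not rows:
        raise ValueError(f"no observations for {name}")
    ips = [o.ip for o in rows]
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}  # IPv4 spread
    return {
        "distinct_ips": len(set(ips)),
        "distinct_slash24": len(nets),
        "churn": changes / max(len(ips) - 1, 1),  # fraction of answers that changed
        "min_ttl": min(o.ttl for o in rows),
    }


def is_fast_flux(summary, min_ips=4, min_nets=3, max_ttl=300, min_churn=0.5):
    """Assumed thresholds: many IPs, spread over networks, short TTL, high churn."""
    return (summary["distinct_ips"] >= min_ips
            and summary["distinct_slash24"] >= min_nets
            and summary["min_ttl"] <= max_ttl
            and summary["churn"] >= min_churn)
```

Legitimate CDNs also rotate addresses, so in practice a flag like this is a triage signal to combine with ASN diversity and reputation data rather than a block decision on its own.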

Conclusion

The use of fast flux by nation-states and ransomware groups poses a significant threat to national security and critical infrastructure. It is essential for defenders to be aware of this technique and take steps to detect and mitigate its effects.

Frequently Asked Questions

Q: What is fast flux?

A: Fast flux is a technique used by threat actors to hide their infrastructure and survive takedown attempts by cycling through a range of IP addresses and domain names.

Q: Why is fast flux a significant threat?

A: Fast flux allows malicious actors to evade detection and create resilient, highly available command and control infrastructure, concealing their subsequent malicious operations.

Q: How does fast flux work?

A: Fast flux works by rapidly changing DNS records, causing IP addresses and domain names to change frequently, making it difficult to isolate the true origin of the infrastructure.

Q: What is the impact of fast flux on national security?

A: The use of fast flux by nation-states and ransomware groups poses a significant threat to national security, enabling malicious actors to consistently evade detection and conduct malicious operations.
