US, Australia, Canada warn of ‘fast flux’ scheme used by ransomware gangs
Ransomware gangs and Russian government hackers are increasingly turning to an old tactic called “fast flux” to hide the location of infrastructure used in cyberattacks.
Cybercriminals and nation-state actors use the fast flux technique to rapidly change the Domain Name System (DNS) records associated with a single domain name — hiding the locations of malicious servers, according to an advisory published on Thursday by cybersecurity agencies in the U.S., Australia, Canada and New Zealand.
Officials explained that malicious actors hack into devices and networks using malware that needs to “call home” to threat actors and send status updates or receive further instructions.
“To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked,” the agencies said.
“Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain.”
Matt Hartman, deputy executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), said the tactic also makes individual computers in a botnet harder to find and block.
The tactic is advantageous to hackers because as a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement to process the changes quickly and disrupt their services.
It also renders IP blocking ineffective and irrelevant, allowing criminals to maintain resilient operations and anonymity. Fast flux has also played a pivotal role in phishing campaigns, making it nearly impossible for defenders to block or take down social engineering websites.
Experts told Recorded Future News that the tactic has been used for over a decade by cybercriminals while some hacker forums and marketplaces use fast flux to limit the impact of law enforcement takedowns.
Casey Ellis, founder of Bugcrowd, listed several past instances dating back to 2007 of botnets using fast flux to obscure the location of their servers.
What is new, according to Ellis, is how refined it has become and the “broader spectrum” of threat actors leveraging it to evade defense systems.
“The resurgence of the technique adaptation by nation-state actors has prompted heightened alert,” Ellis said.
Single and double flux
The advisory said ransomware gangs like Hive and Nefilim use the tactic while Russian state-backed hacking group Gamaredon has deployed it to limit the effectiveness of IP blocking.
Officials found two variants of fast flux in the wild. One, called “single flux,” typically sees a single domain name linked to numerous IP addresses that are rotated. This “ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses.”
One of the biggest issues defenders have faced is that this first tactic has legitimate purposes and is used by some companies for performance reasons.
The second variant, called “double flux,” sees not only the IP addresses changing rapidly but also the DNS name servers responsible for resolving the domain. This provides malicious actors with an additional layer of redundancy and anonymity for malicious domains, according to the agencies.
“Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure,” officials said.
“Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational.”
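As an added illustration, not from the advisory or the article: a small Python classifier that scores a domain's repeated DNS lookups against the single- and double-flux patterns described above (rotating addresses with short TTLs, and additionally rotating name servers). The record layout, thresholds, domain names and addresses are all constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsSnapshot:                # constructed record layout, not from the advisory
    ts: int                       # epoch seconds of the lookup
    a_records: tuple              # IPv4 addresses returned
    ns_records: tuple             # name servers the domain delegates to
    ttl: int                      # TTL on the A records, seconds

# Thresholds are illustrative assumptions for this example, not figures from the advisory.
MAX_TTL = 300          # short TTLs let a rotation take effect within minutes
MIN_DISTINCT_IPS = 5   # many unrelated hosts, as a botnet of proxies produces
MIN_DISTINCT_NS = 3    # name-server churn is what separates double flux from single flux

def flux_indicators(snapshots):
    """Summarise rotation behaviour across repeated lookups of one domain."""
    ips = Counter(ip for s in snapshots for ip in s.a_records)
    nss = Counter(ns for s in snapshots for ns in s.ns_records)
    # count lookups whose A-record set differs from the previous lookup
    changes = sum(1 for a, b in zip(snapshots, snapshots[1:])
                  if set(a.a_records) != set(b.a_records))
    return {"distinct_ips": len(ips), "distinct_ns": len(nss),
            "a_set_changes": changes, "min_ttl": min(s.ttl for s in snapshots)}

def classify(snapshots):
    """Return 'double_flux', 'single_flux' or 'stable' for one domain's lookup history."""
    ind = flux_indicators(snapshots)
    rotating = (ind["min_ttl"] <= MAX_TTL and ind["distinct_ips"] >= MIN_DISTINCT_IPS
                and ind["a_set_changes"] >= 2)
    if rotating and ind["distinct_ns"] >= MIN_DISTINCT_NS:
        return "double_flux"      # addresses and name servers both rotate
    return "single_flux" if rotating else "stable"

# Constructed lookup histories for a hypothetical domain (documentation address ranges).
SINGLE_FLUX = [DnsSnapshot(0, ("198.51.100.7", "203.0.113.22"), ("ns1.example.net",), 60),
               DnsSnapshot(120, ("203.0.113.22", "192.0.2.45"), ("ns1.example.net",), 60),
               DnsSnapshot(240, ("192.0.2.45", "198.51.100.90"), ("ns1.example.net",), 60),
               DnsSnapshot(360, ("203.0.113.101", "192.0.2.45"), ("ns1.example.net",), 60)]
# Same address churn, but the delegation also moves between name servers.
DOUBLE_FLUX = [DnsSnapshot(s.ts, s.a_records, (f"ns{i}.example.org",), s.ttl)
               for i, s in enumerate(SINGLE_FLUX)]
# A CDN-style record set: low TTL, but only two addresses in a single /24.
STABLE = [DnsSnapshot(t * 120, ("192.0.2.10", "192.0.2.11")[:1 + t % 2], ("ns1.example.com",), 30)
          for t in range(4)]

if __name__ == "__main__":
    for name, hist in [("single", SINGLE_FLUX), ("double", DOUBLE_FLUX), ("cdn", STABLE)]:
        print(name, classify(hist), flux_indicators(hist))
```

The CDN-style history shows why TTL alone is a weak signal: only the combination of short TTL, many distinct addresses and repeated record-set changes marks rotation, and name-server churn on top of that marks double flux.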
Fortinet’s Aamir Lakhani said FortiGuard Labs saw some of the early botnets between 2007–2010 use fast flux to distribute malware and manage their command-and-control (C2) communications.
“While the technique is older, it can still be effective. It’s not used as often as people think it is because it does require some work and knowledge from threat actors and there are much easier ways to conduct an attack,” Lakhani said.
“But if they have the infrastructure already set up, or they can rent fairly cheaply, it is still a viable tool in the toolkit.”
The advisory notes that bulletproof hosting services — many of which have been taken down or sanctioned by law enforcement in recent years — now attempt to differentiate themselves by offering fast flux services.
Officials even shared a dark web post of a bulletproof hosting site marketing itself through its fast flux capabilities.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.