ACSC issues alert about 'fast flux' threat


Tuesday, 08 April, 2025


The Australian Cyber Security Centre (ACSC) has released an advisory about the ongoing threat of ‘fast flux’ techniques used by Bulletproof Hosting Providers (BPHs). BPHs use fast flux to disseminate malware and undertake phishing on behalf of cybercriminals.

Fast flux is a domain-based technique used by malicious cyber actors, characterised by rapidly changing the Domain Name System (DNS) records (such as IP addresses) associated with a single domain. The approach allows BPHs to cycle quickly through bots and DNS records to bypass detection by network defenders and law enforcement agencies.

It is possible to mitigate the risks associated with fast flux and maintain a secure environment by using a reputable Protective DNS (PDNS) provider that detects and blocks fast flux. Providers should track, share information about, and block fast flux as part of the cybersecurity services they provide. Some providers may detect and block fast flux automatically, but many may not. To ensure optimal protection, ACSC encourages agencies and businesses to contact their provider to validate their coverage against fast flux.
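To make the "rapidly changing DNS records" behaviour concrete for defenders, the following Python example is added here and is not taken from the ACSC advisory or from any PDNS product. It scans resolver log records for names that map to many addresses across several networks with short TTLs; the log format, the thresholds, the /24 grouping and all names and addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed resolver log: (epoch seconds, queried name, A record, TTL).
# Names and addresses use reserved documentation ranges, not real indicators.
SAMPLE_LOG = [
    (0,   "flux.example",   "192.0.2.10",    60),
    (90,  "flux.example",   "198.51.100.7",  60),
    (180, "flux.example",   "203.0.113.44",  30),
    (270, "flux.example",   "192.0.2.201",   60),
    (360, "flux.example",   "198.51.100.93", 30),
    (450, "flux.example",   "203.0.113.5",   60),
    (0,   "static.example", "192.0.2.80",    3600),
    (300, "static.example", "192.0.2.80",    3600),
    (0,   "lb.example",     "198.51.100.20", 300),
    (200, "lb.example",     "198.51.100.21", 300),
]

# Illustrative thresholds (assumptions): tune against your own baseline.
MIN_IPS, MIN_NETS, MAX_MEDIAN_TTL, WINDOW = 5, 3, 120, 3600


def summarise(records, now, window=WINDOW):
    """Per-name counts of distinct IPs and /24 networks, plus median TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for ts, name, addr, ttl in records:
        if not (now - window <= ts <= now):
            continue  # outside the observation window
        key = name.lower().rstrip(".")  # normalise case and trailing dot
        ips[key].add(ip_address(addr))
        ttls[key].append(ttl)
    stats = {}
    for key, addrs in ips.items():
        # /24 grouping is a simple IPv4-only proxy for network dispersal.
        nets = {ip_network(f"{a}/24", strict=False) for a in addrs}
        stats[key] = {"ips": len(addrs), "nets": len(nets),
                      "median_ttl": median(ttls[key])}
    return stats


def suspected_fast_flux(records, now, window=WINDOW):
    """Names whose answers rotate widely with short TTLs inside the window.
    CDNs and load balancers can look similar, so hits are leads for review."""
    return sorted(
        name for name, s in summarise(records, now, window).items()
        if s["ips"] >= MIN_IPS and s["nets"] >= MIN_NETS
        and s["median_ttl"] <= MAX_MEDIAN_TTL
    )


if __name__ == "__main__":
    print(suspected_fast_flux(SAMPLE_LOG, now=450))
```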

Fast flux is commonly used for maintaining command-and-control (C2) communications, but it can also play a significant role in phishing campaigns by making social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through a service management panel. The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers and others, could use fast flux to avoid identification and blocking.

Government agencies and businesses are urged to read the advisory and find out more to protect against fast flux. More information about how BPHs operate can be found in the ACSC’s joint publication with the Australian Federal Police.
