On April 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) released a joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers about the ongoing threat of fast flux enabled malicious activity, which the advisory describes as a defensive gap in many networks.

The advisory provides an overview of the fast flux technique, in which malicious actors rapidly change the Domain Name System (DNS) records of a domain, typically with very short time-to-live (TTL) values, to evade detection and IP-based blocking. The technique comes in two forms: single flux, where the IP addresses returned for a domain are rotated through a pool of compromised hosts acting as proxies, and double flux, where the authoritative DNS name servers for the domain are rotated as well. Either way, the actual command-and-control servers behind the proxies stay hidden, which helps attackers keep control of compromised devices and makes their infrastructure harder to track, block, and disrupt.

Various malware families and adversaries use this technique, with the advisory specifically mentioning Hive and Nefilim ransomware. AttackIQ has previously published emulations based on both Hive and Nefilim ransomware activities. AttackIQ recommends the use of these two emulations to start testing:

[US-CERT AA22-321A] #StopRansomware: Hive Ransomware

This emulation was released as a response to the CISA Advisory AA22-321A on November 18, 2022, and contains the tactics, techniques, and procedures (TTPs) observed in attacks carried out by Hive ransomware.

Nefilim Ransomware – 2021-06 – Complete Infection Chain

This emulation was released on July 11, 2024, by AttackIQ to reproduce the behaviors exhibited by the extortionist Nefilim ransomware in its activities, since its emergence in March 2020, against multiple organizations, primarily in North and South America and in the financial, manufacturing, and transportation industries.

Detection and Mitigation Opportunities

The advisory includes recommendations for mitigating the threat posed by fast flux:

  1. Enhanced DNS Detection: Organizations, particularly those providing DNS services, are encouraged to adopt detection mechanisms that can identify and mitigate fast flux activity, such as analyzing DNS query logs for domains with unusually short TTLs, a high number of distinct IP addresses in their responses, inconsistent geolocation of those addresses, and frequent name server changes.
  2. Collaboration: The advisory calls for improved collaboration between government entities, private sector companies, and international partners. This coordination is essential in tracking and disrupting malicious infrastructure.
  3. Use of Protective DNS (PDNS): Organizations are encouraged to implement Protective DNS solutions that can block access to malicious domains in real time. PDNS can help protect users by filtering out requests to known harmful addresses.
  4. Threat Intelligence Sharing: Sharing threat intelligence, including indicators of compromise (IOCs) related to fast flux infrastructure, is essential for a more effective defense.
  5. Botnet Takedowns: The advisory emphasizes ongoing efforts to disrupt and dismantle botnets that rely on fast flux techniques.
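The single and double flux rotation described earlier, and the DNS log anomaly detection that the first recommendation above calls for, can be turned into a simple heuristic. The script below is an added illustrative example; it is not code from the advisory or from AttackIQ. The log format (`ts,qname,rtype,ttl,rdata`), the thresholds, and the sample log are assumptions constructed for this example, using `.test` names and 10.0.0.0/8 addresses so nothing in it resolves on the Internet.

```python
"""Heuristic single/double fast flux detection over DNS resolver log lines.

Added illustrative example, not part of the CISA advisory or AttackIQ content.
The log format, the thresholds and the sample data are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative thresholds (assumptions, not values taken from the advisory).
MAX_TTL = 300         # seconds; flux domains keep TTLs very short so changes propagate
MIN_UNIQUE_IPS = 5    # many distinct A answers for one name inside the window
MIN_UNIQUE_NETS = 3   # spread across unrelated /24s rather than one CDN block
MIN_UNIQUE_NS = 3     # authoritative name servers rotating too (double flux)


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)     # distinct A-record addresses seen
    nets: set = field(default_factory=set)    # distinct /24 networks those fall into
    ns: set = field(default_factory=set)      # distinct NS-record targets seen
    a_min_ttl: int = 2**31 - 1                # smallest TTL observed on A answers
    ns_min_ttl: int = 2**31 - 1               # smallest TTL observed on NS answers


def parse_log(text: str) -> dict:
    """Parse 'ts,qname,rtype,ttl,rdata' lines (assumed format) into per-domain stats."""
    stats = defaultdict(DomainStats)
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        _ts, qname, rtype, ttl, rdata = (f.strip() for f in row)
        s = stats[qname.lower().rstrip(".")]
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)
            s.ips.add(ip)
            s.nets.add(ipaddress.ip_network(f"{ip}/24", strict=False))
            s.a_min_ttl = min(s.a_min_ttl, int(ttl))
        elif rtype == "NS":
            s.ns.add(rdata.lower().rstrip("."))
            s.ns_min_ttl = min(s.ns_min_ttl, int(ttl))
    return dict(stats)


def classify(stats: dict) -> dict:
    """Return {domain: [reasons]}; an empty list means nothing suspicious."""
    verdicts = {}
    for qname, s in stats.items():
        reasons = []
        # Single flux: short TTL plus many addresses spread over unrelated networks.
        if (s.a_min_ttl <= MAX_TTL and len(s.ips) >= MIN_UNIQUE_IPS
                and len(s.nets) >= MIN_UNIQUE_NETS):
            reasons.append("single-flux")
        # Double flux: the name servers themselves rotate on a short TTL.
        if s.ns_min_ttl <= MAX_TTL and len(s.ns) >= MIN_UNIQUE_NS:
            reasons.append("double-flux")
        verdicts[qname] = reasons
    return verdicts


def flagged(text: str) -> list:
    """Sorted list of domains in the log that trip at least one heuristic."""
    return sorted(d for d, r in classify(parse_log(text)).items() if r)


# Constructed sample resolver log (not real traffic). The CDN-like name has a
# short TTL and five addresses, but all inside one /24, so it is not flagged.
SAMPLE_LOG = """\
# ts,qname,rtype,ttl,rdata
1712102400,www.example-benign.test,A,86400,10.0.0.10
1712102400,cdn.example-benign.test,A,60,10.5.5.11
1712102460,cdn.example-benign.test,A,60,10.5.5.12
1712102520,cdn.example-benign.test,A,60,10.5.5.13
1712102580,cdn.example-benign.test,A,60,10.5.5.14
1712102640,cdn.example-benign.test,A,60,10.5.5.15
1712102400,login-update.flux.test,A,60,10.1.2.3
1712102460,login-update.flux.test,A,60,10.44.9.8
1712102520,login-update.flux.test,A,60,10.200.1.1
1712102580,login-update.flux.test,A,60,10.7.7.7
1712102640,login-update.flux.test,A,60,10.99.3.4
1712102700,login-update.flux.test,A,60,10.13.5.6
1712102400,login-update.flux.test,NS,120,ns-a.fluxhost.test
1712102520,login-update.flux.test,NS,120,ns-b.fluxhost.test
1712102640,login-update.flux.test,NS,120,ns-c.fluxhost.test
"""

if __name__ == "__main__":
    for domain, reasons in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{domain:32s} {', '.join(reasons) or 'ok'}")
```

Note the caveat the benign CDN entry illustrates: a short TTL and many addresses are also how content delivery networks behave, so the network diversity check matters, and even that will trip on anycast or multi-provider deployments. In practice this kind of heuristic should feed an analyst queue or be combined with the threat intelligence and Protective DNS data the advisory recommends, not block on its own.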

AttackIQ strongly recommends reviewing and following CISA’s recommendations, provided in the advisory, to aid in detecting and mitigating fast flux activity. These steps can help organizations identify and mitigate the risks associated with fast flux networks and improve overall cybersecurity posture.

Wrap-up

In summary, fast flux techniques pose a significant challenge to cybersecurity by allowing attackers to rapidly change the IP addresses, and in the double flux case the name servers, behind a domain, making it difficult to track and disrupt malicious activity. This advisory specifically highlights the use of fast flux by ransomware groups such as Hive and Nefilim.

AttackIQ recommends running the previously released emulations for Hive and Nefilim ransomware, as well as following CISA’s recommendations. Adopting these strategies will help organizations strengthen their defenses and better protect against this ongoing and dynamic cybersecurity threat.