A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency warned.
The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed. Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant churn complicates the task of isolating the true origin of the infrastructure. It also provides redundancy: by the time defenders block an address or domain, new ones have already been assigned.
A significant threat
“This technique poses a significant threat to national security, allowing malicious cyber actors to constantly evade detection,” the NSA, the FBI and their counterparts from Canada, Australia and New Zealand warned Thursday. “Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure that conceals their subsequent malicious operations.”
A key means of achieving this is the use of wildcard DNS records. These records are defined inside a DNS zone, the part of the namespace that maps names to IP addresses. A wildcard causes lookups for subdomains that were never explicitly defined to resolve anyway, including MX (mail exchange) records used to designate mail servers. The result is that an attacker-controlled IP is returned for a subdomain such as malicious.example.com even though that subdomain does not exist.
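The behaviour described above, rapid A-record rotation with short TTLs plus arbitrary subdomains that resolve because of a wildcard, leaves a recognisable footprint in passive DNS data. The following is an added example, not code from the advisory or from any of the agencies named here; it computes a few fast-flux indicators over a small constructed set of passive-DNS-style observations. The record format, the `/16` prefix as a coarse proxy for network diversity, and the thresholds (five or more distinct IPs with a mean TTL of ten minutes or less) are assumptions chosen for illustration, not values taken from the advisory.

```python
"""Fast-flux indicators over passive-DNS style observations (added example)."""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # seconds since epoch at which the answer was observed
    name: str     # queried name, lowercase, no trailing dot
    rtype: str    # record type: "A", "MX", ...
    rdata: str    # answer: an IPv4 address for A, a hostname for MX
    ttl: int      # TTL returned with the answer, in seconds


# Constructed sample data (assumption, not real traffic):
#   flux.example rotates hourly through five IPs in three networks with a 300 s TTL,
#   and random-looking subdomains resolve too, as a wildcard record would cause.
#   stable.example sits on two addresses in one network with a one-day TTL.
SAMPLE = [
    DnsObservation(0,     "flux.example",        "A",  "198.51.100.10",    300),
    DnsObservation(3600,  "flux.example",        "A",  "203.0.113.25",     300),
    DnsObservation(7200,  "flux.example",        "A",  "192.0.2.77",       300),
    DnsObservation(10800, "flux.example",        "A",  "198.51.100.130",   300),
    DnsObservation(14400, "flux.example",        "A",  "203.0.113.201",    300),
    DnsObservation(3600,  "kq8d1f.flux.example", "A",  "203.0.113.25",     300),
    DnsObservation(7200,  "zz0p3.flux.example",  "A",  "192.0.2.77",       300),
    # the wildcard also answers MX queries; this row is ignored by the A-record analysis
    DnsObservation(7200,  "zz0p3.flux.example",  "MX", "mail.flux.example", 300),
    DnsObservation(0,     "stable.example",      "A",  "192.0.2.10",     86400),
    DnsObservation(43200, "stable.example",      "A",  "192.0.2.11",     86400),
]


def _apex(name: str) -> str:
    """Last two labels of a name. Assumption: no multi-label public suffixes (co.uk)."""
    return ".".join(name.split(".")[-2:])


def _prefix16(ip: str) -> str:
    """First two octets, used as a rough stand-in for 'different network'."""
    return ".".join(ip.split(".")[:2])


def flux_indicators(observations: Iterable[DnsObservation], apex: str) -> Optional[dict]:
    """Summarise A-record churn for one apex domain and all names beneath it."""
    recs = [o for o in observations if o.rtype == "A" and _apex(o.name) == apex]
    if not recs:
        return None

    apex_ips = {o.rdata for o in recs if o.name == apex}
    all_ips = {o.rdata for o in recs}
    span_days = (max(o.ts for o in recs) - min(o.ts for o in recs)) / 86400

    # Wildcard heuristic: at least two distinct non-apex names resolved, and every
    # answer for them is an address the apex itself has used.
    sub_names = {o.name for o in recs if o.name != apex}
    sub_ips = {o.rdata for o in recs if o.name != apex}
    wildcard_suspect = len(sub_names) >= 2 and sub_ips <= apex_ips

    return {
        "unique_ips": len(all_ips),
        "unique_prefix16": len({_prefix16(ip) for ip in all_ips}),
        "mean_ttl": mean(o.ttl for o in recs),
        # distinct IPs per day of observation; spans under a day count as one day
        "ips_per_day": len(all_ips) / max(1.0, span_days),
        "wildcard_suspect": wildcard_suspect,
    }


def is_fast_flux(ind: dict, min_ips: int = 5, max_ttl: int = 600) -> bool:
    """Verdict: many distinct addresses and short TTLs. Thresholds are assumptions."""
    return ind["unique_ips"] >= min_ips and ind["mean_ttl"] <= max_ttl


if __name__ == "__main__":
    for apex in ("flux.example", "stable.example"):
        ind = flux_indicators(SAMPLE, apex)
        print(apex, ind, "FAST FLUX" if is_fast_flux(ind) else "ok")
```

On real passive DNS the same metrics should be computed per observation window and combined with the number of distinct autonomous systems, since a single provider's address pool can also produce many IPs with low TTLs; the `/16` prefix count here is only a placeholder for that lookup.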