Fast flux is a technique used by cybercriminals to increase their infrastructure's resilience by making law enforcement takedown of their servers and denylisting of their IP addresses harder. It is critical for these cybercriminals to maintain their networks' uptime to avoid losses to their revenue streams, including phishing and scam campaigns, botnet rental and illegal gambling operations.
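As an added example (not part of the original text), the following Python scores a domain's DNS resolution history for the traits that make fast flux resilient against takedown and denylisting: short TTLs, many distinct addresses spread across unrelated networks, and high turnover between consecutive answer sets. The snapshot format, thresholds and sample histories are constructed assumptions, not data from any real campaign.

```python
# Added example: heuristic fast-flux triage over constructed DNS A-record snapshots.
from ipaddress import ip_network
from statistics import median

# Each snapshot: (seconds_since_start, ttl_seconds, tuple_of_A_records). Constructed data.
FLUX_HISTORY = [
    (0,   180, ("203.0.113.10", "198.51.100.7", "192.0.2.44")),
    (300, 180, ("198.51.100.7", "203.0.113.200", "192.0.2.9")),
    (600, 120, ("203.0.113.200", "192.0.2.9", "198.18.5.21")),
    (900, 120, ("198.18.5.21", "203.0.113.77", "100.64.3.8")),
]
STABLE_HISTORY = [
    (0,    3600, ("192.0.2.10", "192.0.2.11")),
    (3600, 3600, ("192.0.2.10", "192.0.2.11")),
    (7200, 3600, ("192.0.2.11", "192.0.2.10")),
]

def prefix16(addr):
    """Collapse an address to its /16 as a cheap stand-in for 'different network'."""
    return str(ip_network(f"{addr}/16", strict=False))

def churn(history):
    """Mean fraction of A records per snapshot that were absent from the previous one."""
    ratios = []
    for (_, _, prev), (_, _, cur) in zip(history, history[1:]):
        ratios.append(len(set(cur) - set(prev)) / len(cur))
    return sum(ratios) / len(ratios) if ratios else 0.0

def flux_metrics(history):
    """Summarise the resolution history into the four signals the heuristic uses."""
    ips = {a for _, _, addrs in history for a in addrs}
    return {
        "unique_ips": len(ips),
        "unique_prefixes": len({prefix16(a) for a in ips}),
        "median_ttl": median(ttl for _, ttl, _ in history),
        "churn": round(churn(history), 2),
    }

def is_fast_flux(history, max_ttl=300, min_ips=8, min_prefixes=4, min_churn=0.5):
    """Constructed thresholds; CDNs also use short TTLs and many addresses,
    so a hit is a triage signal for analysts, not a verdict."""
    m = flux_metrics(history)
    return (m["median_ttl"] <= max_ttl and m["unique_ips"] >= min_ips
            and m["unique_prefixes"] >= min_prefixes and m["churn"] >= min_churn)

if __name__ == "__main__":
    print("flux   :", flux_metrics(FLUX_HISTORY), is_fast_flux(FLUX_HISTORY))
    print("stable :", flux_metrics(STABLE_HISTORY), is_fast_flux(STABLE_HISTORY))
```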
Figure 1 contains samples of botnet takedowns and provides insight into their levels of success. The takedowns were not all fully successful. In some cases, the malicious actors (i.e., hackers, botnet creators and/or administrators) received leniency because they cooperated with authorities. In one instance, the bot creator was freed because of a loophole in the law (i.e., he did not attack his own country).1
Devices

Devices include servers, workstations, laptops, tablets, smartphones, etc. Acquisition, configuration, maintenance, encryption and operational policies need to be implemented and enforced for all devices. Configuration standards need to be defined and implemented for all digital devices. Individual devices should be protected by implementing secure configurations to harden them, managing mobile devices, and monitoring and controlling permitted/approved software/apps. Organizations need to have a process in place to ensure that only approved software is loaded onto their devices. If safeguards are not in place, organizations risk allowing malware onto the devices and into their network, providing an unauthorized access point for hackers, breaking copyright laws and more.
Tortoiseshell Facebook Attack Campaign

On July 15th, Facebook revealed it tracked and partially disrupted a long-running Iranian attack campaign that used accounts to pose as recruiters and draw in US targets before sending them malware-infected files or tricking them into entering sensitive credentials on phishing sites. Facebook stated that the attackers also pretended to work in hospitality, medicine, journalism, NGOs, or airlines, sometimes conversing with their targets for months with profiles across various social media platforms. Unlike a number of past cases of Iranian state-sponsored social media phishing that have focused on Iran's neighbors, this latest campaign appears to have largely targeted Americans and (to a lesser extent) British and European victims. Facebook stated it has removed "fewer than 200" fake profiles from its platforms as a result of the investigation, and notified roughly the same number of users that they had been targeted. The hackers behind the campaign have been identified as Tortoiseshell, which is believed to work on behalf of the Iranian government. The group, which has some loose ties and similarities to other Iranian APTs like APT34 and Charming Kitten, first came to light in 2019. At that time, Symantec observed the attackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the customers with malware known as Syskit. Facebook has spotted that same malware being used in this most recent campaign, but this operation has a far broader set of infection techniques and targets outside of the Middle East. The social media platform says it tied the group's malware samples to a specific Iranian-based IT contractor called Mahak Rayan Afraz, which has previously provided malware to the IRGC, indicating a link between the Tortoiseshell group and the Iranian government.