
Cybersecurity Advisory – Fast Flux: A National Security Threat

Impact: All FINRA Member Firms

FINRA member firms should be aware of a technique threat actors use to prevent network defenders from detecting the communications that malware requires. On April 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS) and New Zealand National Cyber Security Centre (NCSC-NZ) issued a joint cybersecurity advisory (CSA)1 to warn organizations of the ongoing threat of one such technique: fast flux.

While the joint alert does not cite any specific incidents associated with specific threat actors or indicate a precise threat to the financial services industry,2 we are issuing this Cybersecurity Advisory to alert members to the joint CSA and the effective practices it outlines that all organizations can implement to defend against fast flux-enabled malicious activity.

Summary

Per the joint CSA, when threat actors compromise devices and networks, the malware they use must send status updates and receive additional instructions. To avoid having these communications detected as malicious or blocked, threat actors use dynamic resolution techniques like fast flux to disguise their activity.

As discussed in the CSA, fast flux is a domain-based technique that involves rapidly changing Domain Name System (DNS)3 records (e.g., IP addresses) associated with a single domain4—and threat actors use two common variants of fast flux to accomplish this: (1) single flux, in which a single domain name is linked to numerous IP addresses that are frequently rotated in DNS responses; and (2) double flux, which expands on single flux by frequently changing the name of the DNS servers responsible for resolving the domain.

The CSA points out that many networks currently contain gaps in their defenses against techniques such as fast flux.

Effective Practices to Protect Your Firm

To defend against fast flux, the joint CSA recommends that organizations coordinate with their Internet service providers, cybersecurity service providers or their Protective DNS services to:

  • block access to domains identified as using fast flux through non-routable DNS responses or firewall rules;
  • perform reputational filtering of fast flux-enabled malicious activity;
  • implement enhanced monitoring and logging;
  • conduct collaborative defense and information sharing; and
  • engage in phishing awareness and training.

See the “Mitigations” section of the joint CSA for details on these recommendations.
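As an added illustration of the “enhanced monitoring and logging” recommendation (editor-supplied example code, not part of the joint CSA or of this FINRA advisory), the following Python triage script scores DNS resolver log lines for the single flux pattern (many rotating IP addresses behind short TTLs) and the double flux pattern (rotating authoritative name servers) described in the Summary above. The log format, domain names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <qname> <rrtype> <ttl> <rdata>".
# Domains and addresses are assumptions (documentation ranges), not real indicators.
SAMPLE_LOG = """\
1712100000 cdn.example-benign.test A 3600 203.0.113.10
1712100300 cdn.example-benign.test A 3600 203.0.113.10
1712100000 flux.example-bad.test A 120 198.51.100.5
1712100120 flux.example-bad.test A 120 198.51.100.77
1712100240 flux.example-bad.test A 120 192.0.2.33
1712100360 flux.example-bad.test A 120 192.0.2.140
1712100480 flux.example-bad.test A 120 198.51.100.201
1712100000 flux.example-bad.test NS 300 ns1.flux-a.test
1712100300 flux.example-bad.test NS 300 ns9.flux-b.test
1712100600 flux.example-bad.test NS 300 ns4.flux-c.test
"""

def parse_log(text):
    """Parse non-empty log lines into (epoch, qname, rrtype, ttl, rdata) tuples."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        ts, qname, rrtype, ttl, rdata = line.split()
        records.append((int(ts), qname.lower(), rrtype.upper(), int(ttl), rdata))
    return records

def score_domains(records, max_ttl=300, min_ips=4, min_nets=2, min_ns=3):
    """Return {domain: [flags]} for domains whose records rotate like fast flux.
    single-flux: >= min_ips distinct A records over >= min_nets /24s, TTL <= max_ttl.
    double-flux: >= min_ns distinct NS names. Thresholds are assumed, not from the CSA."""
    a_ips, a_ttls, ns_names = defaultdict(set), defaultdict(list), defaultdict(set)
    for _ts, qname, rrtype, ttl, rdata in records:
        if rrtype == "A":
            a_ips[qname].add(rdata)
            a_ttls[qname].append(ttl)
        elif rrtype == "NS":
            ns_names[qname].add(rdata)
    findings = {}
    for qname in sorted(set(a_ips) | set(ns_names)):
        flags = []
        ips = a_ips[qname]
        nets = {ip.rsplit(".", 1)[0] for ip in ips}  # crude /24 grouping
        if ips and max(a_ttls[qname]) <= max_ttl \
                and len(ips) >= min_ips and len(nets) >= min_nets:
            flags.append("single-flux")
        if len(ns_names[qname]) >= min_ns:
            flags.append("double-flux")
        if flags:
            findings[qname] = flags
    return findings
```

Legitimate CDNs and load balancers also rotate many addresses behind short TTLs, so hits from a script like this are triage candidates to check against reputation feeds and your Protective DNS provider, not blocking decisions on their own.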

By implementing robust detection and mitigation strategies, organizations may significantly reduce their risk of compromise by fast flux-enabled threats, thus bolstering their cyber defenses.

Additional Information

Questions related to this Cybersecurity Advisory or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

FINRA asks member firms to please report any critical system or business operations issues to your Risk Monitoring Analyst.

Both the FBI and CISA urge you to promptly report cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations or FINRA rules. Member firms may consider the information in this Advisory in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes or practices. 

FINRA delivers Cybersecurity Alerts and Advisories to the Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) or Chief Risk Officer (CRO) contacts of FINRA member firms, as designated in FINRA Gateway. Firms should ensure their contact information is current and, if necessary, update it within FINRA Gateway.


2 Per the MITRE ATT&CK Framework, Dynamic Resolution: Fast Flux DNS has been associated with several threat actors, including cyber-criminal group TA505, which allegedly conducted a malicious operation against a financial institution in April 2019. 

3 Domain Name System (DNS) is considered the phonebook of the internet. People access information online through domain names, like google.com or finra.org. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.

4 See the MITRE ATT&CK post, Dynamic Resolution: Fast Flux DNS.