“Fast Flux” Threatens National Security, CISA Issues Advisory
On April 2nd, CISA issued a joint Cybersecurity Advisory that highlights the malicious technique “fast flux” poses. Fast flux is a technique meant to aid threat actors in avoiding detection by “obfuscating the locations of malicious servers by rapidly changing Domain Name System (DNS) records.” This method allows them to “create resilient and highly available command and control (C2) infrastructures, complicating efforts to track and block malicious activities.”
Variants of Fast Flux
- Single Flux: Associates a single domain name with numerous IP addresses that are frequently rotated in DNS responses. This ensures that if one IP address is blocked or taken down, the domain remains accessible through other IP addresses.
- Double Flux: Involves not only rapidly changing IP addresses but also frequently altering the DNS name servers responsible for resolving the domain. This adds an extra layer of redundancy and anonymity for malicious domains.
Recommendations for Mitigation:
- Implement multi-layered detection strategies combining DNS analysis, network monitoring, and threat intelligence.
- Utilize Protective DNS (PDNS) services that can detect and block fast flux activities.
- Collaborate with ISPs and cybersecurity service providers to develop scalable solutions to address this threat.
Multiple Vulnerabilities in Google Chrome
Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.
Affected Systems:
- Chrome prior to 134.0.6998.177/178 for Windows
Risk:
- Large and medium business entities: High
- Small business entities: Medium
Remediation Recommendations
- Ensure all devices using Google Chrome have the latest version(s) installed
- Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it)
References
Multiple Vulnerabilities in Mozilla Products
Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Mozilla Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Affected Systems:
- Firefox versions prior to 137
- Thunderbird versions prior to ESR 128.9
- Thunderbird versions prior to 137
- Firefox ESR versions prior to 128.9
- Firefox ESR versions prior to 115.22
Risk:
- Large and medium business entities: High
- Small business entities: Medium
Remediation Recommendations
- Ensure all Mozilla products are updated to their latest versions
- Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it)
References
Attackers Exploit Critical CrushFTP Vulnerability
Following Disclosure Mix-Up
Outpost24 has published a blog post on the "disclosure mess" surrounding a critical vulnerability (CVE-2025-31161) affecting the CrushFTP file transfer service, which is now being exploited in attacks. CrushFTP issued a patch for the flaw on March 21st, while a CVE identifier was still pending with MITRE. Several days later, vulnerability intelligence firm VulnCheck, which is a CVE Numbering Authority, gave the flaw the identifier CVE-2025-2825. Outpost24, which discovered and responsibly disclosed the flaw, had agreed to wait 90 days before disclosing details, but other security firms began analyzing the issue following VulnCheck's classification. A proof-of-concept exploit is now available. MITRE assigned the vulnerability the identifier CVE-2025-31161 on March 27th.
Outpost24 states, "The vulnerability is now being exploited by remote attackers, who are using it to gain unauthenticated access to devices running unpatched versions of CrushFTP v10 or v11. There have been over 1,500 vulnerable instances exposed online. The threat is particularly concerning as file transfer products like CrushFTP are often targeted by ransomware gangs. CrushFTP has released patches to address the issue, and the recommended action is to immediately update to version 10.8.4 or 11.3.1 and later."
China-Linked Threat Actor Exploits
Ivanti Connect Secure Vulnerability
Mandiant warns that a China-aligned threat actor is actively exploiting a critical vulnerability (CVE-2025-22457) affecting Ivanti Connect Secure, which was patched in February. The threat actor is using the flaw to deploy the TRAILBLAZE, BRUSHFIRE, and SPAWN malware families.
Mandiant notes, "A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution."
