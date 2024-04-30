



Infoblox announced that its threat intelligence researchers, in collaboration with external researchers, discovered Muddling Meerkat, a likely PRC state actor capable of controlling China's Great Firewall (GFW), a system that censors and manipulates traffic entering and exiting the Internet in China. This Domain Name System (DNS) threat actor is particularly sophisticated in its ability to bypass traditional security measures because it conducts its operations by creating large volumes of widely distributed DNS queries that are then propagated across the Internet via open DNS resolvers. Infoblox leveraged its deep understanding of and unique access to DNS to uncover this cyber threat before any incident, blocking its domains to ensure the security of its customers. Download the report here. "Infoblox Threat Intel eats, sleeps and breathes DNS data," said Dr. Renée Burton, vice president of Infoblox Threat Intel. "Our continued focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. The complex operations of these actors demonstrate a solid understanding of DNS, highlighting the importance of having a DNS Detection and Response (DNSDR) strategy in place to stop sophisticated threats such as Muddling Meerkat." The nickname Muddling Meerkat was chosen to describe an actor that, like the animal, seems cute but can in reality be dangerous, living in a complex network of burrows underground and out of sight. From a technical perspective, "Meerkat" refers to the abuse of open resolvers, particularly through the use of DNS mail exchange (MX) records, and "Muddling" refers to the bewildering nature of the actor's operations. With its deep understanding of and visibility into DNS threats, Infoblox Threat Intel can detect attackers' infrastructure as it is created, blocking known and emerging threats sooner.
With 46 million unique threat indicators detected in 2023 and a virtually non-existent false positive rate of 0.0002 percent, Infoblox Threat Intel has detected 82 percent of threats before or on first query so far in 2024 by leveraging its patent-pending threat intelligence system together with Infoblox's new Zero Day DNS feature. The malicious actor, Muddling Meerkat, has been operating covertly since at least October 2019. At first glance, its operations resemble Slow Drip distributed denial of service (DDoS) attacks, but it is unlikely that DDoS is their ultimate goal. The actor's motivation is unknown, although it may be performing reconnaissance or prepositioning for future attacks. Muddling Meerkat demonstrates a sophisticated understanding of DNS that is rare among threat actors today, clearly highlighting that DNS is a powerful weapon in the hands of adversaries. The research further shows that their operations:

Induce Great Firewall responses, including fake MX records originating from the Chinese IP address space. This highlights a new use of national infrastructure as a fundamental element of their strategy.

Trigger DNS queries for mail exchange (MX) and other record types to domains not owned by the actor but residing under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the actor's true objective.

Use very old domains, typically registered before the year 2000, allowing the actor to blend in with other DNS traffic and avoid detection. This highlights threat actors’ understanding of DNS and existing security controls.
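As an added illustration, not code from Infoblox's report or this article, the following Python heuristic scans constructed resolver log lines for the pattern described above: many MX queries for distinct, random-looking subdomains of a single third-party apex domain arriving through many different resolvers, which is what distinguishes this activity from ordinary mail lookups. The log format, thresholds, domain names and resolver addresses are all assumptions.

```python
"""Flag Muddling Meerkat-style MX query floods in DNS resolver logs.

Heuristic: group MX queries by apex domain and flag an apex when many distinct
subdomain labels are requested from many distinct resolvers. The log format,
two-label apex rule and thresholds are assumptions for this example.
"""
from collections import defaultdict

# Constructed sample log, one query per line: "<resolver_ip> <qname> <qtype>".
# Resolver addresses are RFC 5737 documentation ranges; domains are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 qz8t1.old-example.com MX
198.51.100.7 k2mv9.old-example.com MX
203.0.113.21 p0la4.old-example.com MX
192.0.2.11 x7ye2.old-example.com MX
198.51.100.8 h3bn6.old-example.com MX
203.0.113.22 w9dr5.old-example.com MX
192.0.2.10 www.old-example.com A
192.0.2.10 mail.normal-example.org MX
198.51.100.7 normal-example.org MX
"""


def apex_domain(qname: str) -> str:
    """Return the apex, assuming a two-label apex such as example.com."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_mx_flood(log_text: str, min_subdomains: int = 5, min_resolvers: int = 3) -> dict:
    """Return {apex: (distinct_subdomains, distinct_resolvers)} for every apex
    whose subdomain MX traffic meets both thresholds."""
    subdomains = defaultdict(set)
    resolvers = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2].upper() != "MX":
            continue  # only MX queries matter for this heuristic
        resolver_ip, qname = parts[0], parts[1].rstrip(".").lower()
        apex = apex_domain(qname)
        if qname == apex:
            continue  # an MX lookup for the apex itself is normal mail traffic
        subdomains[apex].add(qname)
        resolvers[apex].add(resolver_ip)
    return {
        apex: (len(subdomains[apex]), len(resolvers[apex]))
        for apex in subdomains
        if len(subdomains[apex]) >= min_subdomains and len(resolvers[apex]) >= min_resolvers
    }


if __name__ == "__main__":
    for apex, (n_sub, n_res) in detect_mx_flood(SAMPLE_LOG).items():
        print(f"suspicious MX pattern: {apex} ({n_sub} subdomains via {n_res} resolvers)")
```

In production the same grouping would run over a sliding time window, since the activity is low-rate per resolver and only stands out when aggregated across many of them.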

