Infoblox Discovers DNS Operation Behind China’s Great Firewall
Infoblox Inc., a leader in cloud networking and security services, today announced that its threat intel researchers, in collaboration with external researchers, have uncovered “Muddling Meerkat,” a likely PRC state actor with the ability to control the Great Firewall (GFW) of China, a system that censors and manipulates traffic entering and exiting China’s internet. This DNS threat actor is particularly sophisticated in its ability to bypass traditional security measures, as it conducts operations by creating large volumes of widely distributed DNS queries that are subsequently propagated through the internet through open DNS resolvers. Infoblox leveraged its deep understanding and unique access to DNS to discover this cyber threat, pre-incident, blocking its domains to ensure its customers are safe.
“Infoblox Threat Intel eats, sleeps, and breathes DNS data,” said Dr. Renée Burton, Vice President, of Infoblox Threat Intel. “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrates a strong understanding of DNS, stressing the importance of having a DNS detection and response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”
The moniker “Muddling Meerkat” was given to describe the actor as an animal that appears cute, but in reality, it can be dangerous, living in a complex network of burrows underground, and out of view. From a technical perspective, “Meerkat” references the abuse of open resolvers, particularly through the use of DNS mail exchange (MX) records. “Muddling” refers to the bewildering nature of their operations.
With a deep understanding of and visibility into DNS Infoblox Threat Intel can see attacker infrastructure as it’s created, stopping both known and emerging threats earlier. With 46M unique threat indicators detected in 2023 and a practically non-existent false positive rate of 0.0002%, Infoblox Threat Intel detected 82% of threats before or at the first query thus far in 2024 leveraging our patent pending threat intelligence system along with Infoblox’s new Zero Day DNS capability.
The threat actor, Muddling Meerkat, has been operating covertly since at least October 2019. At first glance, its operations look like Slow Drip distributed denial-of-service (DDoS) attacks, however, it is unlikely DDoS is their ultimate goal. The motivation of the actor is unknown, though they may be performing reconnaissance or prepositioning for future attacks.
Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries.
The research further shows that their operations:
-
Induce responses from the Great Firewall, including false MX records from the Chinese IP address space. This highlights a novel use of national infrastructure as a fundamental part of their strategy.
-
Trigger DNS queries for MX and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the real intended purpose.
-
Utilize super-aged domains, typically registered prior to the year 2000, enabling the actor to blend in with other DNS traffic and avoid detection. This further highlights the threat actor’s understanding of both DNS and existing security controls.
The full report on Muddling Meerkat can be found here.
Infoblox Threat Intel Gets a Bold New Look, Demonstrating Industry-Leading Commitment to DNS Threat Intelligence
Infoblox Threat Intel is the leading creator of original DNS threat intelligence in the market today. The group, led by Dr. Renée Burton, a 22-year veteran of NSA, is composed of researchers across five countries who have deep expertise in DNS, data science, ML/AI, intelligence analysis, software reverse engineering, and malicious spam detection. Infoblox put a new focus on the team’s public identity to distinguish itself from the sea of threat intel aggregators – highlighting its expertise in original DNS threat research.
Throughout the past year, Infoblox Threat Intel was the first to report other DNS threat actors, all of which had gone undetected for over a year by the rest of the industry. These include DNS C2 malware toolkit Decoy Dog, malicious link shortening service provider Prolific Puma, the most extensive known cybercriminal traffic distribution system VexTrio Viper (aka VexTrio), and DNS CNAME redirection network provider Savvy Seahorse. These publications represent a small fraction of the number of DNS threat actors Infoblox Threat Intel has discovered and are tracking.
“The sheer mass of threat actors effectively hiding in the DNS should be a wakeup call for every defender to make DNS threat intelligence an essential part of their strategy,” added Burton. “Why? Because more than 92%2 of malware utilizes DNS.”
The most effective way to protect against these sophisticated threats is with DNS Detection and Response systems like Infoblox’s BloxOne® Threat Defense. Unlike other security solutions that are malware and post-event-centric, Infoblox Threat Intel uses a multi-pronged approach to discover threats in DNS.
Introducing Zero Day DNS, the Newest Feature within BloxOne Threat Defense
Infoblox’s new cloud-based Zero Day DNS™ augments the existing methods to detect and block possible threats from domains that are registered by threat actors just minutes to hours before being used in an attack. It is a zero-trust model for DNS that leverages the extensive visibility Infoblox has to rapidly adjudicate hundreds of thousands of new domains in near real-time every day.
While most domains are aged before they are used by attackers, Infoblox has discovered an alarming trend over the last 18 months, where threat actors register lookalike domains and immediately use them in targeted attacks. Zero Day DNS was designed specifically to address this risk.
Zero Day DNS is tailored to individual customer networks, providing a new form of custom threat intel for Infoblox BloxOne Threat Defense Advanced Cloud customers. This capability provides the earliest defense against spearphishing attacks, which were responsible for 66% of all data breaches in 2023 according to Barracuda Networks annual report on phishing trends.1 Initial results show that Zero Day DNS can detect novel threats without risk of blocking vital network access. Over 16% of the flagged domains were deemed malicious within 48 hours by other analytics.
“Zero Day DNS is not just a nice to have, but a strategic advantage in an environment where threat actors, particularly ransomware actors, are using a domain immediately after registration for spearphishing,” added Burton.