April 29, 2024 at 04:27PM
A new cluster of activity known as “Muddling Meerkat” is linked to a Chinese state-sponsored threat actor manipulating global DNS systems since October 2019. Notable for its manipulation of MX records through China’s Great Firewall, the activity exhibits advanced capabilities to provoke false responses and prompt fake DNS queries. The purpose of this sophisticated behavior remains unclear.
Based on the meeting notes, the key takeaways are:
1. “Muddling Meerkat” is a new cluster of activity believed to be linked to a Chinese state-sponsored threat actor’s manipulation of DNS to probe networks globally since October 2019, with a spike in activity observed in September 2023.
2. The notable aspect of Muddling Meerkat’s activity is the manipulation of MX (Mail Exchange) records by injecting fake responses through China’s Great Firewall, which is an unusual and previously unseen behavior for the country’s internet censorship system.
3. The activity discovered by Infoblox demonstrates sophistication and advanced capabilities to manipulate global DNS systems, yet appears not to have a clear goal or motivation.
4. Muddling Meerkat manipulates DNS queries and responses, targeting the mechanism by which resolvers return IP addresses. Their activities may include provoking false MX record responses that could misdirect email.
5. Muddling Meerkat’s activities involve exploiting open resolvers, making DNS requests for random subdomains of target domains, and engaging with both authoritative and recursive resolvers.
6. The threat actor chooses target domains with short names registered before 2000, making them less likely to be on DNS blocklists.
7. It is speculated that Muddling Meerkat might be mapping networks and evaluating their DNS security to plan future attacks, or their goal could be to create DNS “noise” to hide more malicious activities.
8. The Infoblox report provides a complete list of Muddling Meerkat indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs), including lists of domains that can be blocked without significant impact.
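A defender-side illustration of the random-subdomain MX probing described in points 4 and 5, added here as an example and not code from the Infoblox report: it scans constructed resolver query logs (format and values are assumed) and flags any apex domain that receives MX queries for several random-looking subdomain labels, which is the pattern a recursive resolver operator would want to surface.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (assumed format, not from the report):
# "<epoch> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
1700000000 198.51.100.7 k3x9q.example.com. MX NOERROR
1700000001 198.51.100.7 zp2mw.example.com. MX NOERROR
1700000002 198.51.100.7 q8vtr.example.com. MX NXDOMAIN
1700000003 198.51.100.7 h7n2c.example.com. MX NOERROR
1700000004 198.51.100.7 b9lkd.example.com. MX NOERROR
1700000005 203.0.113.5 mail.example.com. MX NOERROR
1700000006 203.0.113.5 www.example.net. A NOERROR
1700000007 203.0.113.9 smtp.example.org. MX NOERROR
"""

MIN_DISTINCT = 4  # distinct random labels per apex before alerting (tunable assumption)
KNOWN_MAIL_LABELS = {"mail", "smtp", "mx", "mx1", "mx2"}  # conventional, not random

def shannon_entropy(s):
    """Bits of entropy per character; random labels score higher than words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def apex(qname):
    """Registrable domain, assuming a two-label apex (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_random(label):
    """Heuristic: mixed letters/digits or high entropy, unless a conventional mail host."""
    if label in KNOWN_MAIL_LABELS:
        return False
    mixed = any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    return mixed or shannon_entropy(label) >= 2.5

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, client, qname, qtype, rcode = line.split()
            yield {"ts": int(ts), "client": client, "qname": qname.lower(),
                   "qtype": qtype, "rcode": rcode}

def detect_random_mx_probing(log, min_distinct=MIN_DISTINCT):
    """Return {apex: [random subdomain labels]} for apexes over the threshold."""
    seen = defaultdict(set)
    for rec in parse(log):
        labels = rec["qname"].rstrip(".").split(".")
        if rec["qtype"] != "MX" or len(labels) < 3:
            continue  # only MX queries for subdomains matter for this pattern
        if looks_random(labels[0]):
            seen[apex(rec["qname"])].add(labels[0])
    return {dom: sorted(subs) for dom, subs in seen.items() if len(subs) >= min_distinct}

if __name__ == "__main__":
    for dom, subs in detect_random_mx_probing(SAMPLE_LOG).items():
        print(f"ALERT {dom}: {len(subs)} random-looking MX subdomain queries: {', '.join(subs)}")
```

Because the report notes that the probed domains are short, old registrations that are unlikely to be on blocklists, an alert from this check is a prompt to review the apex rather than a reason to block it.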
These takeaways summarize the key points discussed in the meeting notes.