China-Linked ‘Muddling Meerkat’ Hijacks DNS to Map Internet on Global Scale

April 29, 2024 at 10:00AM

Since October 2019, a new cyber threat, Muddling Meerkat, has used DNS activities to evade security measures and conduct network reconnaissance worldwide. Linked to China, the threat exploits DNS open resolvers and manipulates DNS queries from Chinese IP space. This sophisticated threat involves false MX record responses and may be part of an Internet mapping effort.

The main takeaways are:
1. A previously unknown cyber threat called Muddling Meerkat has been observed engaging in sophisticated DNS activities since October 2019, primarily to evade security measures and conduct network reconnaissance.
2. The threat actor is likely affiliated with the People’s Republic of China and may have the ability to control the Great Firewall to manipulate internet traffic.
3. The actor abuses DNS open resolvers from Chinese IP space and triggers DNS queries for mail exchange (MX) and other record types to domains not owned by the actor but residing under well-known top-level domains.
4. Over 20 domains have been detected, many of which are super-aged domains registered prior to 2000, allowing the adversary to blend in with other DNS traffic and evade blocklists.
5. The actor also attempts to use servers in the Chinese IP address space to make DNS queries for random subdomains to IP addresses around the world.
6. The threat actor’s activity involves the injection of false MX record responses from Chinese IP addresses, which differs from the standard behavior of the Great Firewall.
7. The exact motivation behind the activity is unclear, potentially related to internet mapping or research efforts.
