• According to Infoblox, Muddling Meerkat generates high volumes of DNS queries distributed widely across the internet through open DNS resolvers.
  • Infoblox says the renewed emphasis on its threat intel team’s public identity is meant to set it apart from the many threat intelligence aggregators and to highlight its expertise in DNS threat research.

Ahead of last week’s RSA Conference, Infoblox Inc.’s threat intelligence researchers disclosed “Muddling Meerkat,” which they described as “a likely PRC state actor with the ability to control the Great Firewall of China.”

The Great Firewall (GFW) filters and manipulates internet traffic entering and leaving China. Infoblox said the actor uses sophisticated techniques to evade security controls: according to the company, Muddling Meerkat “creates large volumes of widely distributed DNS queries that are subsequently propagated through the internet through open DNS resolvers.” Infoblox reported that its visibility into DNS traffic let it detect the activity “prior to the incident” and preemptively block the actor’s domains to protect its customers.

During RSAC, Dr. Renée Burton, Vice President of Infoblox Threat Intel, emphasized that the company’s primary focus is its DNS data. She told the press, “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response strategy to stop sophisticated threats like Muddling Meerkat.”

Burton also presented DNS threat intelligence research the company prepared for the event. Its headline claim is that DNS controls could have mitigated 92% of the malicious activity Infoblox analysed, and that 60% of threats could be blocked before the first DNS query for them was ever made, because the domains involved had already been flagged.

One statistic in particular makes the case for DNS security: roughly 3.5 million new malicious and suspicious domains are registered every month. Phishers routinely use such domains to lure unsuspecting users into clicking malicious links and giving up personal or business credentials.

It’s Not a Delightful Animal

While a meerkat is typically viewed as adorable, Infoblox emphasized that it is far from cute. “In reality, it can be dangerous to live in a complex network of burrows underground and out of view,” the company stated in the announcement. “From a technical perspective, ‘Meerkat’ references the abuse of open resolvers, particularly through DNS mail exchange records. ‘Muddling’ refers to the bewildering nature of their operations.”

Infoblox stated that Muddling Meerkat demonstrates a sophisticated understanding of DNS throughout its intricate operations, something many threat actors lack, which underlines how much a capable actor can accomplish through DNS.

Eliciting Responses from the Great Firewall

The company’s research shows that Muddling Meerkat can provoke responses from China’s Great Firewall, which replies with forged mail exchange (MX) records pointing into Chinese IP address space, a notable abuse of national infrastructure.

The actor also sends DNS queries for MX and other record types to domains it does not control, under top-level domains such as .com and .org. By choosing older domains, typically registered before 2000, it blends in with ordinary DNS traffic and evades detection, again demonstrating a thorough understanding of DNS.

Infoblox Threat Intel Gets a Fresh Makeover

Alongside the Muddling Meerkat disclosure, Infoblox unveiled a refreshed identity for its Threat Intel division, led by Burton, a 22-year veteran of the NSA. Through the team’s newly emphasized public identity, Infoblox aims to set itself apart from the multitude of threat intel aggregators and showcase its expertise in DNS threat research.

The company highlighted its achievements over the past year, notably being the first to report several DNS threat actors that had gone undetected by other industry players for over a year. These include the DNS C2 malware toolkit Decoy Dog, the malicious link shortening service provider Prolific Puma, the cybercriminal traffic distribution system VexTrio Viper (also known as VexTrio), and the DNS CNAME redirection network provider Savvy Seahorse.

Zero Day DNS

The company also said its new Zero Day DNS capability is meant to identify domains registered by threat actors and block them before they can be used in an attack.

Burton said, “Zero Day DNS is not just a nice to have, but a strategic advantage in an environment where threat actors, particularly ransomware actors, are using a domain immediately after registration for spearphishing.”

Because Infoblox monitors DNS-level data, it has insight into which domain names are genuine and which are not. For instance, “infoblox.com” is legitimate, whereas “lnfoblox.com,” with the “i” replaced by a lowercase “L,” is not. Such differences are subtle and hard for users to spot in a URL. With Zero Day DNS, the approach is to block traffic when a domain is judged likely malicious: it is preferable to err on the side of caution and block potentially harmful traffic than to risk a breach by letting it through. The trade-off is false positives on legitimately new domains, which is why policies of this kind are normally paired with an allowlist and a review process for blocked names.
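As an added example (this is illustrative code, not Infoblox’s Zero Day DNS implementation, which the page does not describe), the following Python sketch classifies a queried name against a constructed list of protected domains. It catches the “lnfoblox.com” case above and, going beyond the text, IDN homographs using Cyrillic lookalike letters and single-character typos. The confusables tables, the protected list, the thresholds and the two-label registrable-domain rule are assumptions.

```python
import unicodedata

# Constructed list of domains to protect; not Infoblox data.
PROTECTED = {"infoblox.com", "example.org"}

# Cyrillic letters that render like Latin ones (IDN homograph attacks).
# Assumed table covering only a few common cases.
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0445": "x", "\u0443": "y",
})

# ASCII glyph confusions used in typosquats. Multi-character pairs come
# first so "rn" collapses to "m" before single characters are mapped.
# Assumed table, not an exhaustive confusables list.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                     ("l", "i"), ("1", "i"), ("0", "o"), ("5", "s"), ("3", "e")]


def to_unicode(name: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs can be inspected."""
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name  # already Unicode, or not valid punycode


def registrable(name: str) -> str:
    """Registrable domain, assumed to be the last two labels.
    Production code should consult the Public Suffix List (co.uk etc.)."""
    labels = to_unicode(name).rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Canonical form: strip accents, map Cyrillic lookalikes, collapse
    ASCII confusables. Two domains with the same skeleton look alike."""
    s = unicodedata.normalize("NFKD", domain)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.translate(CYRILLIC_LOOKALIKES)
    for src, dst in ASCII_CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str, protected=PROTECTED, max_dist: int = 1):
    """Return ("allow" | "block", reason) for a DNS query name."""
    d = registrable(qname)
    if d in protected:
        return "allow", "exact match to protected domain"
    sk = skeleton(d)
    for p in sorted(protected):
        if sk == skeleton(p):
            return "block", f"homoglyph of {p}"
        if edit_distance(d, p) <= max_dist:
            return "block", f"within edit distance {max_dist} of {p}"
    return "allow", "no lookalike match"


if __name__ == "__main__":
    for q in ["mail.infoblox.com", "mail.lnfoblox.com", "inf0blox.com",
              "\u0456nfoblox.com", "exarnple.org", "infoblox.co", "google.com"]:
        print(q, *classify(q))
```

The edit-distance rule is where false positives creep in: with short protected names, distance 1 matches many unrelated legitimate domains, so in practice it is applied only to long brand names or combined with the domain’s registration age before a block is issued.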

DNS Security Should be Widespread

Because firewalls and other perimeter controls have become effective, threat actors have shifted to targeting users directly through phishing. We expect such attacks to keep rising, so it is welcome that Infoblox is intensifying its research into identifying and blocking the domains behind them before they are put to use.