
China awakens hibernating cluster and maps the internet

Recent reports from cybersecurity researchers at Infoblox have highlighted renewed activity from a group known as Muddling Meerkat, believed to be linked to Chinese state-sponsored actors. This resurgence has sparked concerns about potential cyber threats on a global scale.

Muddling Meerkat, whose activity Infoblox traces back to 2019 and which was largely quiet until a surge in September last year, has resurfaced with a focus on manipulating global DNS (Domain Name System) and, in particular, mail exchange (MX) records. DNS translates domain names into the IP addresses needed to reach hosts on the internet; MX records are DNS records that name the mail servers accepting email for a domain.

Infoblox tracks the cluster as “Muddling Meerkat” and attributes it to a Chinese state-sponsored actor that has been using DNS to probe networks globally since October 2019, with a spike in activity observed in September 2023. Its tactics involve provoking the Great Firewall (GFW) of China, the country’s internet censorship system, into injecting fake responses to DNS queries.

The GFW is well known for answering queries for blocked names with bogus A records. What is new is that Muddling Meerkat’s activity induces it to inject fake MX (Mail Exchange) records, a behavior not previously seen from the censorship system. Infoblox could not determine a clear goal or motivation, but the activity demonstrates a sophisticated, advanced capability to manipulate global DNS.

DNS

DNS is an essential component of the internet: it translates human-readable domain names into the IP addresses that computers use to identify each other and establish connections. By analysing massive volumes of DNS data, Infoblox researchers discovered activity they say could easily fly under the radar or be mistaken for innocuous traffic. Muddling Meerkat manipulates DNS queries and responses at the point where resolvers return answers. For instance, it can provoke false MX record responses from the GFW; a resolver that accepts such an answer would alter mail routing and could misdirect email.

The Great Firewall’s usual role is to filter and block content by intercepting DNS queries and answering them with bogus responses, steering users away from certain sites. Muddling Meerkat’s activity causes it to issue fake responses that serve the actor’s own objectives, such as testing the resilience and behavior of other networks’ resolvers.

To further obfuscate its activity, Muddling Meerkat issues DNS requests for random subdomains of its target domains, which usually do not exist. Although this resembles a “Slow Drip” (random subdomain) DDoS attack, Infoblox notes that in Muddling Meerkat’s case the queries are small in scale and aimed at testing rather than disruption. The actor also sends queries through open resolvers to hide their origin, and interacts with both authoritative name servers and recursive resolvers.
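As an added illustration, not code from the Infoblox report or from either source article, the script below turns the two observations above (bursts of high-entropy, non-existent subdomains of one base domain, and MX answers that disagree with a domain’s known-good mail servers) into checks that run over resolver log lines. The log line format, the sample lines, the domain names and addresses, the expected-MX table and the thresholds are all constructed assumptions for this example; adapt the regular expression to the query-log format your resolver actually emits.

```python
import math
import re
from collections import defaultdict

# Constructed log line format used by this example (not any real product's format):
#   <timestamp> client=<ip> q=<qname> type=<qtype> rcode=<rcode> ans=<rdata or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) rcode=(?P<rcode>\S+) ans=(?P<ans>\S+)$"
)

# Constructed sample: one client probing random subdomains of a short, old domain,
# a second client receiving an MX answer that is not the domain's real mail server,
# and ordinary benign traffic. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-04-29T10:00:01Z client=203.0.113.10 q=x7k2q9ab.example.com. type=A rcode=NXDOMAIN ans=-
2024-04-29T10:00:02Z client=203.0.113.10 q=b3t8wzcd.example.com. type=A rcode=NXDOMAIN ans=-
2024-04-29T10:00:03Z client=203.0.113.10 q=q1m5hjrs.example.com. type=MX rcode=NXDOMAIN ans=-
2024-04-29T10:00:04Z client=203.0.113.10 q=example.com. type=MX rcode=NOERROR ans=mail.example.com.
2024-04-29T10:00:05Z client=203.0.113.11 q=example.com. type=MX rcode=NOERROR ans=mx.bogus-relay.invalid.
2024-04-29T10:00:06Z client=198.51.100.5 q=www.example.com. type=A rcode=NOERROR ans=192.0.2.10
2024-04-29T10:00:07Z client=198.51.100.5 q=mail.example.com. type=A rcode=NOERROR ans=192.0.2.25
2024-04-29T10:00:08Z client=198.51.100.6 q=typo.example.com. type=A rcode=NXDOMAIN ans=-
"""

# Assumed known-good MX hosts per monitored domain (e.g. copied from the authoritative zone).
EXPECTED_MX = {"example.com.": {"mail.example.com."}}


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (assumption: the
    data contains no multi-label public suffixes such as co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_random_subdomain_probes(records, min_queries=3, min_entropy=2.5):
    """Heuristic 1: a client sending several NXDOMAIN queries for distinct,
    high-entropy subdomains of the same base domain (a Slow-Drip-like pattern
    at small scale). Returns {(client, base_domain): sorted labels}."""
    seen = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        base = base_domain(r["qname"])
        if r["qname"] == base:
            continue  # the apex itself, not a subdomain
        leftmost = r["qname"].split(".")[0]
        if shannon_entropy(leftmost) >= min_entropy:
            seen[(r["client"], base)].add(leftmost)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_queries}


def find_mx_mismatches(records, expected=EXPECTED_MX):
    """Heuristic 2: MX answers for a monitored domain outside its known-good set,
    the kind of injected record the article describes. Returns (client, domain, answer)."""
    hits = []
    for r in records:
        if r["qtype"] != "MX" or r["rcode"] != "NOERROR":
            continue
        good = expected.get(r["qname"])
        if good is not None and r["ans"] not in good:
            hits.append((r["client"], r["qname"], r["ans"]))
    return hits


def analyse(text: str):
    records = list(parse_log(text))
    return {
        "random_subdomain_probes": find_random_subdomain_probes(records),
        "mx_mismatches": find_mx_mismatches(records),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind)
        for h in (hits.items() if isinstance(hits, dict) else hits):
            print("  ", h)
```

On the sample, the first check reports the client that queried three random eight-character labels under example.com, while the single benign NXDOMAIN for `typo.example.com.` stays below both the entropy and the count threshold; the second check reports only the MX answer that is not in the expected set. In production the expected-MX table should come from the zone itself, and the entropy and count thresholds need tuning against your own baseline, since Infoblox describes this activity as deliberately low-volume.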

Purpose

Infoblox reports that Muddling Meerkat chooses target domains with short names registered before 2000; such long-established domains are less likely to appear on DNS blocklists.

As for purpose, Muddling Meerkat might be mapping networks and evaluating their DNS security to plan future attacks, or its goal could be to create DNS “noise” that helps hide more malicious activity and confuses administrators trying to pinpoint the source of anomalous DNS requests.

The Infoblox report provides a complete list of Muddling Meerkat indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs), including lists of domains that can be blocked without significant impact because they host no website, host illegal content, or are parked.

The complexity of these maneuvers, which involve both the GFW and another system known as the Great Cannon (GC), reflects sophisticated capabilities. Whereas the GFW injects responses alongside traffic it observes, the GC operates as an in-path intermediary that modifies data packets in transit, adding another layer of potential disruption.

The ultimate goal of Muddling Meerkat remains unclear: it could be mapping networks for future attacks or generating DNS distractions to conceal larger-scale operations. Regardless of intent, the activity underscores the ongoing challenge of securing global internet infrastructure against state-sponsored threats.

Source: Techradar, Bleepingcomputer
