
New Cyber Threat ‘Muddling Meerkat’ Raises Concerns Over DNS Manipulation

According to findings from cloud security firm Infoblox, the threat actor behind Muddling Meerkat is believed to have ties to the People’s Republic of China (PRC) and possesses the capability to influence the Great Firewall (GFW), a system used for internet censorship and traffic manipulation within China.

A newly identified threat actor, dubbed “Muddling Meerkat,” has been carrying out sophisticated Domain Name System (DNS) activity since October 2019. It has been observed conducting reconnaissance of networks worldwide, using tactics designed to evade security controls.


The name “Muddling Meerkat” reflects the convoluted and puzzling nature of the actor’s operations. The actor abuses DNS open resolvers, servers that answer recursive queries from any IP address, in particular ones inside Chinese IP space, to issue DNS queries for various record types, notably mail exchange (MX), against domains it does not control that sit under well-known top-level domains such as .com and .org.

Infoblox, which first noticed the activity through anomalous DNS MX record requests, has identified more than 20 domains targeted by Muddling Meerkat. Dr. Renée Burton, Infoblox’s vice president of threat intelligence, emphasized the actor’s sophisticated understanding of DNS, describing DNS as a potent tool in the hands of adversaries.
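The open-resolver angle above is the part a defender can act on directly: a resolver that answers recursive queries from arbitrary clients is usable by anyone, including this actor, and the first symptom is MX lookups for domains you do not own arriving from addresses you do not serve. The following detection logic is an added example written for this article; it is not Infoblox’s detection, the log lines are constructed in BIND query-log format, and the allowed client networks and the organisation’s own zones are assumptions.

```python
"""Flag open-resolver abuse in BIND-style query logs: MX lookups for
third-party domains from clients outside the networks the resolver is meant
to serve. Added example with constructed log lines; not Infoblox's tooling."""
import ipaddress
import re
from collections import Counter

# Networks this resolver is supposed to answer recursive queries for (assumption).
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("2001:db8::/32")]

# Zones the organisation itself operates (assumption); MX lookups for anything
# else from outside clients are the pattern worth counting.
OWN_ZONES = ("corp.example.",)

# Matches both old and new BIND query-log layouts ("client [@0x...] ip#port (name): query: name IN TYPE").
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
client 192.0.2.10#53412 (corp.example): query: corp.example IN MX + (192.0.2.53)
client 198.51.100.7#41011 (aaa.example.com): query: aaa.example.com IN MX + (192.0.2.53)
client 198.51.100.7#41012 (bbb.example.com): query: bbb.example.com IN MX + (192.0.2.53)
client 203.0.113.9#60001 (ccc.example.org): query: ccc.example.org IN MX + (192.0.2.53)
client 192.0.2.22#53999 (www.example.net): query: www.example.net IN A + (192.0.2.53)
"""


def parse_line(line: str):
    """Return {ip, qname, qtype} for a query-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qname = m["qname"].lower().rstrip(".") + "."      # normalise to absolute form
    return {"ip": ipaddress.ip_address(m["ip"]), "qname": qname, "qtype": m["qtype"]}


def is_allowed(ip) -> bool:
    """True if the client falls inside a network the resolver should serve."""
    return any(ip in net for net in ALLOWED_CLIENTS)


def registered_domain(qname: str) -> str:
    """Crude registered-domain extraction (last two labels); adequate for the
    .com/.org style targets the report describes (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def analyze(log_text: str) -> dict:
    """Count MX queries for non-owned domains coming from outside clients."""
    external_mx = Counter()
    external_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_allowed(rec["ip"]):
            continue
        external_clients.add(str(rec["ip"]))          # any outside client means recursion is open
        if rec["qtype"] == "MX" and not rec["qname"].endswith(OWN_ZONES):
            external_mx[registered_domain(rec["qname"])] += 1
    return {
        "open_resolver_suspected": bool(external_clients),
        "external_clients": sorted(external_clients),
        "external_mx_by_domain": dict(external_mx),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, the two outside clients and the three MX lookups for `example.com` and `example.org` are reported while the in-network queries are ignored; in practice the fix is to restrict recursion to your own client ranges and treat any remaining outside MX traffic as a signal to investigate.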

A distinctive feature of Muddling Meerkat’s activity is the false MX record responses returned from Chinese IP addresses. Where the Great Firewall typically injects fake DNS responses containing invalid IP addresses, the responses associated with Muddling Meerkat contain properly formatted MX resource records.
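That distinction, an answer of the expected MX type with a preference and an exchange name versus an answer of the wrong type carrying an IP address, is something a resolver operator can check on the wire. The following is an added example written for this article, not Infoblox code or captured traffic: it builds a minimal MX query, parses a response (including RFC 1035 name compression), and labels it. The domain `example.com`, the transaction IDs and the address in the injected answer are constructed.

```python
"""Classify a DNS response to an MX query: a properly formed MX answer versus
an answer of the wrong type. Added illustration; not Infoblox's tooling."""
import struct

TYPE_A, TYPE_MX, CLASS_IN = 1, 15, 1  # RFC 1035 codes


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_mx_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, recursion desired, one MX question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_MX, CLASS_IN)


def build_response(query: bytes, rrs) -> bytes:
    """Answer `query` with (type, rdata) RRs owned by a pointer to the question name (offset 12)."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(rrs), 0, 0)
    body = b""
    for rtype, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + body


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2                         # resume after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg: bytes) -> dict:
    """Parse the header, the single question and the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_MX:
            pref = struct.unpack(">H", msg[off:off + 2])[0]
            exch, _ = read_name(msg, off + 2)
            rdata = (pref, exch)
        elif rtype == TYPE_A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, rdata))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "qtype": qtype, "answers": answers}


def classify(query: bytes, response: bytes) -> str:
    """Label a response against the MX query it claims to answer."""
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"] or r["qname"].lower() != q["qname"].lower() or r["qtype"] != q["qtype"]:
        return "mismatch"            # not an answer to this question at all
    if r["rcode"] != 0:
        return "error"
    if not r["answers"]:
        return "empty"
    types = {rtype for _, rtype, _ in r["answers"]}
    if types == {TYPE_MX} and all(rdata[1] for _, _, rdata in r["answers"]):
        return "well-formed-mx"      # MX RRs with a preference and an exchange name
    return "wrong-type"              # e.g. an A record with an address instead of MX data


def demo() -> dict:
    """Constructed query and responses for example.com (not captured traffic)."""
    q = build_mx_query("example.com")
    mx_rdata = struct.pack(">H", 10) + encode_name("mail.example.com")
    good = build_response(q, [(TYPE_MX, mx_rdata)])
    injected = build_response(q, [(TYPE_A, bytes([203, 0, 113, 5]))])
    other = build_response(build_mx_query("example.com", txid=0x4321), [(TYPE_MX, mx_rdata)])
    return {"well_formed": classify(q, good), "injected": classify(q, injected),
            "mismatch": classify(q, other)}


if __name__ == "__main__":
    print(demo())
```

The point of the check is that a well-formed MX answer passes every structural test a resolver applies, so type and format validation alone will not separate the Muddling Meerkat responses from legitimate ones; it does separate them from the older injection pattern, which is why the source address and the volume of such answers, rather than their shape, are what need watching.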

The motive behind Muddling Meerkat’s sustained activity over multiple years remains unclear. While it’s speculated to be part of an internet mapping effort or research endeavor, the full scope of its operations is yet to be fully understood.

Dr. Burton highlighted the challenge posed by Muddling Meerkat’s operations, stressing the difficulty in comprehending such intricate DNS activities compared to conventional malware. Government agencies like CISA and the FBI have cautioned about undetected Chinese prepositioning operations, underscoring the need for vigilance in the face of opaque threats.

The emergence of Muddling Meerkat underscores the evolving landscape of cyber threats, with actors demonstrating increasingly sophisticated tactics to navigate security measures and carry out clandestine activities on a global scale.
