Muddling\u00a0Meerkat utilizes sophisticated DNS activities, likely propagated by Chinese state actors, to bypass traditional security measures and probe networks worldwide With market-leading DNS expertise, backed by data science and AI, Infoblox Threat Intel hunts, tracks and stops threats lurking in DNS, up to 60+ days before other security tools Infoblox Threat Intel enables Infoblox BloxOne\u00ae\u00a0Threat Defense customers to see who and what connects to their network \u2013 disrupting threat actors’ operations and infrastructure pre-incident Infoblox introduces Zero Day DNS\u2122\u00a0feature that detects and blocks attacks launched from domains immediately used after registration as part of a zero trust model for DNS <\/p>\n
SANTA CLARA, Calif.<\/span>, April 29, 2024<\/span> \/PRNewswire\/ — Infoblox Inc.<\/a>, a leader in cloud networking and security services, today announced\u00a0that its threat intel researchers, in collaboration with external researchers, have uncovered “Muddling Meerkat,” a likely PRC state actor with the ability to control the Great Firewall (GFW) of China<\/span>, a system that censors and manipulates traffic entering and exiting China’s<\/span> internet. This DNS threat actor is particularly sophisticated in its ability to bypass traditional security measures, as it conducts operations by creating large volumes of widely distributed DNS queries that are subsequently propagated through the internet through open DNS resolvers. Infoblox leveraged its deep understanding and unique access to DNS to discover this cyberthreat, pre-incident, blocking its domains to ensure its customers are safe.<\/p>\n “Infoblox Threat Intel eats, sleeps, and breathes DNS data,” said Dr. Ren\u00e9e Burton, Vice President, Infoblox Threat Intel. “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrates a strong understanding of DNS, stressing the importance of having a DNS detection and response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”<\/p>\n The moniker “Muddling Meerkat” was given to describe the actor as an animal that appears cute, but in reality it can be dangerous, living in a complex network of burrows underground, and out of view. From a technical perspective, “Meerkat” references the abuse of open resolvers, particularly through the use of DNS mail exchange (MX) records. “Muddling” refers to the bewildering nature of their operations.<\/p>\n With a deep understanding of and visibility into DNS, Infoblox Threat Intel can see attacker infrastructure as it’s created, stopping both known and emerging threats earlier. With 46M<\/span> unique threat indicators detected in 2023 and a practically non-existent false positive rate of 0.0002%, Infoblox Threat Intel detected 82% of threats before or at the first query thus far in 2024 leveraging our patent pending threat intelligence system along with Infoblox’s new Zero Day DNS capability. The threat actor, Muddling Meerkat, has been operating covertly since at least October 2019<\/span>. At first glance, its operations look like Slow Drip distributed denial-of-service (DDoS) attacks, however, it is unlikely DDoS is their ultimate goal. The motivation of the actor is unknown, though they may be performing reconnaissance or prepositioning for future attacks.<\/p>\n Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries.<\/p>\n The research further shows that their operations:<\/p>\n Induce responses from the Great Firewall, including false\u00a0MX records from the Chinese IP address space. This highlights a novel use of national infrastructure as a fundamental part of their strategy. Trigger\u00a0DNS queries for MX and other record types to domains not owned by the actor, but which reside under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the real intended purpose. Utilize super-aged domains, typically registered prior to the year 2000, enabling the actor to blend in with other DNS traffic and avoid detection. This further highlights the threat actor’s understanding of both DNS and existing security controls. <\/p>\n The full report\u00a0on Muddling Meerkat can be found here<\/a>.<\/p>\n Infoblox Threat Intel Gets a Bold New Look, Demonstrating Industry-Leading Commitment to DNS Threat Intelligence<\/p>\n Infoblox Threat Intel is the leading creator of original DNS threat intelligence in the market today. The group, led by Dr. Ren\u00e9e Burton<\/a>, a 22-year veteran of NSA, is composed of researchers across five countries who have deep expertise in DNS, data science, ML\/AI, intelligence analysis, software reverse engineering, and malicious spam detection. Infoblox put a new focus on the team’s public identity<\/a> to distinguish itself from the sea of threat intel aggregators – highlighting its expertise in original DNS threat research.<\/p>\n Throughout the past year, Infoblox Threat Intel was the first to report other DNS threat actors, all of which had gone undetected for over a year by the rest of the industry. These include DNS C2 malware toolkit Decoy Dog<\/a>, malicious link shortening service provider Prolific Puma<\/a>, the most extensive known cybercriminal traffic distribution system VexTrio<\/a> Viper (aka VexTrio), and DNS CNAME redirection network provider Savvy Seahorse<\/a>. These publications represent a small fraction of the number of DNS threat actors Infoblox Threat Intel has discovered and are tracking.<\/p>\n “The sheer mass of threat actors effectively hiding in the DNS should be a wakeup call for every defender to make DNS threat intelligence an essential part of their strategy,” added Burton.\u00a0“Why? Because more than 92%2\u00a0of malware utilizes DNS.”<\/p>\n The most effective way to protect against these sophisticated threats is with DNS Detection and Response systems like Infoblox’s BloxOne\u00ae\u00a0Threat Defense<\/a>. Unlike other security solutions that are malware and post-event centric, Infoblox Threat Intel uses a multi-pronged approach to discover threats in DNS.<\/p>\n Introducing Zero Day DNS, the Newest Feature within BloxOne Threat Defense <\/p>\n Infoblox’s new cloud-based Zero Day DNS\u2122\u00a0augments the existing methods to detect and block possible threats from domains that are registered by threat actors just minutes to hours before being used in an attack. It is a zero trust model for DNS that leverages the extensive visibility Infoblox has to rapidly adjudicate hundreds of thousands of new domains in near real time every day.<\/p>\n While most domains are aged before they are used by attackers, Infoblox has discovered an alarming trend over the last 18 months, where threat actors register lookalike domains and immediately use them in targeted attacks. Zero Day DNS was designed specifically to address this risk.<\/p>\n Zero Day DNS is tailored to individual customer networks, providing a new form of custom threat intel for Infoblox BloxOne Threat Defense Advanced Cloud customers. This capability provides the earliest defense against spearphishing attacks, which were responsible for 66% of all data breaches in 2023 according to Barracuda Networks annual report on phishing trends.1\u00a0Initial results show that Zero Day DNS can detect novel threats without risk of blocking vital network access. Over 16% of the flagged domains were deemed malicious within 48 hours by other analytics.<\/p>\n “Zero Day DNS is not just a nice to have, but a strategic advantage in an environment where threat actors, particularly ransomware actors, are using a domain immediately after registration for spearphishing,” added Burton.<\/p>\n Meet Infoblox Threat Intel <\/p>\n Dr. Burton will discuss Muddling Meerkat at the RSA Conference in San Francisco<\/span>, May 6-9<\/span>. Live sessions will be held at Booth S-726.\u00a0Visit this here<\/a> to request a meeting with Infoblox at RSAC 2024.<\/p>\n Additionally, Dr. Burton is hosting a webinar titled: Infoblox Threat Intel \u2013 Disrupting Cybercrime Where it Begins \u2013 DNS, on May 8<\/span> at 10 am PDT<\/span>. Register to attend here<\/a>.<\/p>\n About Infoblox Media Contacts: 1 https:\/\/www.barracuda.com\/reports\/spear-phishing-trends-2023<\/a> \u00a0<\/p>\n
Infoblox unites networking and security to deliver unmatched performance and protection. Trusted by Fortune 100 companies and emerging innovators, we provide real-time visibility and control over who and what connects to your network, so your organization runs faster and stops threats earlier. Visit Infoblox.com<\/a>, or follow-us on LinkedIn<\/a>\u00a0or Twitter<\/a>.<\/p>\n
pr@infoblox.com<\/a>
infoblox@ruderfinn.com<\/a>\u00a0<\/p>\n
2\u00a0https:\/\/executivegov.com\/2020\/06\/anne-neuberger-on-nsas-secure-dns-pilot-program\/<\/a><\/p>\n
Infoblox discovers Muddling Meerkat – the Great Firewall Manipulator.<\/span> <\/div>\n