S3 Ep135: Sysadmin by day, extortionist by night

Muddling Meerkat Using DNS As A Powerful Weapon For Sophistication

[[{“value”:”

Hackers exploit DNS vulnerabilities to redirect users to malicious websites, launch distributed denial-of-service (DDoS) attacks by overwhelming DNS servers, and manipulate domain resolutions to intercept traffic for surveillance or data theft purposes.

Infoblox researchers recently revealed “Muddling Meerkat,” a highly sophisticated likely Chinese state actor able to manipulate China’s Great Firewall internet censorship system. 

This DNS-based threat bypasses security by generating massive distributed DNS query volumes propagated through open resolvers worldwide.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Try ANY.RUN for FREE

Muddling Meerkat & Chinese Firewall

Leveraging its DNS expertise, Infoblox proactively discovered and blocked the actor’s domains to protect customers from this emerging cyber threat operating under China’s control of its national internet infrastructure.

Infoblox Threat Intel’s Dr. Renee Burton explained, “It was our unwavering focus on DNS data coupled with advanced data science and AI that enabled us to track down a Chinese-controlled DNS operator which we believe is behind the so-called ‘Muddling Meerkat’ campaign.” 

The nickname denotes the campaign’s mysterious nature and its elaborate use of open resolvers and MX records to hide its tactics. 

This discovery underscores for Infoblox customers the need for strong detection and response capabilities against such advanced threats based on DNS. 

Not only that, but this actor’s activity also shows a deep understanding of domain name system (DNS) operations, which illustrates the importance of securing them.

Muddling Meerkat has been active since 2019 and shows a very high-level attack on the DNS system. 

The Meerkat’s true intentions are currently unknown, but they seem to be related to reconnaissance. Initially, it was believed to be another type of slow-drip DDoS attack. 

82% of this year’s threats were stopped by patented technology and Zero Day DNS capabilities before they could even make their first query, which amounts to a total of 46 million indicators identified in 2023 at a rate equal to .0002 percent false positives per one million queries.

Here below, we have mentioned all the sophisticated things that threat actors do in their operations:-

To provoke reactions from the Great Firewall, they can use non-MX records within Chinese IP ranges that will be false to show how their strategy involves using national infrastructure in new ways.

It can also be done by sending DNS queries for MX records as well as other types of domain name system resource record sets, such as those under common top-level domains like “.com” and “.org,” which are not owned or controlled by the threat actors. This helps hide the true intentions.

Another method is employing old domains created before 2000 to pass off as regular traffic on the domain name service while bypassing detection mechanisms, which only look for recently registered ones, indicating a deeper understanding of how DNS works.

Muddling Meerkat appears to be a Chinese state actor, because we can observe MX record responses from Chinese IP addresses that are not open on port 53 of Muddling Meerkat target domains over multiple years, I am confident those responses are results of the GFW,” researchers said.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

The post Muddling Meerkat Using DNS As A Powerful Weapon For Sophistication appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News 

Deep dive into the 2024 Incident Response Report with Unit 42’s Michael “Siko” Sikorski

This episode of Threat Vector outlines a conversation between host David Moulton, Director of Thought Leadership at Palo Alto Networks Unit 42, and Michael “Siko” Sikorski, Unit 42’s CTO and VP of Engineering, discussing the Unit 42’s 2024 Incident Response Report. They provide insights into key cyber threats and trends including preferred attack vectors, the escalating use of AI by threat actors, software vulnerabilities, the concept of ‘living off the land’ attacks, and the importance of robust incident response strategies. They also address the rising trend of business disruption, supply chain attacks, and share recommendations for mitigating these cyber threats.   Read More 

The CyberWire