China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale

A newly discovered cyber threat known as Muddling Meerkat has been actively engaging in sophisticated DNS activities since October 2019. This threat is believed to have affiliations with the People's Republic of China due to its utilization of DNS open resolvers from Chinese IP space and its potential control over the Great Firewall, which is known for censoring internet access and manipulating internet traffic in and out of China.

Muddling Meerkat's operations involve intricate DNS manipulations aimed at evading security measures and conducting reconnaissance on networks globally. The threat actor leverages DNS queries for various record types, particularly mail exchange records, directed at domains not under their control but hosted under prominent top-level domains like .com and .org. These domains include super-aged ones registered before 2000, allowing the threat actor to blend their activities with legitimate DNS traffic and avoid detection through common blocklists.

Security Officer Comments:
Researchers note Muddling Meerkat’s use of false MX record responses originating from Chinese IP addresses. This behavior, while reminiscent of tactics employed by the GFW, differs in that the responses contain properly formatted MX resource records instead of IPv4 addresses. This unique tactic sets Muddling Meerkat apart and showcases its advanced understanding of DNS and evasion techniques.

The exact purpose behind Muddling Meerkat’s prolonged DNS activities remains ambiguous. While it’s speculated to be part of an internet mapping or research initiative, the threat’s sophistication and ability to manipulate DNS traffic raise concerns about potential cyber threats and espionage activities.

Suggested Corrections:
Researchers highlight potential network vulnerabilities that arise from neglect and the complexity of modern internet communications. In particular, they recommend the following for network administrators:
  • Actively seek out and eliminate open resolvers in their networks. Identifying these devices can be challenging, but companies like Infoblox and organizations like the Shadowserver Foundation can offer critical information to help.
  • Do not use domains that you do not own for Active Directory or DNS search domains. You are very likely to leak information about your network and user applications to the authoritative name server, as well as to other appliances outside of your control. This kind of information can allow a bad actor to perform passive reconnaissance of the network for targeted attacks.
  • Incorporate DNS detection and response (DNSDR) into your security stack. Only a DNS resolver can effectively handle threats that are inherently in DNS. Most security products won’t even recognize the difference between an MX query and an A record query.
  • Report Muddling Meerkat activity to the community. Because it is impossible to observe the entire scope from any one vantage point, it is important to crowdsource an understanding of this threat. In particular, reporting additional Muddling Meerkat domains will help others find open resolvers and activity in their network.
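The first and third recommendations above can be checked against resolver logs. The script below is an added example (not code from the advisory or from Infoblox): it runs over constructed log lines in a hypothetical "timestamp client qname qtype" format, flags queries arriving from outside the organization's address space (a sign the resolver is open to the internet) and counts MX queries for domains the organization does not own, which is the query type this activity leans on. The internal network range, the owned-domain list and the log format are all assumptions.

```python
"""Added example: resolver-log triage for open-resolver use and foreign MX queries."""
import ipaddress
from collections import Counter

# Constructed sample log lines (hypothetical format): "timestamp client qname qtype"
SAMPLE_LOG = """\
2024-04-29T10:00:01 10.0.1.25 mail.example-corp.internal MX
2024-04-29T10:00:02 203.0.113.7 oldbrand.com MX
2024-04-29T10:00:03 10.0.1.30 www.example-corp.internal A
2024-04-29T10:00:04 198.51.100.9 legacy-store.org MX
2024-04-29T10:00:05 10.0.1.25 oldbrand.com MX
2024-04-29T10:00:06 203.0.113.7 oldbrand.com A
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the organization's client space
OWNED_DOMAINS = {"example-corp.internal"}              # assumption: zones the organization controls


def is_internal(ip: str) -> bool:
    """True if the querying client sits inside the organization's address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def owned(qname: str) -> bool:
    """True if the queried name is the organization's own domain or a subdomain of it."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)


def analyze(log_text: str) -> dict:
    """Return external clients (open-resolver hits) and per-domain counts of MX queries
    for domains the organization does not own."""
    external_clients = Counter()
    foreign_mx = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        if not is_internal(client):
            external_clients[client] += 1   # someone outside the network is using this resolver
        if qtype.upper() == "MX" and not owned(qname):
            foreign_mx[qname.rstrip(".").lower()] += 1
    return {"external_clients": dict(external_clients), "foreign_mx": dict(foreign_mx)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

External clients hitting the resolver at all are the open-resolver finding; a steady stream of MX queries for aged domains nobody in the organization uses is the pattern worth reporting to the community.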
Indicators of Activity: