Before last week’s RSA Conference, Infoblox Inc. announced that its threat intel researchers uncovered “Muddling Meerkat,” which it characterizes as “a likely PRC state actor with the ability to control the Great Firewall of China.”
The GFW censors and controls internet traffic entering and exiting China. The company said the threat actor used sophisticated techniques to bypass security. According to Infoblox, Muddling Meerkat “creates large volumes of widely distributed DNS queries that are subsequently propagated through the internet through open DNS resolvers.” Infoblox said its visibility into DNS traffic enabled it to discover the threat “pre-incident” and block its domains to protect its customers.
At RSAC, I met with Dr. Renée Burton, Vice President of Infoblox Threat Intel, who said DNS data is the company’s focus. “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers,” she said. “This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response strategy to stop sophisticated threats like Muddling Meerkat.”
Burton also walked me through some recent DNS-related threat intelligence research the company just completed for the show. The data showed the importance of DNS in stopping advanced threats. The research found that a whopping 92% of malicious activity can be blocked using DNS, and 60% of threats can be blocked before the first DNS query occurs.
The one data point that underscored the role of DNS security is that 3.5 million new malicious and suspicious domains are created monthly. These are widely used by phishers to lure unsuspecting people into clicking on bad links and giving up personal or company information.
It’s not an adorable animal
Although a meerkat might be considered adorable, Infoblox said it is anything but cute. “In reality, it can be dangerous to live in a complex network of burrows underground and out of view,” the company wrote in the announcement. “From a technical perspective, ‘Meerkat’ references the abuse of open resolvers, particularly through DNS mail exchange records. ‘Muddling’ refers to the bewildering nature of their operations.”
Infoblox said Meerkat, in its murky machinations, exhibits a nuanced grasp of DNS, an area where most threat actors falter. It also underscores that DNS itself can be a potent attack vector.
Prompting reactions from the Great Firewall
The company’s investigation shows that Meerkat can prompt reactions from China’s Great Firewall, including fabricating mail exchange or MX records from the Chinese IP address space — an interesting exploitation of national infrastructure.
It can also prompt DNS queries for MX and other record types toward domains not under the actor’s control but within top-level domains like .com and .org. In addition, by employing old domains, usually registered before the turn of the millennium, the actor evades detection by blending in with other DNS traffic — again, showing an understanding of DNS.
New look for Infoblox Threat Intel
At the same time it released information about Muddling Meerkat, Infoblox also announced a new look for its Threat Intel unit, led by Burton, a 22-year veteran of the NSA. Infoblox says its new focus on the team’s public identity is intended to distinguish itself from the sea of threat intel aggregators and highlight its DNS threat research expertise.
The company touted its discoveries of the past year, including being the first to report other DNS threat actors that were undetected by other industry players for more than a year, including DNS C2 malware toolkit Decoy Dog, malicious link shortening service provider Prolific Puma, cybercriminal traffic distribution system VexTrio Viper (aka VexTrio), and DNS CNAME redirection network provider Savvy Seahorse.
Zero Day DNS
The company also said its new Zero Day DNS will enable the detection and blocking of attacks from threat actor-registered domains before they can be used as part of an attack.
“Zero Day DNS is not just a nice to have, but a strategic advantage in an environment where threat actors, particularly ransomware actors, are using a domain immediately after registration for spearphishing,” Burton said.
Because Infoblox monitors DNS-level information, it has a good idea of which domain names are legitimate and which ones are not. A basic example is “Infoblox.com,” which is legitimate, but lnfoblox.com, where the “i” was replaced with a lowercase “L,” is not. In the browser’s address bar, the differences are negligible and challenging for a user to see. The thesis behind Zero Day DNS is simple: if the traffic is likely malicious, block it. Being wrong in that direction is cheap, since the domain can be unblocked afterward; the opposite mistake leaves security operations dealing with a breach.
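To illustrate the lookalike-domain problem described above, here is a small checker written for this article (it is not Infoblox’s Zero Day DNS logic). It collapses visually confusable characters so that lnfoblox.com and 1nfoblox.com compare equal to infoblox.com, and goes one step beyond the page’s example by also catching one-character typos; the protected domain list and the queried names are constructed.

```python
# Constructed list of domains the organisation owns (assumption for this example).
PROTECTED_DOMAINS = {"infoblox.com", "example-bank.com"}

# Characters that look alike in a typical address-bar font; each maps to one
# canonical stand-in so that lookalikes collapse to the same string.
CONFUSABLES = {"vv": "w", "rn": "m", "l": "i", "1": "i", "|": "i", "0": "o", "5": "s"}


def canonical(label: str) -> str:
    """Collapse confusable characters; 'lnfoblox' and 'infoblox' become equal."""
    s = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)  # multi-character confusables are applied first
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos or omissions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a queried DNS name."""
    host = qname.rstrip(".").lower()
    if "." not in host:
        return "unrelated"
    # Assumption: registrable domain is the last two labels (no co.uk handling).
    domain = ".".join(host.split(".")[-2:])
    if domain in PROTECTED_DOMAINS:
        return "legitimate"
    label = domain.rsplit(".", 1)[0]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.rsplit(".", 1)[0]
        # Same brand label in a different TLD also counts as a lookalike.
        if canonical(label) == canonical(brand_label) or edit_distance(label, brand_label) <= 1:
            return "lookalike"
    return "unrelated"


def flag_queries(qnames):
    """Filter a batch of constructed query names down to the lookalikes."""
    return [q for q in qnames if classify(q) == "lookalike"]


if __name__ == "__main__":
    sample = ["www.infoblox.com", "lnfoblox.com", "mail.1nfoblox.com", "infblox.com", "github.com"]
    print(flag_queries(sample))
```

A real deployment would also feed in domain age and registration data, which is what the article says Zero Day DNS adds on top of name similarity.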
DNS security should be ubiquitous
For years, I have maintained that DNS security should be as widely deployed as firewalls. It’s the biggest “no-brainer” security tool, as it eliminates many threats before they ever get close to the company network.
Firewalls and other perimeter security have become so effective that threat actors have been forced to direct attacks at the user through phishing. We should expect to see an increase in these kinds of attacks, and it’s good that Infoblox is now doing so much research to find these types of threats before they are unleashed.