
News

Qualys Offers 30-Day Free Access to the Qualys Enterprise TruRisk Platform


Qualys is offering free 30-day access to the Qualys Enterprise TruRisk Platform to aid organisations in efficiently discovering and classifying internet-facing and internal-facing assets and prioritising vulnerabilities for swift and safe remediation, aligning with the UK’s National Cyber Security Centre (NCSC) 5-7 days guidance. NCSC recently released guidance recommending patching vulnerabilities for internet-facing services and software within five days and non-external-facing vulnerabilities within seven days.

Hadi Jaafarawi, Managing Director for Middle East at Qualys

Many organisations find it challenging to accurately discover all their assets, specifically those that are internet-facing, efficiently measure and prioritise the risk, and then remediate it. Anonymised customer data from the Qualys Threat Research Unit (TRU) indicates the median time to remediate (MTTR) for the average organisation was 29 days. In contrast, the median time to weaponise (MTTW) was just seven days.

The free access to the Qualys Enterprise TruRisk Platform allows organisations to remediate issues in as little as 30 minutes and within seven days for full alignment. Incorporating Vulnerability Management Detection and Response (VMDR), CyberSecurity Asset Management, and Patch Management, the Qualys offering helps organisations to:

  1. Identify External Assets: Accurately discover both internal and external assets within your environment and flag End of Life (EOL) and End of Support (EOS) software and devices.
  2. Conduct Efficient Risk-based Prioritisation: Vulnerabilities are prioritised by their TruRisk score and automatically mapped to necessary updates to simplify IT workflows for a customised NCSC risk and remediation view.
  3. Automate Patching: The gap between security and IT teams is closed with Qualys Patch Management. Qualys brings these groups together to safely prioritise and deploy patches automatically to help customers update by default within seven days.

“Given the rate at which adversaries are weaponising vulnerabilities, it is almost impossible for most organisations, with their complex infrastructures and patch workflows, to keep up,” said Hadi Jaafarawi, Managing Director – Middle East, Qualys. “By offering the Qualys Enterprise TruRisk Platform free for 30 days, organisations can avail of a solution that streamlines asset discovery, takes the guesswork out of understanding which vulnerabilities are the riskiest and helps with prioritisation, so they can mitigate risks quickly and efficiently to safeguard their businesses.”

Market Research

Infoblox Threat Intel Exposes “Muddling Meerkat” Behind China’s Great Firewall


Infoblox has announced that its threat intel researchers, in collaboration with external researchers, have uncovered “Muddling Meerkat,” a likely PRC state actor with the ability to control the Great Firewall (GFW) of China, a system that censors and manipulates traffic entering and exiting China’s internet. This DNS threat actor is particularly sophisticated in its ability to bypass traditional security measures, as it conducts operations by creating large volumes of widely distributed DNS queries that are subsequently propagated across the internet through open DNS resolvers. Infoblox leveraged its deep understanding of and unique access to DNS to discover this cyber threat pre-incident, blocking its domains to ensure its customers are safe.

“Infoblox Threat Intel eats, sleeps, and breathes DNS data,” said Dr. Renée Burton, Vice President, Infoblox Threat Intel. “Our unrelenting focus on DNS, using cutting-edge data science and AI, has enabled our global team of threat hunters to be the first to discover Muddling Meerkat lurking in the shadows and produce critical threat intelligence for our customers. This actor’s complex operations demonstrate a strong understanding of DNS, stressing the importance of having a DNS detection and response (DNSDR) strategy in place to stop sophisticated threats like Muddling Meerkat.”

The moniker “Muddling Meerkat” was given to describe the actor as an animal that appears cute, but in reality, it can be dangerous, living in a complex network of burrows underground, and out of view. From a technical perspective, “Meerkat” references the abuse of open resolvers, particularly through the use of DNS mail exchange (MX) records. “Muddling” refers to the bewildering nature of their operations.

With a deep understanding of and visibility into DNS, Infoblox Threat Intel can see attacker infrastructure as it’s created, stopping both known and emerging threats earlier. With 46M unique threat indicators detected in 2023 and a practically non-existent false positive rate of 0.0002%, Infoblox Threat Intel detected 82% of threats before or at the first query thus far in 2024, leveraging its patent-pending threat intelligence system along with Infoblox’s new Zero Day DNS capability.

The threat actor, Muddling Meerkat, has been operating covertly since at least October 2019. At first glance, its operations look like Slow Drip distributed denial-of-service (DDoS) attacks; however, it is unlikely that DDoS is its ultimate goal. The motivation of the actor is unknown, though it may be performing reconnaissance or prepositioning for future attacks.

Muddling Meerkat demonstrates a sophisticated understanding of DNS that is uncommon among threat actors today – clearly pointing out that DNS is a powerful weapon leveraged by adversaries.

The research further shows that their operations:

  1. Induce responses from the Great Firewall, including false MX records from the Chinese IP address space. This highlights a novel use of national infrastructure as a fundamental part of their strategy.
  2. Trigger DNS queries for MX and other record types to domains not owned by the actor but which reside under well-known top-level domains such as .com and .org. This tactic highlights the use of distraction and obfuscation techniques to hide the real intended purpose.
  3. Utilize super-aged domains, typically registered prior to the year 2000, enabling the actor to blend in with other DNS traffic and avoid detection. This further highlights the threat actor’s understanding of both DNS and existing security controls.


News

Anomali Expands its Reach in KSA and UAE


Anomali is strengthening its presence in the Middle East region by expanding its initiatives in the United Arab Emirates (UAE) and the Kingdom of Saudi Arabia (KSA). With a focus on innovation and collaboration, Anomali says it is set to revolutionise the cybersecurity landscape through strategic partnerships with key stakeholders in both markets.

In KSA, Anomali is expanding its investment by establishing a wholly-owned subsidiary, reaffirming its commitment to fortify critical infrastructure and businesses against escalating cybersecurity risks. Dr. Rubaie, along with local executives and key partners, is hosting celebration events in Riyadh on April 29 and Dammam on April 30, engaging with stakeholders from various sectors, including oil and gas, banking, government, utilities and telecommunications.

Highlighting the significance of strategic partnerships in KSA, Anomali is collaborating with renowned companies such as StarLink and Cyberani. StarLink is a leading cybersecurity solutions provider in the region, offering innovative technologies and comprehensive services to businesses across various industries. Cyberani, backed by Saudi Aramco, is a pioneering digital solutions provider, specializing in cybersecurity and digital transformation services tailored to the unique needs of the Saudi market.

Speaking about the expansion in KSA, Dr. Rubaie emphasised the kingdom’s rapid technology adoption and the pressing need for advanced security measures. “Our continued investment in Saudi Arabia reflects our proactive approach to addressing evolving cybersecurity challenges and supporting the Kingdom’s digital agenda,” he said.

Both in the UAE and KSA, Anomali emphasises the importance of thinking differently in 2024, urging security leaders to pivot towards automation and advanced security analytics. With its innovative approach and cloud-native capabilities, Anomali aims to empower organizations to protect their businesses effectively while driving productivity and efficiency.

In the UAE, Anomali unveils its latest innovation designed to assist customers in deploying a differentiated multi-lingual Copilot, enhancing security analytics solutions with unprecedented speed, scale and performance while optimizing costs. Dr. Ahmed Rubaie, CEO of Anomali, is spearheading a “Be Different” roadshow, culminating in a celebration event in Dubai on May 1, in collaboration with strategic partner StarLink.

Dr. Rubaie said, “With the region’s geopolitical significance and rapid digitization, there’s an urgent need for advanced security measures. Anomali is excited to introduce a ‘different’ way of managing security operations, aligning with the UAE’s emphasis on innovation and productivity.”


Critical Communications

TCCA and GCF to Develop Industry Certification Program for Mission-Critical Products and Solutions


Ensuring that mission-critical services over broadband networks are actually mission-critical is a complex process. First responders and other users of critical communications services need to have full trust in their voice, video and data applications in what could be life-threatening situations. To ensure this trust, the Global Certification Forum (GCF) is working together with TCCA to develop an industry certification program for mission-critical products and solutions where conformance to 3GPP standards will be checked and verified and thus ensure interoperability between different solution providers.

The work on establishing this certification program will progress at a dedicated workshop on May 17, following Critical Communications World in Dubai, which takes place from May 14-16. This workshop, the third in the series, will aim to gather input to the future development of the MCX certification programme, and due to its location and timing, will provide an opportunity to hear from local stakeholders to understand regional requirements and ensure alignment with industry. Hosted by TCCA member Airbus in Dubai, the workshop is open to all GCF and TCCA members, and to non-members subject to approval.

GCF and TCCA have established a permanent Mission Critical Services Workstream (MCS WS) within the GCF. This comprises key industry players and subject matter experts from GCF and TCCA member companies, who are in the process of developing the key requirements for testing mission-critical services, as well as defining the policies and procedures for the certification program. The team has established testing scope for both Conformance Testing and Field Trials testing and is working to develop Interoperability and Performance testing criteria.

The MCS certification program will ensure that the dependability and resilience that are core characteristics of narrowband services such as TETRA are carried forward into the 4G/5G ecosystem. In 1999, TCCA created and continues to manage the world-leading TETRA Interoperability (IOP) process that underpins the continued success of TETRA around the world. GCF has more than 25 years of best practices in managing the certification of wireless products for the telecoms industry.

Certification will be a key topic in the program at Critical Communications World, with dedicated Focus Forums taking place on May 14-15. Focus Forums are in-depth, deep-dive sessions providing knowledge sharing and comprehensive updates in each topic area. The focused sessions will comprise multiple presentations, interactive discussions and roundtables, allowing specialists to come together to learn about developments and share their own challenges, experiences and skills.


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.