Muddling Meerkat: hackers from the Middle Kingdom take DNS under their control

Father

How did the Great Firewall of China become a weapon in the hands of cybercriminals?

The hacker group, dubbed Muddling Meerkat by security researchers, has been using sophisticated domain name system (DNS) techniques to conduct intelligence activities on networks around the world since October 2019.

According to Infoblox, a company specializing in cloud security, this group is probably affiliated with China and has the ability to control the so-called Great Firewall (GFW), which censors access to foreign sites and manipulates the country's Internet traffic.

Muddling Meerkat's operations are described as "perplexing", reflecting their ability to use open DNS resolvers to send requests from the Chinese IP space. Such actions demonstrate an advanced understanding of DNS, which, according to experts, makes this technology a powerful weapon in the hands of hackers.

Muddling Meerkat's tactic involves initiating DNS queries for mail exchange (MX) and other record types to domains that do not belong to the attackers themselves, but are located in well-known top-level domains such as ".com" and ".org". Infoblox has identified more than 20 such domains, many of which are old and were registered before 2000, which allows the hackers to remain undetected and evade blocking.

In addition, experts observed attempts to use servers in the Chinese IP space to create DNS queries to random subdomains of IP addresses around the world, which corresponds to the well-known methods of the GFW, which uses DNS forgery and manipulation to insert fake DNS responses containing random real IP addresses if the request matches a forbidden keyword or a blocked domain.

The most prominent feature of the Muddling Meerkat group is the generation of false MX records from Chinese IP addresses, which differs from the standard behavior of GFW. These responses come from IP addresses that do not provide DNS services, and also contain false data.
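The two traits described above, MX queries for random-looking subdomains of old domains and MX answers arriving from addresses that are not known DNS servers, can be checked for in resolver logs. The following is an added illustration, not code from Infoblox or the article; the log records, the address allowlist and the entropy threshold are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed resolver-side response records: (source_ip, qname, qtype, rdata).
# All addresses and names are invented for illustration, not indicators from the article.
SAMPLE_RESPONSES = [
    ("192.0.2.53", "example-mail.com.", "MX", "10 mail.example-mail.com."),
    ("203.0.113.7", "x7qk2v.oldsite.org.", "MX", "10 zq9.mx-random.invalid."),
    ("203.0.113.9", "j3hd8p.oldsite.org.", "A", "198.51.100.44"),
    ("192.0.2.53", "www.oldsite.org.", "A", "198.51.100.10"),
]

# Addresses answers are expected to come from (assumed: the resolver's configured
# forwarders / known authoritative servers). Anything else is treated as a non-DNS source.
EXPECTED_DNS_SOURCES = {"192.0.2.53"}


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label; random labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, threshold: float = 2.3) -> bool:
    """Heuristic: a label of at least 6 chars with high entropy is treated as random."""
    return len(label) >= 6 and label_entropy(label) >= threshold


def classify(record) -> list:
    """Return the list of reasons a single response record is suspicious (empty if none)."""
    src, qname, qtype, _rdata = record
    labels = qname.rstrip(".").split(".")
    reasons = []
    if src not in EXPECTED_DNS_SOURCES:
        reasons.append("answer from non-DNS source")
    # A random leftmost label under a registered domain (more than two labels) queried for MX.
    if qtype == "MX" and len(labels) > 2 and looks_random(labels[0]):
        reasons.append("MX query for random subdomain")
    return reasons


def suspicious(records) -> list:
    """Pair each flagged query name with its reasons, preserving log order."""
    return [(r[1], classify(r)) for r in records if classify(r)]


if __name__ == "__main__":
    for qname, reasons in suspicious(SAMPLE_RESPONSES):
        print(qname, "->", ", ".join(reasons))
```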

Renee Burton, vice president of threats at Infoblox, points out that this method of working with DNS queries differs from the standard GFW methods. The exact motives behind Muddling Meerkat's activities are still unclear, but there is speculation that they may be related to Internet research or some kind of mapping operation.