April 30, 2024
Severity
High
Analysis Summary
Since October 2019, a previously undocumented threat actor known as Muddling Meerkat has been observed carrying out complex domain name system (DNS) operations in an apparent attempt to bypass security controls and conduct network reconnaissance worldwide.
According to cloud security researchers, the threat actor is most likely connected to the People's Republic of China (PRC) and is able to influence the Great Firewall (GFW), which controls internet traffic entering and leaving the country and filters access to international websites. The moniker reflects the confusing nature of the operations and the actor's abuse of DNS open resolvers (DNS servers that accept recursive queries from any IP address) to send queries from IP space allocated to China.
Few threat actors today possess as deep an understanding of DNS as Muddling Meerkat does, which shows that DNS is a potent tool that adversaries can turn against their targets. Specifically, the activity involves sending mail exchange (MX) and other record-type DNS queries for domains that sit under well-known top-level domains such as .com and .org but are not owned by the actor. Researchers identified the threat actor through unusual DNS MX record queries that client devices sent to its recursive resolvers, and found more than 20 such domains.
The Great Firewall responds to Muddling Meerkat's queries with a unique kind of bogus DNS MX record that has never been observed before, which implies some relationship between Muddling Meerkat and the GFW operators. The target domain is the domain used in the queries, but it is not necessarily the target of an attack; it is simply the domain against which the probing is carried out. Muddling Meerkat does not own any of these domains.
When a request matches a restricted phrase or a blacklisted domain, the GFW is reported to use a technique known as DNS spoofing and tampering to inject false DNS answers containing random but genuine IP addresses. In other words, when a user tries to look up a prohibited term or domain, the GFW blocks or reroutes the query so that the user cannot reach the requested content. Techniques such as IP address blocking and DNS cache poisoning are used to accomplish this.
This means that if the GFW detects a query to a restricted website, it can successfully poison the cache of recursive DNS servers located inside its borders. It does this by injecting a bogus DNS reply containing an invalid IP address or an IP address belonging to a different domain. The most notable characteristic of Muddling Meerkat is the presence of fake MX record responses from Chinese IP addresses, which is a departure from the GFW's typical behavior.
As with the GFW, these responses originate from Chinese IP addresses that do not host DNS services and contain bogus answers. Unlike the GFW's known behavior, however, the Muddling Meerkat MX answers contain correctly structured MX resource records rather than IPv4 addresses. It is unclear exactly why the multi-year operation was started; it has been suggested that it may be part of some kind of research project or internet mapping initiative.
Muddling Meerkat is a Chinese nation-state actor that conducts deliberate and highly sophisticated DNS attacks against international networks on an almost daily basis, and the full extent of its activity is not visible from any single vantage point. This is where DNS activity differs from malware, which is easier to understand once it has been found. The FBI, CISA, and other organizations continue to warn about covert Chinese prepositioning activity, and anything that users cannot fully see or understand should be cause for concern.
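The analysis above describes three observables a resolver operator can look for: a client issuing MX queries across many domains it does not own, MX answers that carry an IPv4 literal instead of a properly formed MX record (the GFW's classic injection), and responses arriving from the IP indicators listed in this advisory. The following Python script is an added example written for this page, not code from the advisory or from the researchers who reported the activity. It runs over constructed sample log lines in a simplified, hypothetical resolver format (timestamp, client IP, query type, name, IP of the responding server, first answer or RCODE); the client and server addresses other than the advisory's two indicators are made up, and the "last two labels" rule for the registrable domain is a simplification.

```python
import ipaddress
import re
from collections import defaultdict

# IP indicators taken from the advisory's IOC list.
ADVISORY_IOCS = {"183.136.225.45", "183.136.225.14"}

# Constructed sample log in a simplified, hypothetical resolver format:
#   <timestamp> <client_ip> <qtype> <qname> <responding_server_ip> <answer>
# <answer> is the first record returned, or an RCODE such as NXDOMAIN.
# Everything except the two advisory IOC addresses is made up.
SAMPLE_LOG = """\
2024-04-29T10:00:01Z 10.0.0.5 A www.example.com 198.51.100.2 93.184.216.34
2024-04-29T10:00:02Z 10.0.0.9 MX example.com 198.51.100.2 10 mail.example.com.
2024-04-29T10:00:03Z 10.0.0.9 MX example.net 183.136.225.45 10 mx-constructed.invalid.
2024-04-29T10:00:04Z 10.0.0.9 MX example.org 183.136.225.14 10 mx-constructed.invalid.
2024-04-29T10:00:05Z 10.0.0.9 MX example.edu 198.51.100.2 NXDOMAIN
2024-04-29T10:00:06Z 10.0.0.9 MX example.info 198.51.100.2 203.0.113.7
2024-04-29T10:00:07Z 10.0.0.9 MX example.biz 198.51.100.2 20 mx.example.biz.
"""

# Well-formed MX rdata: a 16-bit preference followed by a fully qualified host name.
MX_RDATA = re.compile(r"^\d{1,5} [A-Za-z0-9.-]+\.$")


def parse_line(line):
    """Split one log line into its fields; the answer field may contain a space."""
    ts, client, qtype, qname, server, answer = line.split(" ", 5)
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.lower(), "server": server, "answer": answer}


def classify_answer(answer):
    """Distinguish proper MX rdata from an IPv4 literal, an RCODE, or anything else."""
    if MX_RDATA.match(answer):
        return "mx_record"
    try:
        ipaddress.IPv4Address(answer)
        return "ipv4_literal"          # an address is never valid MX rdata
    except ValueError:
        pass
    if answer.isupper():
        return "rcode"
    return "other"


def registrable_domain(qname):
    """Simplification: treat the last two labels as the registrable domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect(log_text, distinct_domain_threshold=3):
    """Return a list of findings for the three observables described in the advisory."""
    findings = []
    mx_domains = defaultdict(set)      # client -> set of domains it queried for MX
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Observable 3: response came from an address in the advisory's IOC list.
        if rec["server"] in ADVISORY_IOCS:
            findings.append({"rule": "ioc_match", "client": rec["client"],
                             "qname": rec["qname"], "server": rec["server"]})
        if rec["qtype"] != "MX":
            continue
        mx_domains[rec["client"]].add(registrable_domain(rec["qname"]))
        # Observable 2: an MX answer that is an IPv4 literal rather than MX rdata.
        if classify_answer(rec["answer"]) == "ipv4_literal":
            findings.append({"rule": "ipv4_in_mx_answer", "client": rec["client"],
                             "qname": rec["qname"], "answer": rec["answer"]})
    # Observable 1: one client probing MX records across many unrelated domains.
    for client, domains in mx_domains.items():
        if len(domains) >= distinct_domain_threshold:
            findings.append({"rule": "mx_probing", "client": client,
                             "distinct_domains": len(domains)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The threshold of three distinct domains is deliberately low so the sample trips it; in production it should be tuned against the normal MX query diversity of mail servers in the environment, which legitimately query MX for many domains, and those hosts allow-listed.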
Impact
- Security Bypass
- Identity Theft
- Cyber Espionage
Indicators of Compromise
IP
- 183.136.225.45
- 183.136.225.14
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
- Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Keep your operating system and apps up-to-date with the latest security patches and updates.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.