Trend data on the SolarWinds Orion compromise
On December 13, FireEye reported a sophisticated supply chain attack delivered through SolarWinds' Orion IT monitoring software. The malware was distributed as part of regular Orion updates and carried a valid digital signature. It hides its network traffic using a multi-staged approach and determines its command and control (C2) server using a domain generation algorithm (DGA). Analysis of DNS query traffic through Cloudflare's 1.1.1.1 resolver showed a spike in queries for avsvmcloud[.]com starting in April 2020. The attackers added more unique subdomains over time, and the geographic distribution of queries changed over the course of the attack. Cloudflare Gateway customers can block these threats and investigate their DNS query logs for related malicious domains.
Company: Cloudflare
Date published: Dec. 16, 2020
Author(s): Malavika Balachandran Tadeusz, Jesse Kipp
Word count: 546
Language: English
Hacker News points: 3