Trend data on the SolarWinds Orion compromise

On December 13, FireEye reported a sophisticated supply chain attack using SolarWinds' Orion IT monitoring software. The malware was distributed as part of regular updates to Orion with a valid digital signature. It hides its network traffic using a multi-staged approach and determines its command and control (C2) server using a domain generation algorithm (DGA). Analyzing DNS query traffic through Cloudflare's 1.1.1.1 resolver, a spike in traffic to avsvmcloud[.]com was observed starting in April 2020. The attackers added more unique subdomains over time and the geographic distribution of queries changed throughout the course of the attack. Cloudflare Gateway customers can block these threats and investigate DNS query logs for related malicious domains.