DNS Tunneling In The SolarWinds Supply Chain Attack

Cloud Security

Rony Moshkovich

Published 12/23/20

This post gives a very high-level, step-by-step illustration of the DNS tunneling method used in the SolarWinds supply chain attack to beacon from infected hosts and to select victims, and of how passive DNS lets a researcher identify those victims afterwards.



  1. An attacker compromises SolarWinds and trojanizes a DLL that belongs to its Orion software.

  2. Some customers receive the malicious DLL as a regular update to the SolarWinds Orion software.

  3. “Corporation XYZ” (a fictitious victim) receives the malicious, digitally signed DLL via that update.

  4. SolarWinds Orion loads the malicious DLL as a plugin.

  5. Once activated, the DLL reads the machine's local domain name, “local.corp-xyz.com” (a fictitious name).

  6. The malware encodes the local domain name and embeds the result as subdomain labels of a long domain name under avsvmcloud[.]com.

  7. The malware queries that long domain name through the victim's recursive DNS server (a query a passive DNS sensor can record).

  8. The recursive DNS server is not authoritative for avsvmcloud[.]com, so it forwards the query towards the zone's authoritative server.

  9. The attacker-controlled authoritative DNS server answers the query with an A record from a wildcard entry, so every infected host initially receives the same kind of reply.

  10. The attacker decodes the victim names carried in the queries, picks the victims of interest and adds a CNAME record for the chosen victim's long domain name.

  11. On the victim's next query, the new CNAME record points the long domain name at the hostname of an HTTP-based C2 server, which in turn resolves to that server's IP address.

  12. The malicious DLL downloads and executes the second-stage malware (TEARDROP, a loader that launches a Cobalt Strike Beacon).

  13. A threat researcher obtains the passive DNS (pDNS) records that captured these queries.

  14. One of the long domain names in the pDNS records is decoded back into “local.corp-xyz.com”.

  15. The researcher deduces that the decoded local domain name belongs to “Corporation XYZ”, and therefore that Corporation XYZ ran the trojanized Orion build and beaconed to the attacker.
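The steps above, as an added example that is not code from the original post and not the actual SUNBURST implementation: a Python model in which the simulated implant encodes the local domain into query labels under avsvmcloud.com (steps 5 to 7), the attacker's authoritative server answers with a wildcard A record until the operator decodes the names and adds a CNAME for the chosen victim (steps 9 to 11), and a researcher decodes the same names from a constructed passive-DNS export (steps 13 to 15). The XOR-plus-base32 label encoding, the RFC 5737 address 192.0.2.10, the host update.example.net and the sample pDNS rows are all assumptions of this example, not details of the real malware.

```python
"""Model of the DNS beacon flow in steps 5-15 (added example, not SolarWinds or
SUNBURST code; the label encoding is a stand-in, not the real scheme)."""
import base64
import hashlib
from typing import List, Optional, Tuple

ATTACKER_ZONE = "avsvmcloud.com"   # zone named in the post
WILDCARD_A = "192.0.2.10"          # assumption: RFC 5737 documentation address
C2_HOST = "update.example.net"     # assumption: hypothetical second-stage host


def _key_for(local_domain: str) -> int:
    # Deterministic per-host key byte, so a victim repeats the same query name;
    # that repetition is what lets the attacker add a record for it in step 10.
    return hashlib.sha256(local_domain.encode()).digest()[0]


def encode_label(local_domain: str) -> str:
    """Step 6: obfuscate the local domain into a DNS-safe label (XOR + base32)."""
    key = _key_for(local_domain)
    raw = bytes([key]) + bytes(b ^ key for b in local_domain.encode())
    return base64.b32encode(raw).decode().lower().rstrip("=")


def decode_label(label: str) -> str:
    """Step 14: reverse encode_label, as a researcher who knows the scheme can."""
    raw = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    key = raw[0]
    return bytes(b ^ key for b in raw[1:]).decode()


def build_query_name(local_domain: str) -> str:
    """Steps 6-7: split the label into <=63-char pieces under the attacker's zone."""
    label = encode_label(local_domain)
    pieces = [label[i:i + 63] for i in range(0, len(label), 63)]
    return ".".join(pieces + [ATTACKER_ZONE])


def recover_domain(qname: str) -> Optional[str]:
    """Strip the zone, rejoin the pieces and decode; None if not a beacon name."""
    suffix = "." + ATTACKER_ZONE
    if not qname.endswith(suffix):
        return None
    try:
        return decode_label(qname[:-len(suffix)].replace(".", ""))
    except (ValueError, IndexError):   # not base32, bad padding or empty label
        return None


class AttackerZone:
    """Steps 9-11: the attacker's authoritative server for ATTACKER_ZONE."""

    def __init__(self) -> None:
        self.seen = {}    # long qname -> decoded victim domain
        self.cnames = {}  # long qname -> C2 host, added only for chosen victims

    def resolve(self, qname: str) -> Tuple[str, str]:
        victim = recover_domain(qname)
        if victim is not None:
            self.seen[qname] = victim
        if qname in self.cnames:            # step 11: redirect the chosen victim
            return ("CNAME", self.cnames[qname])
        return ("A", WILDCARD_A)            # step 9: wildcard answer for the rest

    def select_victim(self, victim_domain: str) -> int:
        """Step 10: read the decoded names, add a CNAME for the victim's query name."""
        matches = [q for q, v in self.seen.items() if v == victim_domain]
        for q in matches:
            self.cnames[q] = C2_HOST
        return len(matches)


def hunt_pdns(pdns_rows: List[dict]) -> List[Tuple[str, str]]:
    """Steps 13-15: decode every query under the attacker zone in a pDNS export."""
    hits = []
    for row in pdns_rows:
        victim = recover_domain(row["qname"])
        if victim is not None:
            hits.append((row["qname"], victim))
    return hits


# Constructed sample pDNS rows (not real data); the beacon rows are produced by
# the same encoder the simulated malware uses.
SAMPLE_PDNS = [
    {"qname": build_query_name("local.corp-xyz.com"), "rrtype": "A", "rdata": WILDCARD_A},
    {"qname": build_query_name("ad.other-org.example"), "rrtype": "A", "rdata": WILDCARD_A},
    {"qname": "www.example.com", "rrtype": "A", "rdata": "203.0.113.5"},
]

if __name__ == "__main__":
    zone = AttackerZone()
    q = build_query_name("local.corp-xyz.com")
    print(q, zone.resolve(q))               # first contact: wildcard A record
    zone.select_victim("local.corp-xyz.com")
    print(q, zone.resolve(q))               # after selection: CNAME to the C2 host
    for qname, victim in hunt_pdns(SAMPLE_PDNS):
        print(f"{qname} -> {victim}")
```

Two practical points follow from the model. A defender who does not know the encoding can still flag the pattern in pDNS: many long, high-entropy labels under one rarely seen zone, all answered with the same A record. And a CNAME answer for such a name, rather than the wildcard A record, is the signal that a particular host was selected for the second stage, which is worth checking in pDNS before assuming a victim only beaconed.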
