The aim of this post is to provide a very high-level illustration of the DNS Tunneling method used in the SolarWinds supply chain attack.
The PDF version of this illustration is available here.
- An Attacker compromises SolarWinds company and trojanizes a DLL that belongs to its software.
- Some of the customers receive the malicious DLL as an update for the SolarWinds Orion software.
- “Corporation XYZ” receives the malicious and digitally signed DLL via update.
- SolarWinds Orion software loads the malicious DLL as a plugin.
- Once activated, the DLL reads a local domain name “local.corp-xyz.com” (a fictious name).
- The malware encrypts the local domain name and adds it to a long domain name.
- The long domain name is queried with a DNS server (can be tapped by a passive DNS sensor).
- The recursive DNS server is not authorized to resolve avsvmcloud[.]com, so it forwards the request.
An attacker-controlled authoritative DNS server resolves the request with a wildcard A record. - The Attacker checks the victim’s name, then adds a CNAME record for the victim’s domain name.
- The new CNAME record resolved the long domain name into an IP of an HTTP-based C2 server.
- The malicious DLL downloads and executes the 2nd stage malware (TearDrop, Cobalt Strike Beacon).
- A Threat Researcher accesses the passive DNS (pDNS) records.
- One of the long domain names from the pDNS records is decrypted back into “local.corp-xyz.com”.
- The Researcher deducts that the decrypted local domain name belongs to “Corporation XYZ”.
Article Link: https://blog.prevasio.com/2020/12/dns-tunneling-in-solarwinds-supply.html