DNS Tunneling In The SolarWinds Supply Chain Attack

The aim of this post is to provide a very high-level illustration of the DNS Tunneling method used in the SolarWinds supply chain attack.

The PDF version of this illustration is available here.

  •   An Attacker compromises SolarWinds company and trojanizes a DLL that belongs to its software.
  •   Some of the customers receive the malicious DLL as an update for the SolarWinds Orion software.
  •   “Corporation XYZ” receives the malicious and digitally signed DLL via update.
  •   SolarWinds Orion software loads the malicious DLL as a plugin.
  •   Once activated, the DLL reads a local domain name local.corp-xyz.com (a fictious name).
  •   The malware encrypts the local domain name and adds it to a long domain name.
  •   The long domain name is queried with a DNS server (can be tapped by a passive DNS sensor).
  •   The recursive DNS server is not authorized to resolve avsvmcloud[.]com, so it forwards the request.
    An attacker-controlled authoritative DNS server resolves the request with a wildcard A record.
  •   The Attacker checks the victim’s name, then adds a CNAME record for the victim’s domain name.
  •   The new CNAME record resolved the long domain name into an IP of an HTTP-based C2 server.
  •   The malicious DLL downloads and executes the 2nd stage malware (TearDrop, Cobalt Strike Beacon).
  •   A Threat Researcher accesses the passive DNS (pDNS) records.
  •   One of the long domain names from the pDNS records is decrypted back into local.corp-xyz.com.
  •   The Researcher deducts that the decrypted local domain name belongs to “Corporation XYZ”.

Article Link: https://blog.prevasio.com/2020/12/dns-tunneling-in-solarwinds-supply.html