08 Jun 2021

SolarWinds SUNBURST Compromise: Mapping Malicious Activity Using Farsight Historical DNS Data and Maltego

Roy Boetticher

There are many well-researched articles written about the SolarWinds compromise. However, given the skill demonstrated by the malicious actors and the open questions around attribution, one question remains: have we uncovered every avenue through which the attack might have taken place, or are there instances and patterns that conventional methods cannot, or have not yet, uncovered?

In short, the answer is no.

In this case study, focusing on the recent SolarWinds compromise, we will demonstrate how you can use the new DNSDB Flexible Search Transforms with Maltego to discover key assets and activities that may have remained hidden during mainstream investigations using conventional tools and methods. Using historical passive DNS, we will show how you can access recorded evidence of past events – distant and recent – even when the DNS assets involved (domain names, IP addresses, etc.) have long disappeared from the internet or have been lawfully seized.

About SolarWinds SUNBURST Compromise

In December 2020, cyber threat analysis company FireEye discovered a global supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute the malware named SUNBURST. The sophisticated attack affected public and private organizations—18,000 SolarWinds customers, including almost all Fortune 500 companies, government agencies, and government contractors—since as early as Spring 2020 and has resulted in network lateral movement and data theft by adversaries.

Investigating the SUNBURST Compromise

After the compromise was discovered, Microsoft took over the domain used by SUNBURST—avsvmcloud[.]com—and resolved it to 20.140.0[.]1. If SUNBURST now attempts to connect to its C2 coordinator using a subdomain of avsvmcloud[.]com, the kill switch is activated instead. As a result, without historical passive DNS data it is no longer possible to investigate the hostnames generated by the DGA, the infected victims, the attack pattern observed, or the IP addresses that the subdomains of avsvmcloud[.]com resolved to.

About Farsight DNSDB Historical Passive DNS Data

Farsight Security DNSDB® is the world’s largest DNS intelligence database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure, with more than 100 billion domain resolution records, updated in real time at over 200,000 times/second.

With Farsight Transforms in Maltego, users can expose entire networks, gain an outside-in view of their infrastructure and pivot across DNS record types. Wildcard searches expose hostnames/FQDNs and associated domains, and allow further pivoting across IPs to expose all associated domains, FQDNs, IPs, MX, NX, and other record types.

Access to Farsight Data in Maltego

Farsight Transforms are available to both community and commercial Maltego users with a free trial. You can get started immediately without an API key or registration, or sign up for the 30-day free trial for a larger query allowance.

To access the full solution, a Maltego commercial license and a Farsight DNSDB subscription are required. Learn more about access on our Data Partner page.

Case Study | Investigate and Evaluate the Scale of SolarWinds SUNBURST Attack

Using historical DNS data, investigators can still identify which subdomains resolved to which IP addresses in relation to the SUNBURST attack. Furthermore, using Farsight’s Flexible Search Transforms in Maltego, analysts can retrieve not only specific domains and IP addresses, but also every domain name matching a given pattern.

In this case study, we demonstrate how to combine Maltego’s link analysis capability and Farsight DNSDB passive DNS historical data to retrieve the historical domain and IP address data and analyze the potential scope of the SUNBURST attack. Specifically, we will study C2 communications that occurred before Microsoft’s action and possibly also before the SolarWinds compromise was public knowledge.
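The two analysis steps described above (recovering pre-takeover resolutions of avsvmcloud[.]com subdomains from historical passive DNS, and pattern-matching hostnames rather than looking them up one by one) can be illustrated offline. The following Python script is an added example and not code from Maltego, Farsight or the case study; it does not call DNSDB. It assumes a record layout with the fields `rrname`, `rrtype`, `rdata`, `time_first` and `time_last`, which is how DNSDB presents passive DNS observations, but the timestamps are written as ISO-8601 strings here for readability. All sample records, subdomain labels, victim-side IPs and the takeover cutoff date are constructed for the example; only the apex domain and the 20.140.0.1 sinkhole address come from the article.

```python
import re
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed passive DNS observations (not real DNSDB output). The DGA-style
# labels and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are
# documentation ranges, used here only as placeholders.
SAMPLE_RECORDS = [
    {"rrname": "k9q2x7d4h1m0p3v8.r1.avsvmcloud.com.", "rrtype": "A", "rdata": "203.0.113.10",
     "time_first": "2020-06-02T11:20:00Z", "time_last": "2020-12-10T09:03:00Z"},
    {"rrname": "k9q2x7d4h1m0p3v8.r1.avsvmcloud.com.", "rrtype": "A", "rdata": "20.140.0.1",
     "time_first": "2020-12-16T00:00:00Z", "time_last": "2021-05-30T00:00:00Z"},
    {"rrname": "w3b5n8t2q6c1z4y7.r1.avsvmcloud.com.", "rrtype": "A", "rdata": "198.51.100.24",
     "time_first": "2020-04-15T08:00:00Z", "time_last": "2020-12-12T17:45:00Z"},
    {"rrname": "w3b5n8t2q6c1z4y7.r1.avsvmcloud.com.", "rrtype": "A", "rdata": "20.140.0.1",
     "time_first": "2020-12-16T00:00:00Z", "time_last": "2021-05-30T00:00:00Z"},
    {"rrname": "www.avsvmcloud.com.", "rrtype": "A", "rdata": "192.0.2.5",
     "time_first": "2019-11-01T00:00:00Z", "time_last": "2020-12-14T00:00:00Z"},
    {"rrname": "avsvmcloud.com.", "rrtype": "NS", "rdata": "ns1.example-dns.invalid.",
     "time_first": "2019-10-20T00:00:00Z", "time_last": "2020-12-15T00:00:00Z"},
    {"rrname": "mail.example-corp.invalid.", "rrtype": "A", "rdata": "192.0.2.77",
     "time_first": "2020-01-01T00:00:00Z", "time_last": "2021-01-01T00:00:00Z"},
]

# Assumed date of the takeover for this example; the article only says the
# takeover happened after the December 2020 discovery.
ASSUMED_TAKEOVER_CUTOFF = "2020-12-16T00:00:00Z"
SINKHOLE_IP = "20.140.0.1"


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flex_search(records, pattern: str):
    """Wildcard match on rrname, standing in for a pattern-based search.

    fnmatch's '*' can match an empty string, so '*.avsvmcloud.com.' does not
    match the apex 'avsvmcloud.com.' (the literal '.' has nothing to match).
    """
    return [r for r in records if fnmatch(r["rrname"], pattern)]


def resolutions_before(records, cutoff: str, rrtype: str = "A"):
    """Map hostname -> set of rdata first observed strictly before cutoff.

    This is the history that a live lookup can no longer show once every
    subdomain resolves to the sinkhole.
    """
    cut = parse_ts(cutoff)
    seen = {}
    for r in records:
        if r["rrtype"] == rrtype and parse_ts(r["time_first"]) < cut:
            seen.setdefault(r["rrname"], set()).add(r["rdata"])
    return seen


def sinkholed_hosts(records, sinkhole_ip: str):
    """Hostnames that have an A record pointing at the sinkhole address."""
    return sorted({r["rrname"] for r in records
                   if r["rrtype"] == "A" and r["rdata"] == sinkhole_ip})


def dga_like_hosts(records, min_label_len: int = 16):
    """Hostnames whose leftmost label is a long run of lowercase alphanumerics.

    A crude heuristic for machine-generated labels; real DGA detection uses
    entropy or n-gram models, but this suffices to separate 'www' from the
    constructed 16-character labels in the sample.
    """
    label_re = re.compile(r"^[a-z0-9]{%d,}$" % min_label_len)
    return sorted({r["rrname"] for r in records
                   if label_re.match(r["rrname"].split(".")[0])})


if __name__ == "__main__":
    hits = flex_search(SAMPLE_RECORDS, "*.avsvmcloud.com.")
    print("pattern hits:", len(hits))
    for host, ips in resolutions_before(hits, ASSUMED_TAKEOVER_CUTOFF).items():
        print("pre-takeover", host, sorted(ips))
    print("sinkholed:", sinkholed_hosts(hits, SINKHOLE_IP))
    print("DGA-like:", dga_like_hosts(hits))
```

Running the script shows the point of the case study in miniature: the wildcard search returns five observations under the apex, the two DGA-style subdomains each carry a pre-takeover resolution to an address that a live lookup would never reveal again, and the same hostnames now resolve only to the sinkhole. Against real DNSDB data the `time_first`/`time_last` window of each pre-takeover record is what lets an analyst bound when a given victim was beaconing.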

[Screenshot: Maltego Farsight case study graph]

Download and Read the Case Study Now

Download and read this case study now to learn how historical passive DNS observations can help uncover past, present and even future threats!


Download and watch the live demo of the SolarWinds SUNBURST investigation and Farsight’s new Flexible Search Transforms, and take a deep dive into historical passive DNS data!
