{
	"id": "7861c1dd-3e0b-42e0-9480-4626383a949d",
	"created_at": "2026-04-06T01:30:27.162859Z",
	"updated_at": "2026-04-10T03:21:47.19012Z",
	"deleted_at": null,
	"sha1_hash": "1b68a761f4a273452a57633bc36bf0d328addf46",
	"title": "Trend data on the SolarWinds Orion compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 788934,
	"plain_text": "Trend data on the SolarWinds Orion compromise\r\nBy Malavika Balachandran Tadeusz, Jesse Kipp\r\nPublished: 2020-12-16 · Archived: 2026-04-06 00:12:21 UTC\r\nOn Sunday, December 13, FireEye released a report on a sophisticated supply chain attack leveraging SolarWinds' Orion IT monitoring software. The malware was distributed as part of regular updates to Orion and had a valid digital signature.\r\nOne of the notable features of the malware is the way it hides its network traffic using a multi-staged approach. First, the malware determines its command and control (C2) server using a domain generation algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com.\r\nThese algorithmically generated strings are added as a subdomain of one of the following domain names to create a new fully-qualified domain name to resolve:\r\n.appsync-api[.]eu-west-1[.]avsvmcloud[.]com\r\n.appsync-api[.]us-west-2[.]avsvmcloud[.]com\r\n.appsync-api[.]us-east-1[.]avsvmcloud[.]com\r\n.appsync-api[.]us-east-2[.]avsvmcloud[.]com\r\nAn example of such a domain name might look like: hig4gcdkgjkrt24v6isue7ax09nksd[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com\r\nThe DNS query response to a subdomain of one of the above will return a CNAME record that points to another C2 domain, which is used for data exfiltration. The following domains were identified as the C2 domains used for data exfiltration:\r\nfreescanonline[.]com\r\ndeftsecurity[.]com\r\nthedoccloud[.]com\r\nwebsitetheme[.]com\r\nhighdatabase[.]com\r\nincomeupdate[.]com\r\ndatabasegalore[.]com\r\npanhard\r\nMalware activity seen on Cloudflare’s public DNS resolver 1.1.1.1\r\nUsing the published details about the network observables of the malware, we analyzed DNS query traffic to the identified malicious hostnames. Because 1.1.1.1 has a strong, audited privacy policy, we are unable to identify the source IP of users connecting to the malicious hostname — we can only see aggregated trends.\r\nWe first noticed a spike in DNS traffic through Cloudflare’s 1.1.1.1 resolver to avsvmcloud[.]com starting in April 2020:\r\nhttps://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/\r\nPage 1 of 4\r\nReviewing the subdomain data, a specific pattern of DGA domains emerged as early as April. These subdomains followed a format (e.g. {dga-string}[.]appsync-api[.]{region}[.]avsvmcloud[.]com). As time went on, the attackers added more unique subdomains. The graph below depicts the unique newly observed subdomains of avsvmcloud[.]com on a weekly basis.\r\nAs illustrated in the graphs, we noticed a major rise in activity over the summer, with total subdomains observed reaching steady state in September.\r\nWhile the growth of unique names slowed down starting in October, the geographic distribution continued to change during the entire course of the attack. During the first few weeks of the attack, queries originated almost entirely from clients in North America and Europe. In May, the source of queries began to spread across the globe. By July, the queries began to cluster again, this time in South America, before returning to originate primarily from North America in November.\r\nProtecting our customers from malicious activity\r\nCloudflare’s 1.1.1.1 resolver has strict privacy protections, so we can only see trends of this attack. We cannot notify users that they might be compromised, because we intentionally do not know who those users are. For customers of Cloudflare Gateway, however, we can help them block these types of threats, and identify cases where they might be compromised.\r\nCloudflare Gateway consists of features that secure how users and devices connect to the Internet. Gateway’s DNS filtering feature is built on the same technology that powers 1.1.1.1, and adds security filtering and logging.\r\nFollowing the FireEye report, Cloudflare blocked access to the C2 domains used in this attack for customers using the “Malware” category in Gateway, as well as for customers using 1.1.1.1 for Families (1.1.1.2 \u0026 1.1.1.3).\r\nOur response team is working with customers to search logs for queries related to the malicious domains. Gateway customers can also download logs of their DNS query traffic and investigate on their own.\r\nSource: https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/"
	],
	"report_names": [
		"solarwinds-orion-compromise-trend-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775439027,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b68a761f4a273452a57633bc36bf0d328addf46.pdf",
		"text": "https://archive.orkl.eu/1b68a761f4a273452a57633bc36bf0d328addf46.txt",
		"img": "https://archive.orkl.eu/1b68a761f4a273452a57633bc36bf0d328addf46.jpg"
	}
}