Cyber Threat Intel Analysis and Expansion of SolarWinds Identified IoCs

Read the original article: Cyber Threat Intel Analysis and Expansion of SolarWinds Identified IoCs


The SolarWinds hack affected several government agencies and tech companies in the U.S. and worldwide. The sophisticated malware attack is believed to have compromised the trusted IT management software as early as March 2020 but only came to light in December.

Owing to the scale of the breach, several cybersecurity organizations, principally FireEye and other companies such as Open Source Context, released lists of indicators of compromise (IoCs). You can view the IoCs from FireEye here and those from Open Source Context here.

Using our domain intelligence sources, we analyzed these IoCs and uncovered more artifacts. Here are the results of our analysis.

SolarWinds IoC Cyber Threat Intel Analysis

The FireEye and Open Source Context lists together yielded a total of 18 domain names, listed below:

  • avsvmcloud[.]com
  • databasegalore[.]com
  • deftsecurity[.]com
  • digitalcollege[.]org
  • freescanonline[.]com
  • globalnetworkissues[.]com
  • highdatabase[.]com
  • incomeupdate[.]com
  • kubecloud[.]com
  • lcomputers[.]com
  • panhardware[.]com
  • seobundlekit[.]com
  • solartrackingsystem[.]net
  • thedoccloud[.]com
  • virtualdataserver[.]com
  • webcodez[.]com
  • websitetheme[.]com
  • zupertech[.]com

One of the first things that stood out when we reviewed the list of IoCs is that no brand or company name was used. Instead, the attackers used generic terms such as “seo,” “web,” “cloud,” “database,” and “virtual.”

Domain Age

A majority of the IoCs, 14 out of 18 to be exact, were first registered more than five years ago, based on their historical WHOIS data. Three domains were created in 2019 and were a few months old when the attack started in March 2020, while one domain was created in 2018.

The domain age could be a factor behind the SolarWinds breach’s success, as none of the IoCs were newly registered domains (NRDs). Threat actors know that most cybersecurity systems would usually flag NRDs.

Registrars

While they were not involved in the attack, the domains’ registrars can help prevent the attack from spreading by taking them down. Seven registrars were involved in the registration of the IoCs since 1 June 2019. They are listed below, along with the number of WHOIS records associated with each of them.

Registrar                                        Number of WHOIS Records
NameSilo, LLC                                    89
NameCheap, Inc.                                  36
GoDaddy.com, LLC                                 11
Epik, Inc.                                       10
Draftpick Domains LLC                            4
Stichting Registrar of Last Resort Foundation    3
Key-Systems GmbH                                 3

It should also be noted that NameSilo is among the top 10 most-abused registrars, with a badness index of 1.68.

Additional Artifacts

Using Domains & Subdomains Discovery, we found close to 70 additional domains that reuse the exact label of 12 of the IoCs under different top-level domains (TLDs):

Original domain (from the IoC list), followed by the additional domains found by WhoisXML API:

avsvmcloud[.]com
  • avsvmcloud[.]net
  • avsvmcloud[.]org

digitalcollege[.]org
  • digitalcollege[.]art
  • digitalcollege[.]asia
  • digitalcollege[.]ca
  • digitalcollege[.]co
  • digitalcollege[.]co[.]il
  • digitalcollege[.]co[.]in
  • digitalcollege[.]co[.]uk
  • digitalcollege[.]com
  • digitalcollege[.]com[.]au
  • digitalcollege[.]com[.]br
  • digitalcollege[.]de
  • digitalcollege[.]eu
  • digitalcollege[.]fr
  • digitalcollege[.]in
  • digitalcollege[.]info
  • digitalcollege[.]jp
  • digitalcollege[.]kz
  • digitalcollege[.]london
  • digitalcollege[.]net
  • digitalcollege[.]nl
  • digitalcollege[.]org[.]uk
  • digitalcollege[.]re
  • digitalcollege[.]ru
  • digitalcollege[.]top
  • digitalcollege[.]uk
  • digitalcollege[.]us
  • digitalcollege[.]xyz

freescanonline[.]com
  • freescanonline[.]xyz

highdatabase[.]com
  • highdatabase[.]email

kubecloud[.]com
  • kubecloud[.]ch
  • kubecloud[.]co
  • kubecloud[.]co[.]uk
  • kubecloud[.]de
  • kubecloud[.]dev
  • kubecloud[.]io
  • kubecloud[.]net
  • kubecloud[.]nl
  • kubecloud[.]org
  • kubecloud[.]site

lcomputers[.]com
  • lcomputers[.]co[.]za
  • lcomputers[.]info

panhardware[.]com
  • panhardware[.]com[.]my

solartrackingsystem[.]net
  • solartrackingsystem[.]com

virtualdataserver[.]com
  • virtualdataserver[.]ws

webcodez[.]com
  • webcodez[.]de
  • webcodez[.]net
  • webcodez[.]pro

websitetheme[.]com
  • websitetheme[.]biz
  • websitetheme[.]club
  • websitetheme[.]com[.]au
  • websitetheme[.]co[.]uk
  • websitetheme[.]download
  • websitetheme[.]in
  • websitetheme[.]info
  • websitetheme[.]net
  • websitetheme[.]org
  • websitetheme[.]shop
  • websitetheme[.]site
  • websitetheme[.]store
  • websitetheme[.]tk
  • websitetheme[.]uk
  • websitetheme[.]us
  • websitetheme[.]win
  • websitetheme[.]xyz

zupertech[.]com
  • zupertech[.]xyz
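The expansion above pivots on the registrable label of each IoC (for example, "digitalcollege") across other TLDs. The following script is an added example, not code from the original post or from WhoisXML API: it takes the 18 defanged IoCs as listed above, refangs them, and classifies observed domain names (from proxy or resolver logs, say) as an exact IoC hit, a same-label-other-TLD "pivot" lead, or no match. The short list of two-label public suffixes is an assumption standing in for the full Public Suffix List, and the observed-domain sample is constructed for the example.

```python
"""Match observed domain names against the SolarWinds IoC list and its
TLD-pivot expansion.

Added example, not code from the original post or from WhoisXML API.
The multi-label public suffixes and the observed-domain sample below are
constructed for this example.
"""
from dataclasses import dataclass

# The 18 IoCs exactly as the post lists them (defanged with "[.]").
IOCS = [
    "avsvmcloud[.]com", "databasegalore[.]com", "deftsecurity[.]com",
    "digitalcollege[.]org", "freescanonline[.]com",
    "globalnetworkissues[.]com", "highdatabase[.]com",
    "incomeupdate[.]com", "kubecloud[.]com", "lcomputers[.]com",
    "panhardware[.]com", "seobundlekit[.]com",
    "solartrackingsystem[.]net", "thedoccloud[.]com",
    "virtualdataserver[.]com", "webcodez[.]com", "websitetheme[.]com",
    "zupertech[.]com",
]

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# two-label suffixes that appear in the post's artifact table. A real
# deployment would use the full PSL (e.g. the `publicsuffix2` package).
MULTI_LABEL_SUFFIXES = {
    "co.uk", "org.uk", "com.au", "co.za", "co.in", "co.il", "com.br", "com.my",
}


def refang(domain: str) -> str:
    """Turn a defanged name such as 'avsvmcloud[.]com' back into a real one."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(domain: str) -> str:
    """Return the registrable domain (one label left of the public suffix)."""
    labels = refang(domain).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def label_of(domain: str) -> str:
    """Leftmost label of the registrable domain, e.g. 'digitalcollege'."""
    return registrable(domain).split(".")[0]


@dataclass(frozen=True)
class Match:
    observed: str
    verdict: str      # "ioc", "pivot" or "none"
    matched_ioc: str  # the IoC the observation was linked to, if any


def classify(observed: str, iocs=IOCS) -> Match:
    """Classify one observed domain against the IoC list.

    "ioc"   : the registrable domain is itself on the list (subdomains count).
    "pivot" : same registrable label as an IoC under a different TLD, which is
              how the post found its additional artifacts; treat it as a lead
              to verify, not as confirmed malicious.
    """
    clean = {refang(i): i for i in iocs}
    reg = registrable(observed)
    if reg in clean:
        return Match(observed, "ioc", clean[reg])
    by_label = {label_of(i): i for i in iocs}
    if label_of(observed) in by_label:
        return Match(observed, "pivot", by_label[label_of(observed)])
    return Match(observed, "none", "")


def classify_batch(observed_domains) -> dict:
    """Group a batch of observations by verdict; returns {verdict: [names]}."""
    out = {"ioc": [], "pivot": [], "none": []}
    for d in observed_domains:
        out[classify(d).verdict].append(refang(d))
    return out


# Constructed sample of names as they might appear in proxy or DNS logs.
SAMPLE_OBSERVED = [
    "cdn.avsvmcloud.com",       # constructed subdomain of an IoC -> "ioc"
    "DigitalCollege.co.uk",     # pivot listed in the post's table
    "kubecloud.dev",            # pivot listed in the post's table
    "websitetheme.example",     # constructed pivot the post does not list
    "example.com",              # unrelated
]

if __name__ == "__main__":
    for verdict, names in classify_batch(SAMPLE_OBSERVED).items():
        print(f"{verdict:5s}: {names}")
```

A "pivot" verdict is a lead for the analyst, not a block decision: the post itself notes that the same labels appear under thousands of fuzzy-matched domains, so the hit should be confirmed against WHOIS history and hosting data before action is taken.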

When we expanded the search to include fuzzy matches, we found 4,673 additional artifacts, which indicates that the domains the threat actors used were indeed very generic.

Nameserver Changes

WHOIS history records also revealed that the IoCs had undergone several nameserver changes, signifying numerous website relocation events to different hosting providers. On average, the 18 domains changed nameservers 3.758 times over the past two years, and all of them changed nameservers at least two times during the same time period. Of the 70 artifacts we found, 11% have changed nameservers more than twice.
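The two WHOIS-history measurements used in this post, domain age at the time of the attack (the Domain Age section) and the number of nameserver changes over a period (this section), can be computed from a sequence of dated WHOIS snapshots. The script below is an added example, not code from the original post or from WhoisXML API; the snapshot record format, the 30-day NRD window, and the three sample domain histories are constructed assumptions for the example, while the March 2020 reference date and the ">2 changes" threshold are taken from the post.

```python
"""Triage domains from historical WHOIS records: age at a reference date
(the post's "not an NRD" point) and nameserver change counts (the post's
"Nameserver Changes" point).

Added example, not code from the original post or from WhoisXML API. The
record format and the sample records are constructed; a real pipeline would
fill them from a WHOIS history feed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Reference point from the post: the attack is believed to have started in
# March 2020. The NRD window is an assumption for this example.
ATTACK_START = date(2020, 3, 1)
NRD_WINDOW_DAYS = 30


@dataclass(frozen=True)
class WhoisSnapshot:
    domain: str
    seen: date                 # date the snapshot was captured
    created: date              # creation date reported in the record
    nameservers: frozenset     # nameservers reported in the record


def normalize_ns(nameservers) -> frozenset:
    """Case-fold and strip trailing dots so NS1.EXAMPLE. == ns1.example."""
    return frozenset(ns.lower().rstrip(".") for ns in nameservers)


def nameserver_changes(snapshots) -> int:
    """Count how often the nameserver set changed between consecutive snapshots."""
    ordered = sorted(snapshots, key=lambda s: s.seen)
    changes = 0
    for prev, cur in zip(ordered, ordered[1:]):
        if normalize_ns(prev.nameservers) != normalize_ns(cur.nameservers):
            changes += 1
    return changes


def age_days(snapshots, at: date = ATTACK_START) -> int:
    """Domain age in days at `at`, using the earliest creation date on record."""
    return (at - min(s.created for s in snapshots)).days


def triage(history) -> dict:
    """history: {domain: [WhoisSnapshot, ...]} -> per-domain flags plus aggregates."""
    per_domain = {}
    for domain, snaps in history.items():
        changes = nameserver_changes(snaps)
        age = age_days(snaps)
        per_domain[domain] = {
            "age_days": age,
            "is_nrd": age < NRD_WINDOW_DAYS,
            "ns_changes": changes,
            "frequent_relocation": changes > 2,   # the post's ">2 changes" cut-off
        }
    n = len(per_domain)
    return {
        "domains": per_domain,
        "avg_ns_changes": mean(d["ns_changes"] for d in per_domain.values()),
        "pct_frequent": 100 * sum(d["frequent_relocation"] for d in per_domain.values()) / n,
    }


def _ns(*names):
    return frozenset(names)


# Constructed WHOIS history for three made-up domains; not real WHOIS data.
SAMPLE_HISTORY = {
    "old-generic.example": [
        WhoisSnapshot("old-generic.example", date(2018, 4, 1), date(2012, 6, 5), _ns("ns1.hosta.example", "ns2.hosta.example")),
        WhoisSnapshot("old-generic.example", date(2019, 1, 9), date(2012, 6, 5), _ns("ns1.hostb.example", "ns2.hostb.example")),
        WhoisSnapshot("old-generic.example", date(2019, 8, 2), date(2012, 6, 5), _ns("NS1.HOSTB.EXAMPLE.", "NS2.HOSTB.EXAMPLE.")),  # same set, different case
        WhoisSnapshot("old-generic.example", date(2020, 1, 5), date(2012, 6, 5), _ns("ns1.hostc.example")),
        WhoisSnapshot("old-generic.example", date(2020, 2, 20), date(2012, 6, 5), _ns("ns1.hostd.example")),
    ],
    "recent-generic.example": [
        WhoisSnapshot("recent-generic.example", date(2019, 10, 1), date(2019, 9, 20), _ns("ns1.hosta.example")),
        WhoisSnapshot("recent-generic.example", date(2020, 1, 15), date(2019, 9, 20), _ns("ns1.hostb.example")),
    ],
    "brand-new.example": [
        WhoisSnapshot("brand-new.example", date(2020, 2, 25), date(2020, 2, 24), _ns("ns1.hosta.example")),
    ],
}

if __name__ == "__main__":
    result = triage(SAMPLE_HISTORY)
    for domain, summary in result["domains"].items():
        print(domain, summary)
    print("average nameserver changes:", round(result["avg_ns_changes"], 3))
    print("percent with >2 changes:", round(result["pct_frequent"], 1))
```

Normalizing the nameserver set before comparing matters: a record that merely re-cases or re-orders the same hosts is not a relocation, and counting it as one would inflate the average the post relies on. The age check uses the earliest creation date across all snapshots because a domain that dropped and was re-registered can show a later creation date in newer records.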


Based on the analysis, the SolarWinds IoCs had several things in common:

  • They are not NRDs.
  • The domains use generic terms and do not typosquat on brand or company names.
  • They have undergone several nameserver changes.
  • Their WHOIS records are all associated with seven registrars, half of which belong to NameSilo.

Security teams can better explore the artifacts and check for similar characteristics. Knowing what to look for can help them better protect their systems from attacks similar to the SolarWinds hack.

Are you a security researcher, architect, or product developer working on the world’s biggest security issues? Contact us for more information on the potentially suspicious domains and other assets mentioned in this post, security research initiatives, and any other ideas for collaboration.
