The cyber-attack campaign “Sunburst” had been running since at least March 2020, with a strong peak in April 2020, as a retrospective analysis by the DNS provider Cloudflare showed. In December 2020 the cybersecurity and threat research company FireEye detected the supply chain attack in its own network. After FireEye published a detailed report on the attack, cybersecurity vendors started to build and distribute Indicators of Compromise (IOCs) and signatures for it. Replicating the attack in our lab using the information published by our colleagues, we showed that our ExeonTrace NDR software detects the malicious domains initially accessed by the RAT out of the box, without requiring a signature update (see below for the required configuration). In fact, the software does so using a machine learning model trained more than two years ago, long before we became aware of the attack.
How is this possible? The RAT uses a Domain Generation Algorithm (DGA) to construct subdomains of avsvmcloud[.]com, which it resolves to locate its command-and-control (C&C) server and fetch instructions. 0fhdojdvgeuskgkcds2n0i3uho1i2v0i[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com is an example hostname constructed by the algorithm, where the string “0fhdojdvgeuskgkcds2n0i3uho1i2v0i” encodes information about the compromised network (see the referenced analysis for more details). A traditional signature-based approach can only detect the attack if an IOC for the accessed hostname exists (e.g., the wildcard IOC *.avsvmcloud[.]com). Such an IOC can, of course, only be built after the attack has been detected, resulting in a chicken-and-egg problem.
ExeonTrace does not rely on signatures to detect DGA activity. Instead, it uses an ML model trained to recognize the patterns typical of hostnames generated by a DGA. Because our engineers built the model to generalize well, ExeonTrace detects DGAs it has not been trained on. That is, it can detect novel cyber-attacks for which no IOC exists yet, and thus avoids the chicken-and-egg problem of signature-based approaches.
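To make the difference between the two approaches concrete, here is an added, self-contained example (written for this article; it is not ExeonTrace code and not its model). It runs a suffix-based IOC match and a simple statistical DGA score side by side over a few constructed DNS log lines. The log format, the client addresses, the example.org/example.net hostnames and the second random-looking label are all made up; the hand-tuned score (label length, character entropy, vowel and digit ratios) only stands in for a trained classifier, which would learn such features from data. The point it shows: the IOC only fires on the known suffix, while the statistical check also flags the random-looking label under a parent domain that no IOC list contains yet.

```python
"""Added example: signature matching vs. statistical DGA scoring on DNS logs.

Illustrative code for this article, not ExeonTrace's implementation. The
statistical part is a hand-tuned heuristic on the leftmost DNS label; a
trained model would learn comparable features from labelled data.
"""
import math
from collections import Counter

# Constructed IOC list: the wildcard suffix named in the post (defanged there
# as *.avsvmcloud[.]com). A signature can only match suffixes already known.
IOC_SUFFIXES = ["avsvmcloud.com"]

# Constructed resolver log lines (hypothetical format: "<timestamp> <client> <qname>").
# Line 3 uses the example hostname from the post; line 4 is a made-up DGA-looking
# label under a parent domain that is NOT in the IOC list.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z 10.0.0.5 www.example.com
2020-12-14T10:01:03Z 10.0.0.5 softwareupdates.example.org
2020-12-14T10:01:04Z 10.0.0.5 0fhdojdvgeuskgkcds2n0i3uho1i2v0i.appsync-api.us-west-2.avsvmcloud.com
2020-12-14T10:01:05Z 10.0.0.9 k3j9qz7xm2vbd4p8w1ytr6nh5lc0sf.cdn-updates.example.net
2020-12-14T10:01:06Z 10.0.0.7 mail.example.com
"""

VOWELS = set("aeiou")
DGA_THRESHOLD = 0.6  # hypothetical alert threshold for the heuristic score


def normalise(qname: str) -> str:
    """Lower-case, undo the [.] defanging used in reports, drop the trailing dot."""
    return qname.strip().lower().replace("[.]", ".").rstrip(".")


def signature_match(qname: str, iocs=IOC_SUFFIXES) -> bool:
    """Suffix match against known-bad domains, i.e. the IOC '*.avsvmcloud[.]com'."""
    q = normalise(qname)
    return any(q == s or q.endswith("." + s) for s in iocs)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels sit well above English-like ones."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_features(label: str) -> dict:
    """Character statistics of one DNS label."""
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
    }


def dga_score(qname: str) -> float:
    """Score in [0, 1] for how DGA-like the leftmost label looks.

    Hand-tuned stand-in for a trained classifier: long labels with high
    entropy, few vowels and interleaved digits are typical of DGA output.
    """
    label = normalise(qname).split(".")[0]
    f = label_features(label)
    if f["length"] < 12:  # short labels carry too little signal to judge
        return 0.0
    score = 0.4 * min(f["entropy"] / 4.0, 1.0)
    score += 0.3 * (1.0 - min(f["vowel_ratio"] / 0.4, 1.0))
    score += 0.3 * min(f["digit_ratio"] / 0.2, 1.0)
    return round(score, 3)


def analyse_log(log_text: str) -> list:
    """Run both detectors over each log line; one result record per query."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        score = dga_score(qname)
        results.append({
            "qname": qname,
            "signature_hit": signature_match(qname),
            "dga_score": score,
            "dga_hit": score >= DGA_THRESHOLD,
        })
    return results


if __name__ == "__main__":
    for r in analyse_log(SAMPLE_DNS_LOG):
        flag = "ALERT" if r["dga_hit"] else ""
        print(f"{r['qname']:<72} sig={str(r['signature_hit']):<5} "
              f"dga={r['dga_score']:.2f} {flag}")
```

Running it, only the avsvmcloud.com query trips the signature, whereas the score flags both random-looking labels and leaves the benign names alone, including the long but pronounceable "softwareupdates". In production a check like this needs tuning against legitimate services that also use long random-looking labels (CDN, cloud API and tracking hostnames), which is exactly what a model trained on real traffic, rather than three hand-picked thresholds, is for.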
For more information on DGAs, see our CTO’s blog post “How hackers communicate – DGA”.
ExeonTrace detecting Sunburst’s DGA.
Exeon support is happy to help you verify the configuration.
March 2020 or earlier:
Attackers start compromising U.S. government agencies, critical infrastructure entities, and private sector organizations.
December 8, 2020:
The cybersecurity company FireEye announces the detection of a highly sophisticated attack on its own network.
December 13, 2020:
FireEye’s analysis of the incident shows that the attackers compromised its network through the software supplier SolarWinds. The US Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive 21-01, ordering federal agencies to immediately disconnect or power down all SolarWinds Orion products and to investigate their networks for signs of intrusion.
December 13, 2020 and later:
FireEye as well as independent companies start publishing Indicators of Compromise (IOCs) to detect the Sunburst attack [5,6].
The author: David Gugelmann is Founder and CEO of Exeon.