https://live.paloaltonetworks.com/t5/advanced-threat-prevention/uptick-in-solarwinds-exploit-domain-flagging/m-p/482362#M1601 <P>Starting early Saturday morning (4/23) we started getting a large number of DNS threat alerts for 3 domains associated with the Solarwinds exploit. These domains are now resolving to multiple Leaseweb IPs (as I recall, they were NX previously). Digging thru the Threat &amp; Vulnerability database, these 3 domains are still flagged, but the other domains associated with the compromise are no longer active in the database. Checking packet dumps, I am seeing many DNS queries for these other domains resolving to the same Leaseweb IPs as well.</P><P>&nbsp;</P><P>Is anyone aware of recent changes to these exploit domains? Shouldn't all the domains still be in the threat database?</P> Mon, 25 Apr 2022 17:44:23 GMT Adrian_Jensen 2022-04-25T17:44:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/uptick-in-solarwinds-exploit-domain-flagging/m-p/482362#M1601 <P>Starting early Saturday morning (4/23) we started getting a large number of DNS threat alerts for 3 domains associated with the Solarwinds exploit. These domains are now resolving to multiple Leaseweb IPs (as I recall, they were NX previously). Digging thru the Threat &amp; Vulnerability database, these 3 domains are still flagged, but the other domains associated with the compromise are no longer active in the database. Checking packet dumps, I am seeing many DNS queries for these other domains resolving to the same Leaseweb IPs as well.</P><P>&nbsp;</P><P>Is anyone aware of recent changes to these exploit domains? Shouldn't all the domains still be in the threat database?</P> Mon, 25 Apr 2022 17:44:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/uptick-in-solarwinds-exploit-domain-flagging/m-p/482362#M1601 Adrian_Jensen 2022-04-25T17:44:23Z