Detect SolarWinds SunBurst Malware with AppNeta Usage monitoring
by Sean Armstrong

As pretty much everyone has heard by now, SolarWinds was the target of a sophisticated supply chain attack. We want to assure our customers that AppNeta does not use SolarWinds software internally or in support of the AppNeta Performance Manager. Unfortunately, over 18,000 organizations were using Orion and are now tasked with finding and removing this challenging malware. If you are interested in learning more, I highly recommend this SANS video (it's an hour, but worth it) that goes into depth on everything we know so far.

How AppNeta Can Help

In addition to the active network testing approaches we are best known for, AppNeta can analyze all traffic on your network to identify the applications in use and the hosts running them. This capability is called Usage analysis. In the past we charged separately for it, but we have since unified our product set to give the most complete picture of performance possible, and all customers now get Usage analysis included with their subscription.

We have over 2,500 applications identified in the Deep Packet Inspection engine within the product, but each customer has a few in-house apps unique to them, so we have made it easy to add custom applications with just a few clicks. The SunBurst malware has been observed sending beacon messages to a number of known domains, and any activity on your network reaching out to them is highly suspect and should be investigated.

To add a custom application for SunBurst activity:

  1. Create a custom application by going to the main Settings gear in the top navigation and choose “Manage Application Identification”
  2. Click the “+ Define Application” button above the custom application table.

  3. Name the custom application “SunBurst Malware” and give it an appropriate description like “Suspicious activity related to
  4. Add the following rules for the traffic to be included in the application:

     - Protocol: TLS, TLS Host:
     - Protocol: TLS, TLS Host:
     - Protocol: TLS, TLS Host:
     - Protocol: TLS, TLS Host:
     - Protocol: TLS, TLS Host:
     - Protocol: TLS, TLS Host:

This matches all TLS traffic whose handshake names one of the listed domains and reclassifies it as “SunBurst Malware” rather than generic SSL/TLS traffic.

  5. Set the Category to “Business Important”, the Classification to “Remote Access” and the Risk Level to “5 - Very High”, then Save the new application.

Now add it to the running DPI engines within your AppNeta Monitoring Points:

  1. Now that the application has been created, find it in the table of custom applications, click the Gear icon, and choose the sites where it should be added to the DPI engine. We recommend adding it to all locations.

And finally add alerting:

  1. From the main Settings gear in the top navigation, choose “Manage Alert Profiles”.
  2. Choose the “Flow Analysis” toggle button and press the “New” button to add a new alert.

Name the Alert Profile “SunBurst Malware”, select the Condition “Application”, and pick the custom application you just created. Set the traffic rate condition to total traffic greater than 0 bps so that any activity at all is flagged.

We are still learning more every day about this complex attack, and new beacon domains may be identified in the future; these can be added to your new custom application as additional rules for automatic identification.

This will now keep an eye out for SunBurst-related traffic and notify you so that the affected systems can be isolated and investigated immediately.
