Earlier today, Avast published a full list of companies affected by the second-stage CCleaner malware, as part of its ongoing investigation into the CCleaner hack that took place last week.
Avast was able to compile this list of affected companies because, over the weekend, they were able to find a second server used by the attackers.
Last Friday, Avast published an update on its investigation of the CCleaner hack in which it said it managed to get its hands on the database of the server where the CCleaner malware was sending information about infected hosts.
Unfortunately, that server’s database contained information on user infections only for the period between September 12 and September 16. Avast said that the database holding info on infected users crashed on September 10 after the server ran out of space.
Hackers installed a new server on September 12, which Avast, with the help of law enforcement, seized on September 15. The IP address of this main server was 22.214.171.124.
Avast finds second server holding backup database
Today, Avast said that after more digging around they were able to find a second server where hackers sent a backup of the original database before reinstalling the server and starting from scratch.
Avast said this second server was located at 126.96.36.199, on the same hosting provider as the first. ServerCrate, the hosting provider, provided support and made available the second server to Avast.
This means investigators now have a full list of infected hosts (except a 40-hour period when the server was down) affected by the CCleaner malware — both the first and second stage payloads.
1,646,536 computers confirmed as infected
Hackers compromised the CCleaner infrastructure in July, and between August 15 and September 12, the official CCleaner website offered a version of the app that was infected with malware.
Avast says that over 2.27 million users downloaded tainted versions of the CCleaner app in that time interval.
Based on data from the two C&C server databases, Avast says that 1,646,536 computers were infected with the Floxif first-stage malware and reported back to the C&C server.
40 computers infected with second-stage payload
Based on a strict set of filters, Avast says that the C&C servers ordered the delivery of a second-stage malware (a potent backdoor) to only 40 of these 1.6 million computers.
Last week, Avast and Cisco said that only 20 computers were infected, meaning investigators found 20 more in the database backup.
Last week, investigators didn’t reveal what companies were affected. In a table published today, Avast went public with this information, embedded below.
According to the table above, most infected hosts — 13 computers — are on the network of Chunghwa Telecom, a Taiwanese ISP. Second on the list is Japanese IT company NEC with 10, followed by Samsung with 5.
ASUS, Fujitsu, and Sony each had two computers infected with the second-stage payload, while Avast found one infected computer each on the networks of IPAddress.com, O2, Gauselmann, Singtel, Intel, and VMWare.
The table above only lists successful infections. The C&C server used a filter to target certain networks, but not all were infected.
The filtering rules for the server seized last week targeted companies such as Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.
The filtering rules retrieved from the backup server show that before September 10, attackers targeted a different list of companies, such as HTC, Linksys, Epson, Vodafone, Microsoft, Dlink, Gmail, Akamai, MSI, Cisco, Cyberdyne, Tactical Technologies Inc. (TTI), and GoDaddy.
Researchers say this filter is only the one used at the time of the backup, and between August 15 and September 10, attackers most likely targeted many other companies.
Avast jumps on the Chinese APT hack theory
In addition, Avast confirmed it found evidence linking the attackers to China. Last week, Kaspersky and Cisco said the same thing, hinting this attack might be linked to the Axiom APT.
Clues included PHP code found on the C&C server, the phpMyAdmin logs, and the similarity of certain code snippets to past Axiom malware.
Avast also says that after analyzing all the logins on the two servers, the login activity pattern fits a person living in the time zones of eastern Russia, China, or India.
Nonetheless, attribution is difficult. “The problem with all these indications is that they are all very easy to forge,” said Avast. “They might have been added simply to make investigation more difficult and to hide the true origin.”
With the new information in hand, here’s an updated timeline of events.
July 19 ⮞ Avast announces it bought Piriform, the company behind CCleaner.
July 31, 06:32 ⮞ Attackers install C&C server.
August 11, 07:36 ⮞ Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
August 15 ⮞ Piriform, now part of Avast, releases CCleaner 5.33. The CCleaner 5.33.6162 build was infected with the Floxif malware.
August 20 and 21 ⮞ Morphisec’s security product detects and stops first instances of CCleaner malicious activity, but they did not have insight into what exactly they stopped.
August 24 ⮞ Piriform releases CCleaner Cloud v1.07.3191 that also included the Floxif trojan.
September 10 20:59 ⮞ C&C server runs out of space and stops data collection. Attackers make a backup of the original database.
September 11 ⮞ Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company’s engineers.
September 12 07:56 ⮞ Attackers wipe C&C server.
September 12 08:02 ⮞ Attackers reinstall C&C server.
September 12 ⮞ Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 ⮞ Cisco notifies Avast of its own findings.
September 15 ⮞ Authorities seize C&C server.
September 15 ⮞ Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214. These are clean versions.
September 18 ⮞ CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.
September ?? ⮞ ServerCrate provides a copy of the backup server to Avast.
Avast also published a revised list of IOCs (indicators of compromise) in its latest report. Sysadmins can use these IOCs to search for infections on their networks.
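The kind of check a sysadmin would run with those indicators, written here as an added example rather than code from Avast or from the article: it cross-references a software-inventory export against the tainted build numbers the article names (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191) and an outbound proxy log against the two C&C addresses the article reports, then gives each host one verdict. The hostnames, inventory rows and log lines are constructed samples; the column layout and `src=`/`dst=` log format are assumptions, not any vendor's schema.

```python
import csv
import io
import re
from collections import defaultdict

# Indicators as the article above reports them: the tainted build numbers and
# the two C&C addresses. Everything else in this file is a constructed sample.
TAINTED_VERSIONS = {
    "CCleaner": {"5.33.6162"},
    "CCleaner Cloud": {"1.07.3191"},
}
CC_ADDRESSES = {"22.214.171.124", "126.96.36.199"}

# Constructed software-inventory export (host,product,version); hosts are hypothetical.
INVENTORY = """\
host,product,version
ws-0412,CCleaner,5.33.6162
ws-0413,CCleaner,5.34.6207
ws-0419,CCleaner Cloud,1.07.3191
srv-db01,CCleaner Cloud,1.07.3214
"""

# Constructed outbound proxy log lines; timestamps and the non-C&C destination
# are made up, the two C&C addresses are the ones the article reports.
PROXY_LOG = """\
2017-09-12T09:14:02Z src=ws-0412 dst=22.214.171.124:443 action=allow
2017-09-12T09:14:05Z src=ws-0420 dst=93.184.216.34:443 action=allow
2017-09-13T11:02:41Z src=ws-0431 dst=126.96.36.199:443 action=allow
"""

# Assumed log layout: "src=<host> dst=<ip>:<port>" somewhere on the line.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>[\d.]+):\d+")


def find_tainted_installs(inventory_csv):
    """Return {host: [(product, version), ...]} for exact matches on tainted builds.

    Only the exact build numbers named in the article are flagged; the clean
    5.34 and 1.07.3214 releases the article mentions fall through untouched.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["version"] in TAINTED_VERSIONS.get(row["product"], set()):
            hits[row["host"]].append((row["product"], row["version"]))
    return dict(hits)


def find_cc_contacts(log_text, addresses=CC_ADDRESSES):
    """Return {host: sorted list of C&C addresses that host connected to}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") in addresses:
            hits[m.group("src")].add(m.group("dst"))
    return {host: sorted(addrs) for host, addrs in hits.items()}


def triage(inventory_csv, log_text):
    """Combine the install signal and the network signal into one per-host verdict."""
    installs = find_tainted_installs(inventory_csv)
    contacts = find_cc_contacts(log_text)
    report = {}
    for host in set(installs) | set(contacts):
        if host in installs and host in contacts:
            status = "confirmed beacon"         # tainted build present and it reached the C&C
        elif host in installs:
            status = "tainted build present"    # installed, no C&C contact in this log window
        else:
            status = "unexplained C&C contact"  # C&C traffic with no matching inventory record
        report[host] = {
            "status": status,
            "installs": installs.get(host, []),
            "c2_contacts": contacts.get(host, []),
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(triage(INVENTORY, PROXY_LOG).items()):
        print(host, info["status"], info["installs"], info["c2_contacts"])
```

The two signals are deliberately kept separate: the article notes a 40-hour gap in the attackers' own database, so a host missing from Avast's list is not thereby clean, and a host that shows C&C traffic without an inventory match (the "unexplained C&C contact" verdict) deserves a look at why the inventory disagrees with the network.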