Earlier today, Avast published a full list of companies affected by the second-stage CCleaner malware, as part of its ongoing investigation into the CCleaner hack that took place last week.
Avast was able to compile this list of affected companies because, over the weekend, they were able to find a second server used by the attackers.
Last Friday, Avast published an update on its investigation of the CCleaner hack in which it said it managed to get its hands on the database of the server where the CCleaner malware was sending information about infected hosts.
Unfortunately, that server's database contained information for user infections between September 12 and September 16. Avast said that the database holding info on infected users crashed on September 10 after the server ran out of space.
Hackers installed a new server on September 12, which Avast, with the help of law enforcement, seized on September 15. The IP address of this main server was 220.127.116.11.
Today, Avast said that after more digging around they were able to find a second server where hackers sent a backup of the original database before reinstalling the server and starting from scratch.
Avast said this second server was located at 18.104.22.168, on the same hosting provider as the first. ServerCrate, the hosting provider, provided support and made available the second server to Avast.
This means investigators now have a full list of infected hosts (except a 40-hour period when the server was down) affected by the CCleaner malware — both the first and second stage payloads.
Hackers compromised the CCleaner infrastructure in July, and between August 15 and September 12, the official CCleaner website offered a version of the app that was infected with malware.
Avast says that over 2.27 million users downloaded tainted versions of the CCleaner app in that time interval.
Based on data from the two C&C server databases, Avast says that 1,646,536 computers were infected with the Floxif first stage malware and reported back to the C&C server.
Based on a strict set of filters, Avast says that the C&C servers ordered the delivery of a second-stage malware (a potent backdoor) to only 40 of these 1.6 million computers.
Last week, Avast and Cisco said that only 20 computers were infected, meaning investigators found 20 more in the database backup.
Last week, investigators didn't reveal what companies were affected. In a table published today, Avast went public with this information, embedded below.
According to the table above, most infected hosts — 13 computers — are on the network of Chunghwa Telecom, a Taiwanese ISP. Second on the list is Japanese IT company NEC with 10, followed by Samsung with 5.
ASUS, Fujitsu, and Sony had two computers infected with the second-stage payload, while Avast found one infected computer on the network of IPAddress.com, O2, Gauselmann, Singtel, Intel, and VMWare.
The table above only lists successful infections. The C&C server used a filter to target certain networks, but not all were infected.
The filtering rules for the server seized last week targeted companies such as Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.
The filtering rules retrieved from the backup server shows that before September 10, attackers targeted a different list of companies, such as HTC, Linksys, Epson, Vodafone, Microsoft, Dlink, Gmail, Akamai, MSI, Cisco, Cyberdyne, Tactical Technologies Inc. (TTI), and GoDaddy.
Researchers say this filter is only the one used at the time of the backup, and between August 15 and September 10, attackers most likely targeted many other companies.
In addition, Avast confirmed it found evidence linking the attackers to China. Last week, Kaspersky and Cisco said the same thing, hinting this attack might be linked to the Axiom APT.
Clues included PHP code found on the C&C server, the myPhpAdmin logs, and the similarity of certain code snippets to past Axiom malware.
Avast also says that after analyzing all the logins on the two servers, the login activity pattern fits a person living in the Eastern Russia, China, and India timezones.
Nonetheless, attribution is difficult. "The problem with all these indications is that they are all very easy to forge," said Avast. "They might have been added simply to make investigation more difficult and to hide the true origin."
With the new information in hand, here's an updated timeline of events.
Avast also published a revised list of IOCs (indicators of compromise) in its most latest report. Sysadmins can use these IOCs to search for infections on their network.