Earlier today, Avast published a full list of companies affected by the second-stage CCleaner malware, as part of its ongoing investigation into the CCleaner hack that took place last week.
Avast was able to compile this list of affected companies because, over the weekend, they were able to find a second server used by the attackers.
Last Friday, Avast published an update on its investigation of the CCleaner hack in which it said it managed to get its hands on the database of the server where the CCleaner malware was sending information about infected hosts.
Unfortunately, that server's database only contained information for user infections between September 12 and September 16. Avast said that the database holding info on infected users crashed on September 10 after the server ran out of space.
Hackers installed a new server on September 12, which Avast, with the help of law enforcement, seized on September 15. The IP address of this main server was 216.126.225.148.
Avast finds second server holding backup database
Today, Avast said that after more digging around they were able to find a second server where hackers sent a backup of the original database before reinstalling the server and starting from scratch.
Avast said this second server was located at 216.126.225.163, on the same hosting provider as the first. ServerCrate, the hosting provider, provided support and made available the second server to Avast.
This means investigators now have a full list of infected hosts (except a 40-hour period when the server was down) affected by the CCleaner malware — both the first and second stage payloads.
1,646,536 computers confirmed as infected
Hackers compromised the CCleaner infrastructure in July, and between August 15 and September 12, the official CCleaner website offered a version of the app that was infected with malware.
Avast says that over 2.27 million users downloaded tainted versions of the CCleaner app in that time interval.
Based on data from the two C&C server databases, Avast says that 1,646,536 computers were infected with the Floxif first stage malware and reported back to the C&C server.
40 computers infected with second-stage payload
Based on a strict set of filters, Avast says that the C&C servers ordered the delivery of a second-stage malware (a potent backdoor) to only 40 of these 1.6 million computers.
Last week, Avast and Cisco said that only 20 computers were infected, meaning investigators found 20 more in the database backup.
Last week, investigators didn't reveal what companies were affected. In a table published today, Avast went public with this information, embedded below.

According to the table above, most infected hosts — 13 computers — are on the network of Chunghwa Telecom, a Taiwanese ISP. Second on the list is Japanese IT company NEC with 10, followed by Samsung with 5.
ASUS, Fujitsu, and Sony had two computers infected with the second-stage payload, while Avast found one infected computer on the network of IPAddress.com, O2, Gauselmann, Singtel, Intel, and VMWare.
The table above only lists successful infections. The C&C server used a filter to target certain networks, but not all were infected.
The filtering rules for the server seized last week targeted companies such as Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.
The filtering rules retrieved from the backup server show that before September 10, attackers targeted a different list of companies, such as HTC, Linksys, Epson, Vodafone, Microsoft, Dlink, Gmail, Akamai, MSI, Cisco, Cyberdyne, Tactical Technologies Inc. (TTI), and GoDaddy.

Researchers say this filter is only the one used at the time of the backup, and between August 15 and September 10, attackers most likely targeted many other companies.
Avast jumps on the Chinese APT hack theory
In addition, Avast confirmed it found evidence linking the attackers to China. Last week, Kaspersky and Cisco said the same thing, hinting this attack might be linked to the Axiom APT.
Clues included PHP code found on the C&C server, the phpMyAdmin logs, and the similarity of certain code snippets to past Axiom malware.
Avast also says that after analyzing all the logins on the two servers, the login activity pattern fits a person living in the time zones of eastern Russia, China, and India.
Nonetheless, attribution is difficult. "The problem with all these indications is that they are all very easy to forge," said Avast. "They might have been added simply to make investigation more difficult and to hide the true origin."
With the new information in hand, here's an updated timeline of events.
July 19 ⮞ Avast announces it bought Piriform, the company behind CCleaner.
July 31, 06:32 ⮞ Attackers install C&C server.
August 11, 07:36 ⮞ Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
August 15 ⮞ Piriform, now part of Avast, releases CCleaner 5.33. The CCleaner 5.33.6162 version was infected with the Floxif malware.
August 20 and 21 ⮞ Morphisec's security product detects and stops first instances of CCleaner malicious activity, but they did not have insight into what exactly they stopped.
August 24 ⮞ Piriform releases CCleaner Cloud v1.07.3191 that also included the Floxif trojan.
September 10 20:59 ⮞ C&C server runs out of space and stops data collection. Attackers make a backup of the original database.
September 11 ⮞ Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 07:56 ⮞ Attackers wipe C&C server.
September 12 08:02 ⮞ Attackers reinstall C&C server.
September 12 ⮞ Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 ⮞ Cisco notifies Avast of its own findings.
September 15 ⮞ Authorities seize C&C server.
September 15 ⮞ Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214. These are clean versions.
September 18 ⮞ CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.
September ?? ⮞ ServerCrate provides a copy of the backup server to Avast.
Avast also published a revised list of IOCs (indicators of compromise) in its latest report. Sysadmins can use these IOCs to search for infections on their network.
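As an added illustration of how the version IOCs and the second-stage filter lists above translate into triage work (example code written for this article, not Avast's or Piriform's), the helper below flags hosts running the tainted builds named in the timeline and raises the priority of any whose domain matches a company on the filter lists. The domain-label mapping and the inventory are constructed assumptions, not the attackers' real rule.

```python
from dataclasses import dataclass
# Build numbers the article identifies as carrying the Floxif first stage.
TAINTED_BUILDS = {"CCleaner": {"5.33.6162"}, "CCleaner Cloud": {"1.07.3191"}}
# Companies from the article's two second-stage filter lists, keyed by an
# assumed domain label (a hypothetical mapping, not the attackers' rule).
STAGE2_TARGET_LABELS = {
    "samsung": "Samsung", "intel": "Intel", "sony": "Sony", "vmware": "VMWare",
    "o2": "O2", "vodafone": "Vodafone", "linksys": "Linksys", "epson": "Epson",
    "msi": "MSI", "akamai": "Akamai", "dlink": "DLink", "htc": "HTC",
    "microsoft": "Microsoft", "google": "Google", "cisco": "Cisco",
}

@dataclass(frozen=True)
class Host:
    name: str
    domain: str   # DNS/AD domain the host belongs to
    product: str  # "CCleaner" or "CCleaner Cloud"
    version: str

def is_tainted(product, version):
    return version in TAINTED_BUILDS.get(product, set())

def stage2_target(domain):
    """Target company if a whole domain label matches (avoids 'msinet'-style false hits)."""
    for label in domain.lower().split("."):
        if label in STAGE2_TARGET_LABELS:
            return STAGE2_TARGET_LABELS[label]
    return None

def triage(hosts):
    """(hostname, priority, reason) per host on a tainted build; priority 1
    means the domain is on a second-stage target list, so hunt for the backdoor."""
    findings = []
    for h in hosts:
        if not is_tainted(h.product, h.version):
            continue
        reason = f"tainted {h.product} {h.version}"
        company = stage2_target(h.domain)
        if company:
            reason += f"; domain matches stage-2 target {company}"
        findings.append((h.name, 1 if company else 2, reason))
    return sorted(findings, key=lambda f: (f[1], f[0]))

SAMPLE_HOSTS = [  # constructed inventory: fictional hosts and domains
    Host("ws01", "corp.example.com", "CCleaner", "5.33.6162"),
    Host("ws02", "eng.samsung.example", "CCleaner", "5.33.6162"),
    Host("ws03", "corp.example.com", "CCleaner", "5.34"),
    Host("ws04", "it.intel.example", "CCleaner Cloud", "1.07.3191"),
]
```

Running `triage(SAMPLE_HOSTS)` lists ws02 and ws04 first as priority 1 and ws01 as priority 2; ws03 on the clean 5.34 release is not reported.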
Comments
Occasional - 1 year ago
Incredible story - even just what's known so far!
Most obvious characteristic is the sophistication, orchestration and selectivity of the attackers. While a broad spectrum of talented cyber security experts is doing extensive forensic examination of what's available, the unavoidable impression is that what's known will turn out to be a fraction of the whole story.
What is known raises a list of questions to which only the attackers have the definitive answers. Most important are the questions of choice:
Why choose CCleaner as the transport mechanism for the first stage payload? [Because of the extensive, well rated and established user base? Because their base would include many 32bit systems (being available since 2003, when 32bit was the norm)? Because being an antimalware product it would be more likely trusted? Because of the many trusted download sites that offer CCleaner (making the path from infected to infector harder to trace)? Because the attackers had an "in" specific to Piriform or a partner (a knowing or unwitting human agency in a position to alter the binaries)?]
Why choose 32bit systems for the initial payload? [Because they lack security chips common on later systems? Because the OS application choices are limited (with security updates no longer available)? Because these older systems are still in the networks of many government and corporate entities (where they are often marginalized - yet still connected to newer nodes)?]
Why choose a US based hosting system for the C&C and database for acquired data? [At first glance, an odd choice - as it made physical seizure (and the opportunity for forensics) easier. Are US located datacenters less carefully scrutinized, raise fewer red flags?]
Those are a few of the questions we hope to have answered; and hope those answers will mitigate the damage done, and lessen the likelihood of a similar attack in the future.
AshwinDurairaj - 1 year ago
I do believe the target of CCleaner was a very well thought out one, perhaps due to the sophistication of the attack and the organisations being targeted and therefore rules out the potential opportunistic attack. However, it's possible that they tried to attack other companies for supply chain attacks and failed.
All it takes for one supply chain attack is at the very least a developer email and password, of which millions are probably out there. It's not very hard to do this, and the attackers could've mapped out 10s of companies in a similar sector and got all the developer emails, and tried them against various portals or companies which manage the source code/build/deployment.
Occasional - 1 year ago
Agreed: this was no target-of-opportunity attack, unless it was the first, qualified (to their requirements and agenda), opportunity from a short list of candidates.
With the sophisticated preparation (once the target was selected), they might have been thrown a curveball by the Avast takeover - might have caused them to accelerate their already in progress schedule - and that led to server overflow and incomplete erasing of their tracks.
These guys weren't out to catch whatever would take the bait; they were after a trophy, and they got one.