Last week news came out that CCleaner software was infected with a backdoor. An initial investigation showed it was a state-sponsored attack. Now, Avast has finally revealed the complete list of organizations affected by the second-stage CCleaner malware in its newest update, published last Friday. The company has been busy investigating the presence of malware in its very popular and widely used CCleaner tool. The list was compiled after the company discovered a second server database, which was used by the malware in CCleaner to send the attackers information about the infected hosts.

Avast has narrated the details of the attack in its official blog post, which reads: “Analysis of the CnC server showed that the incident was, in fact, an Advanced Persistent Threat (APT) attack, targeting specific high-tech and telecommunications companies. That is, despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data; instead, the CCleaner customers were used to gain access to corporate networks of select large enterprises.”

Initially, Avast claimed that the incident happened because one of the servers ran out of disk space on Sep 10, due to which the operator had to rebuild the database fully. However, in the latest report, uploaded on 25 Sep., Avast’s Threat Labs team explained that after further investigation it was learned that the attackers had managed to back up the data from the crashed C&C server to a second server before rebuilding the database. The investigation was conducted jointly by the Threat Labs team from Avast and US law enforcement officials.

The blog post noted that the IP address of the second server was identified as 216.126.225.163. This server featured the same self-signed SSL certificate and, stack-wise, had the usual LAMP configuration (CentOS release 6.9 with Apache 2.2.15, PHP 5.3.3). Avast further revealed that a MySQL database contained data going back to August 18. When the backup server was accessed, the complete database was found, but only the data between 19:03:-09-12 9:58:47 UTC was missing. This refers to the window between the crash of the original C&C database and the creation of the new database. However, it is not yet clear how the C&C server behaved during this period.

According to the findings, there were approx. 5,686,677 connections to the C&C server, while the number of unique MAC addresses communicating with the C&C server was 1,646,536. The second-stage payload was delivered to 40 unique PCs. It was also noted that the server’s database only contained information about user infections that occurred between 12 Sep and 16 Sep, after which the hackers installed another server, which was seized by Avast on 15 Sep. This refers to the fact that Avast and law enforcement have obtained the full list of infected hosts apart from the 40-hour period, including the affected PCs with the first- and second-stage payloads. The infected version of CCleaner was downloaded by more than 2.27 million users, of which only 40 PCs were delivered the second-stage malware, claimed Avast. This, however, contradicts the company’s previous statement and that of investigation firm Cisco, which claimed that 20 PCs were affected with second-stage malware.

As is apparent, the most infected bots are 13 computers located on the network of the Taiwan-based ISP Chunghwa Telecom; the company ranked second on the list, with ten computers, is the Japan-based IT firm NEC, while third on the list is Samsung with five computers. The table shows the complete list of infected hosts:
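The figures above (total connections, unique MAC addresses, the 40 second-stage victims grouped by organization, and the gap left by the database crash) are the kind of summary an incident responder produces from a seized C&C log. The script below is an added example, not Avast's tooling and not the real CCleaner database: the record layout (timestamp, MAC, hostname, stage) is an assumption, and the log lines are constructed sample data using reserved `.invalid` domains.

```python
"""Summarise a seized C&C connection log: connection count, unique MACs,
second-stage victims per domain, and whether a time window has any records.

Added example. The four-field record layout is an assumption; nothing here is
taken from the actual CCleaner C&C database.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (timestamp, MAC, hostname, stage).
# The last line is deliberately malformed to exercise the parser's skip path.
SAMPLE_LOG = """\
2017-09-12T19:10:01Z,00:1a:2b:3c:4d:01,desk01.isp-a.invalid,stage1
2017-09-12T19:12:44Z,00:1a:2b:3c:4d:02,dev07.itfirm-b.invalid,stage1
2017-09-12T19:12:45Z,00:1a:2b:3c:4d:02,dev07.itfirm-b.invalid,stage2
2017-09-13T02:00:13Z,00:1a:2b:3c:4d:01,desk01.isp-a.invalid,stage1
2017-09-13T08:41:59Z,00:1a:2b:3c:4d:03,lab02.isp-a.invalid,stage1
2017-09-13T08:42:00Z,00:1a:2b:3c:4d:03,lab02.isp-a.invalid,stage2
2017-09-14T11:05:30Z,00:1a:2b:3c:4d:04,home-pc.residential.invalid,stage1
2017-09-15T07:30:00Z,00:1a:2b:3c:4d:02,dev07.itfirm-b.invalid,stage1
garbage line that does not parse
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2017-09-12T19:10:01Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Return a list of (timestamp, mac, hostname, stage) tuples.

    Malformed lines are skipped rather than aborting the run, since a seized
    log is rarely clean end to end.
    """
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, mac, host, stage = parts
        try:
            when = parse_ts(ts)
        except ValueError:
            continue
        records.append((when, mac.lower(), host.lower(), stage))
    return records


def summarize(records):
    """Aggregate the headline numbers: connections, unique MACs, and the
    second-stage victims counted per organization (here, per DNS domain)."""
    stage2_by_domain = defaultdict(set)
    for _, mac, host, stage in records:
        if stage == "stage2":
            # Group by the part after the host label; a bare hostname stays as-is.
            domain = host.split(".", 1)[1] if "." in host else host
            stage2_by_domain[domain].add(mac)
    return {
        "connections": len(records),
        "unique_macs": len({mac for _, mac, _, _ in records}),
        "stage2_pcs": sum(len(macs) for macs in stage2_by_domain.values()),
        "stage2_by_domain": {d: len(m) for d, m in sorted(stage2_by_domain.items())},
    }


def records_in_window(records, start_iso, end_iso):
    """Count records with start <= timestamp < end.

    A count of zero over a window the server was supposedly live in is the
    signal that data for that period is missing, which is what the crashed
    database left behind in the account above.
    """
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    return sum(1 for when, *_ in records if start <= when < end)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("records on 13 Sep:", records_in_window(recs, "2017-09-13T00:00:00Z", "2017-09-14T00:00:00Z"))
    print("records on 16 Sep:", records_in_window(recs, "2017-09-16T00:00:00Z", "2017-09-17T00:00:00Z"))
```

Grouping by DNS domain rather than by MAC or IP is what lets the per-company breakdown (13 hosts at one ISP, ten at an IT firm, and so on) fall out directly; the window check is the quick way to confirm whether a suspected outage period really has no records before drawing conclusions from it.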