COI Report – Part V (page 194 of 425)

(b) The second level was scheduling changes to the passwords of all the privileged and database application IDs, and host IDs, which was completed by 19 July 2018.
32.3.3 Cleaning-up of network-based IOCs, instituting of firewall rules, and reloading of Citrix servers

615. IOCs (indicators of compromise) discovered by CSA in the course of their forensics and malware analyses were incorporated into IHiS’ corporate antivirus system from 17 July 2018. From 13 July 2018, the IHiS network team also created firewall rules to block off malicious callbacks to the C2 servers identified by the CSA analyst team.
CSA also shared the identified IOCs with the other CII Sector Leads for dissemination to their CII owners, so that they could scan for similar infections.
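The two network-side actions in paragraph 615, turning a shared IOC list into outbound block rules and then checking which hosts had already called back, can be illustrated with a small script. The code below is an added example and is not from the COI Report, IHiS or CSA: the IOC feed format, the indicator values (documentation-range addresses and .invalid domains) and the egress-proxy log lines are all constructed, and the iptables syntax is only one way to render a block rule.

```python
"""
Added example (not part of the COI Report): turning a shared IOC list into
outbound firewall block rules and checking egress logs for earlier callbacks.

Everything here is constructed: the IOC values use documentation-range
addresses and .invalid domains, and the proxy log lines are invented.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed IOC feed in the shape a sector lead might circulate:
# one indicator per line as "type,value,note". Not from the report.
IOC_FEED = """\
ip,192.0.2.44,callback host A
ip,198.51.100.7,callback host B
domain,update.example.invalid,staging domain
domain,cdn.example.invalid,second-stage download
"""


@dataclass
class IocSet:
    ips: set[str] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)


def parse_ioc_feed(text: str) -> IocSet:
    """Parse the feed; IPs are validated so a malformed line cannot become a rule."""
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, *_ = line.split(",")
        value = value.strip().lower()
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on garbage
            iocs.ips.add(value)
        elif kind == "domain":
            iocs.domains.add(value.rstrip("."))
    return iocs


def egress_block_rules(iocs: IocSet, chain: str = "OUTPUT") -> list[str]:
    """Render one outbound DROP rule per IOC address (iptables syntax, as an example)."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in sorted(iocs.ips)]


# Constructed egress-proxy log: timestamp, source host, destination, HTTP status.
PROXY_LOG = """\
2018-07-13T09:12:01Z ws-0041 203.0.113.10 200
2018-07-13T09:12:05Z ws-0077 192.0.2.44 200
2018-07-13T09:13:19Z ws-0077 update.example.invalid 200
2018-07-13T09:14:02Z db-srv-02 198.51.100.7 403
2018-07-13T09:15:40Z ws-0090 intranet.example.invalid 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$")


def _matches_domain(dst: str, domains: set[str]) -> bool:
    """Exact match or a subdomain of a listed domain."""
    return any(dst == d or dst.endswith("." + d) for d in domains)


def find_callbacks(log_text: str, iocs: IocSet) -> list[tuple[str, str, str]]:
    """Return (timestamp, source host, destination) for every line that hit an IOC.

    A blocked attempt (non-2xx status) is still reported: the host tried to
    reach the indicator, so it is a candidate for forensic review regardless.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst = m["dst"].lower().rstrip(".")
        if dst in iocs.ips or _matches_domain(dst, iocs.domains):
            hits.append((m["ts"], m["src"], dst))
    return hits


def hosts_to_investigate(log_text: str, iocs: IocSet) -> list[str]:
    """Distinct source hosts that reached (or tried to reach) an IOC, sorted for triage."""
    return sorted({src for _, src, _ in find_callbacks(log_text, iocs)})


if __name__ == "__main__":
    iocs = parse_ioc_feed(IOC_FEED)
    for rule in egress_block_rules(iocs):
        print(rule)
    for hit in find_callbacks(PROXY_LOG, iocs):
        print("callback:", *hit)
    print("investigate:", hosts_to_investigate(PROXY_LOG, iocs))
```

The point of keeping the log check separate from the rule generation is that a block rule only stops future callbacks; any host that already attempted one, including the attempt the proxy refused with a 403, still needs to be examined and cleaned, which is the same reasoning that led IHiS to reimage every Citrix server rather than rely on the firewall rule alone.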
616. Upon discovery that the SGH Citrix server had been used by the attacker to access the SCM database, the IHiS network team added firewall rules to block access from the SGH Citrix servers to the SCM database on 11 July 2018.
617. However, as it was not possible to ascertain through detailed forensic examination whether each Citrix server was compromised (nearly a thousand such servers were running in the HDC), IHiS set out to reload each of the Citrix servers in the HDC Citrix server farm with a clean image on 14 and 15 July 2018. This ensured that no compromised Citrix server was left running after the clean images were reloaded. All Citrix servers were fully refreshed by 16 July 2018.
32.3.4 Disabling of PowerShell on endpoints

618. After learning from CSA that the attacker had made use of PowerShell malware in the attack, IHiS disabled PowerShell on 13 July 2018 on all end-user machines.