COI Report – Part III Page 59 of 425 14.4.3 Obtaining credentials of the LA. local administrator account 163. A local administrator account, referred to in this report as the “L.A. account”, was an account found on all the Citrix servers at the SGH data centre. The account has full administrative privileges to login to the Citrix server, including logging in interactively, and logging in remotely via RDP. The attacker obtained and used the credentials of the LA. account to login to at least two SGH Citrix servers (referred to in this report as “Citrix Server 1” and “Citrix Server 2” respectively) on multiple occasions in May and June 2018. 164. Investigations have revealed at least two possibilities of how the attacker obtained the password for the LA. account a) First, the LA. account had a weak password, ‘P@ssw0rd’, that would produce a common password hash that could easily be decrypted with free online tools. 19 Attackers who are experienced in network intrusion techniques would be familiar with the use of such weak password hashes. From the numerous domain user profiles observed in Citrix Server 1, CSA deduced that the attacker could have logged in using a domain user account, obtained the password hash of the LA. account, and then decrypted it with ease. b) Second, the credentials to the LA. account were found to be reflected in clear-text on a batch file on Citrix Server 1. It is possible that the attacker had first achieved access to the file system of the Citrix server, and then accessed this file and obtained the credentials. 18 An interactive login is a process whereby the user gains access to the network by entering a username and password in response to a dialog box on the local console. Using a publicly available online tool, CSA was able to decrypt the password hash within seconds to reveal the actual password in plaintext.
