COI Report – Part IV, Page 131 of 425

389. Katherine surmised that the failed attempts at logging into the SCM database were evidence of someone attempting to gain unauthorised access to the SCM database. At pm, Katherine forwarded it to Kelvin, Robin and Lum, with the subject of her email being “Login failed – new server.”, and with the IP address of Citrix Server 2 in the body text.

Second series of failed logins
390. At pm on 13 July 2018, another system-generated email alert was sent to Katherine, informing her of a few more failed logins to the SCM database over a short period of time earlier that day. Once again, all the attempts were made from Citrix Server 2.
391. In one attempt, the server name for Citrix Server 3 was again used as a user-ID. The user-ID in another attempt was the name of a service account which would not ordinarily be used for the purposes of logging into the SCM database. In yet another attempt, the attacker used a user-ID that it had used in a prior attempt to connect to the SCM database from Citrix Server 1 on 12 June 2018.
392. Katherine was of the view that “these failed login attempts were even more unusual as compared to the others”, and when she saw these errors, coupled with her knowledge of all the other failed login attempts, she realised that someone was repeatedly trying to gain unauthorised access to the SCM database. She forwarded these alerts to Lum as well.
Lum’s reply at pm

393. Upon receiving Katherine’s pm email, Lum identified the hostname of Citrix Server 3 to be that of a H-Cloud Citrix server. He also identified the IP address from which the attempted logins to the SCM database were made as being associated with Citrix Server 2. Lum checked the login logs for Citrix Server 2, and ascertained that (i) VM 1 was logged into Citrix Server 2 at the time of the failed logins to the SCM database, and (ii) the account used to login to Citrix Server 2 was the SA. account.
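The triage that Katherine and Lum carried out by hand in paragraphs 390 to 393 (flagging failed database logins whose user-ID is a server hostname, a service account, or an ID reused from earlier attempts, and then checking which session was active on the source Citrix server at that moment) can be expressed as a small correlation routine. The code below is an added illustration, not from the COI report or from any SingHealth or IHiS system; all hostnames, account names, IP addresses and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed reference data (assumptions, not from the report).
KNOWN_HOSTNAMES = {"CITRIX-SRV-3"}      # server names that should never appear as a DB user-ID
SERVICE_ACCOUNTS = {"svc_backup"}       # accounts not ordinarily used to log into the database
EARLIER_ATTEMPT_IDS = {"dbadmin_x"}     # user-IDs already seen in an earlier series of attempts
HOST_BY_IP = {"10.0.0.2": "CITRIX-SRV-2"}

# Constructed failed-login alerts from the database: (time, user_id, source_ip).
FAILED_DB_LOGINS = [
    (datetime(2018, 7, 13, 14, 5), "CITRIX-SRV-3", "10.0.0.2"),
    (datetime(2018, 7, 13, 14, 6), "svc_backup", "10.0.0.2"),
    (datetime(2018, 7, 13, 14, 7), "dbadmin_x", "10.0.0.2"),
]

# Constructed Citrix session log: (server, account, client_host, start, end).
CITRIX_SESSIONS = [
    ("CITRIX-SRV-2", "SA", "VM-1", datetime(2018, 7, 13, 13, 50), datetime(2018, 7, 13, 14, 30)),
    ("CITRIX-SRV-2", "alice", "WS-7", datetime(2018, 7, 13, 9, 0), datetime(2018, 7, 13, 12, 0)),
]

def classify_user_id(user_id):
    """Explain why a failed-login user-ID is suspicious, or 'unclassified' if it is not."""
    if user_id in KNOWN_HOSTNAMES:
        return "hostname-as-userid"
    if user_id in SERVICE_ACCOUNTS:
        return "service-account"
    if user_id in EARLIER_ATTEMPT_IDS:
        return "reused-from-prior-attempts"
    return "unclassified"

def correlate(failed_logins, sessions, host_by_ip):
    """For each failed DB login, resolve the source server and list sessions active on it at that time."""
    findings = []
    for ts, user_id, ip in failed_logins:
        server = host_by_ip.get(ip, ip)
        active = [(acct, client) for (srv, acct, client, start, end) in sessions
                  if srv == server and start <= ts <= end]
        findings.append({"time": ts, "user_id": user_id, "reason": classify_user_id(user_id),
                         "source_server": server, "active_sessions": active})
    return findings

def burst(failed_logins, window=timedelta(minutes=5), threshold=3):
    """True if at least `threshold` failures fall inside any `window`-long interval."""
    times = sorted(t for t, _, _ in failed_logins)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))
```

Running `correlate(FAILED_DB_LOGINS, CITRIX_SESSIONS, HOST_BY_IP)` attributes all three failures to the constructed CITRIX-SRV-2 and shows the single session (account "SA" from "VM-1") that was open there at the time, which is the same join Lum performed against the Citrix login logs.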