Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 91 of 425

272. In relation to this vulnerability, IHiS had indicated in its management response that it would lock down the Citrix server farm. However, the lock down was only carried out for the new Citrix farm in H-Cloud, and not for the SGH LDC. This meant that the vulnerability continued to be exploitable for the SGH Citrix servers at the time of the Cyber Attack.

15.7.3 Observations on the remediation of vulnerabilities identified in the FY16 H-Cloud Pen-Test

273. The FY16 H-Cloud Pen-Test was conducted in early 2017, and a number of vulnerabilities were identified. The vulnerabilities identified by the penetration testers should have been remediated at the time of the Cyber Attack, given that IHiS had been informed of the observations from the penetration test as early as March 2017, well before the various weaknesses were exploited in the Cyber Attack. Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, as is evident from the findings on issues such as: (i) weak domain/privileged user passwords; (ii) administrator credentials found on network shares; (iii) poor network segregation for administration access; and (iv) the Citrix environment compromise issue.

274. To make matters worse, some issues were reported by the management of the IHiS Infrastructure Services Division at the time (e.g. the Citrix Team, led by Lum, the Data Centre Services Tower Lead, Woon Lan, and the Security Services Tower Lead, Ernest) to the GIA as having been resolved by the time the Internal Audit Report was published in May 2017, without first taking steps to verify if they were in fact resolved, or considering carefully if the steps taken were adequate. Clear examples are the cases involving weak domain/privileged user passwords, and administrator credentials found on network shares, where the remediation done for these items was limited to the particular accounts or servers that were identified by GIA, and no thought was given to implementing the same measures on all other local accounts and across all other Citrix servers.

275. In spite of the inadequacy of the measures taken, these audit items were marked in the Internal Audit Report as having been completed. The Internal