Detecting failed logins to the SCM database from Citrix Server



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
22.6 Detecting failed logins to the SCM database from Citrix Server 4
400. At pm on 13 June 2018, a system-generated email alert was sent to Katherine informing her of one failed attempt at logging into the SCM database that same afternoon from another IP address which was different from the earlier observed attempts. Although Katherine did not know this at the time, this IP address was that of Citrix Server 4. The user-ID used in the failed login attempt was that of the user of Workstation A.
401. Katherine forwarded the email to Kelvin, Robin, Lum and Joanne immediately, highlighting in the email title that there was a new server involved. Further to Lum’s directions, Katherine also forwarded the email to Veerendra for investigations.
22.7 Investigations into the account used to login to Citrix Server 4 and resetting the account password
402. Having received Katherine’s second email at pm, Lum determined that the IP address was associated with Citrix Server 4, a SGH server. By reviewing the login logs to Citrix Server 4, the team found that the account belonging to the user of Workstation A was used to login to Citrix Server 4 on a few occasions, including on 13 June 2018 from VM 2. This login to Citrix Server 4 on 13 June 2018 took place a few minutes before the failed attempt to log into the SCM database from Citrix Server 4. The Citrix Team then identified the user of the account.

COI Report – Part IV, Page 134 of 425

403. The Citrix Team provided the above information to Benjamin on 13 June 2018 itself. At pm on 13 June 2018, Benjamin asked SingHealth’s outsourced vendor for IT services to reset the user’s password, giving the reason that the credentials were being abused. At pm that same day, the vendor replied, stating that they had contacted the user and gotten his approval for the password reset, and indicating that the password reset had been carried out.
