COI Report – Part III
Page 64 of 425

Citrix Server 2

182. On 13 June 2018, the attacker used a compromised local service account, the SA. account, to remotely login to Citrix Server 2, which was an SGH Citrix server. VM 1 was used to login to Citrix Server 2, and these were not legitimate logins.
183. In the afternoon of 13 June 2018, a number of failed attempts were made to login to the SCM database from Citrix Server 2. These attempts failed because invalid user-IDs were used. In one attempt, the server name for a H-Cloud Citrix server (referred to in this report as “Citrix Server 3”) was used as a user-ID. Other attempts were made using other invalid user-IDs.
184. Later in the afternoon of 13 June 2018, another round of failed attempts was made to login to the SCM database from Citrix Server 2. Again, the server name for Citrix Server 3 was used as a user-ID in one attempt. The user-ID in another attempt was the name of a service account which would not ordinarily be used for the purposes of logging into the SCM database. In yet another attempt, the attacker used a user-ID that it had used in a prior attempt to connect to the SCM database from Citrix Server 1 on 12 June 2018.
Citrix Server 4

185. In the afternoon of 13 June 2018, after the attempted logins from Citrix Server 2, the attacker used the account belonging to the user of Workstation A to remotely login to another SGH Citrix server (referred to in this report as “Citrix Server 4”) from VM 2. A few minutes later, the attacker attempted to access the SCM database from Citrix Server 4, but this failed because the account used was not granted access to the SCM database.
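The failed-login pattern described in paragraphs 183 to 185 (bursts of failed database logins from one Citrix server, with user-IDs that are really server names or service accounts, and a user-ID reused from an earlier attempt on another server) is the kind of signal a database audit log can surface. The following is an added detection example written for this page; it is not code from the COI report or from SingHealth/IHiS. All hostnames, account names, timestamps and the 10-minute window are constructed for illustration.

```python
"""Flag clusters of failed database logins that look like credential probing.

Added example, not from the COI report. The records below are constructed to
mirror the pattern the report describes: repeated failed SCM database logins
from one Citrix server using server names and service accounts as user-IDs,
plus a user-ID reused from an earlier attempt on a different server.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login audit records: (timestamp, source host, user-ID).
SAMPLE_FAILED_LOGINS = [
    ("2018-06-13T14:02:11", "CITRIX-SRV-2", "CITRIX-SRV-3"),  # a server name used as a user-ID
    ("2018-06-13T14:02:40", "CITRIX-SRV-2", "jdoe_tmp"),      # unknown user-ID
    ("2018-06-13T14:03:05", "CITRIX-SRV-2", "svc_backup"),    # service account, not for SCM
    ("2018-06-13T16:31:17", "CITRIX-SRV-2", "CITRIX-SRV-3"),  # second round, same server name
    ("2018-06-13T16:31:52", "CITRIX-SRV-2", "svc_print"),     # another service account
    ("2018-06-13T16:32:30", "CITRIX-SRV-2", "dbadmin2"),      # user-ID also tried from another host
    ("2018-06-12T20:10:00", "CITRIX-SRV-1", "dbadmin2"),      # the earlier attempt from elsewhere
    ("2018-06-13T09:15:00", "WORKSTATION-Z", "alice"),        # single benign mistyped login
]

# Constructed reference data a defender would normally already hold.
KNOWN_HOSTNAMES = {"CITRIX-SRV-1", "CITRIX-SRV-2", "CITRIX-SRV-3", "CITRIX-SRV-4", "WORKSTATION-Z"}
SERVICE_ACCOUNTS = {"svc_backup", "svc_print"}
SCM_AUTHORISED_SERVICE_ACCOUNTS = set()  # no service account is expected to log into SCM


def classify_user_id(user_id, known_hostnames, service_accounts, scm_authorised):
    """Return a reason string if the user-ID itself is suspicious, else None."""
    if user_id.upper() in {h.upper() for h in known_hostnames}:
        return "user-ID is a server hostname"
    if user_id in service_accounts and user_id not in scm_authorised:
        return "service account not authorised for SCM database"
    return None


def detect_probing(records, known_hostnames, service_accounts, scm_authorised,
                   window=timedelta(minutes=10), min_failures=3):
    """Group failed logins by source host; flag bursts, odd user-IDs and cross-host reuse.

    Returns a dict mapping source host -> sorted list of reason strings.
    Hosts with nothing suspicious are omitted.
    """
    by_host = defaultdict(list)
    hosts_per_user = defaultdict(set)
    for ts, host, user in records:
        by_host[host].append((datetime.fromisoformat(ts), user))
        hosts_per_user[user].add(host)

    alerts = {}
    for host, events in by_host.items():
        events.sort()
        reasons = []
        # Burst check: at least min_failures failures inside one sliding window.
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            if len(in_window) >= min_failures:
                reasons.append(f"{len(in_window)} failures within {window} starting {start.isoformat()}")
                break
        # Per-attempt checks on the user-ID that was tried.
        for _, user in events:
            reason = classify_user_id(user, known_hostnames, service_accounts, scm_authorised)
            if reason:
                reasons.append(f"{user}: {reason}")
            other_hosts = hosts_per_user[user] - {host}
            if other_hosts:
                reasons.append(f"{user}: also attempted from {sorted(other_hosts)}")
        if reasons:
            alerts[host] = sorted(set(reasons))
    return alerts


def run_sample():
    """Run the detector over the constructed records."""
    return detect_probing(SAMPLE_FAILED_LOGINS, KNOWN_HOSTNAMES,
                          SERVICE_ACCOUNTS, SCM_AUTHORISED_SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host)
        for r in reasons:
            print("  -", r)
```

On the sample data the detector reports CITRIX-SRV-2 for a three-failure burst, two server-name and service-account user-IDs, and the user-ID shared with CITRIX-SRV-1; WORKSTATION-Z, with a single ordinary failure, is not reported. In practice the hostname and service-account lists would come from the asset inventory and directory rather than being hard-coded, and the window and threshold would be tuned against the site's normal failure rate.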