Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part III
Page 65 of 425

14.4.9 Attempt to log in to the SCM database from Citrix Server 2 on 26 June 2018
186. On 26 June 2018, a failed attempt to connect to the SCM database from Citrix Server 2 was made from VM 2, using the account belonging to the user of Workstation A. Once again, this failed because the account had not been granted access to the database.
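The failed connection attempts described in paragraphs 185 to 186 share a defender-relevant pattern: database login failures originating from hosts that, after the July 2017 migration, had no business reaching the SCM database. The following is an added example, not code from the COI report or from SingHealth/IHiS, showing how such failures could be surfaced from a database audit log. The log format, the host names, the account names and the set of "expected" source hosts are all constructed assumptions for illustration.

```python
# Added example (not from the COI report): flag database login failures
# coming from hosts that are not expected to reach the SCM database.
# The log format and every sample line below are constructed for illustration.
import re
from collections import defaultdict

# Assumed audit-log line shape:
#   <timestamp> LOGIN_<FAILED|OK> user=<account> src=<host> db=<database> reason=<text>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<outcome>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) reason=(?P<reason>\S+)$"
)

# Assumption: after the migration only the H-Cloud Citrix tier should connect
# to the SCM database; the SGH Citrix servers are no longer an expected source.
EXPECTED_SOURCES = {"hcloud-citrix-03"}

# Constructed sample log: two failures from an SGH Citrix server using a
# workstation user's account, and ordinary traffic from the H-Cloud tier.
SAMPLE_LOG = """\
2018-06-26T09:12:03Z LOGIN_FAILED user=wsA-user src=sgh-citrix-02 db=SCM reason=not_granted
2018-06-26T09:12:05Z LOGIN_FAILED user=wsA-user src=sgh-citrix-02 db=SCM reason=not_granted
2018-06-26T09:40:11Z LOGIN_OK user=app-acct src=hcloud-citrix-03 db=SCM reason=-
2018-06-26T10:02:44Z LOGIN_FAILED user=app-acct src=hcloud-citrix-03 db=SCM reason=bad_password
"""


def parse_events(log_text):
    """Yield one dict per well-formed log line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failed_logins_from_unexpected_sources(log_text, expected=EXPECTED_SOURCES):
    """Return {(src_host, account): failure_count} for failed logins whose source
    host is outside the expected set. Failures from expected hosts are ignored here
    because they are routine (typos, expired passwords) and belong to a separate rule."""
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        if ev["outcome"] == "FAILED" and ev["src"] not in expected:
            counts[(ev["src"], ev["user"])] += 1
    return dict(counts)


def render_alerts(log_text, expected=EXPECTED_SOURCES):
    """Produce one human-readable alert line per (host, account) pair."""
    findings = failed_logins_from_unexpected_sources(log_text, expected)
    return [
        f"ALERT: {n} failed DB login(s) from unexpected host {src} using account {user}"
        for (src, user), n in sorted(findings.items())
    ]


if __name__ == "__main__":
    for alert in render_alerts(SAMPLE_LOG):
        print(alert)
```

The rule keys on the source host rather than on the account, because the account used in paragraph 186 was an ordinary user account with no database rights; what makes the event anomalous is that a server outside the current application tier tried to reach the database at all. An allowlist of expected sources, maintained alongside the migration plan, is what turns a single "not granted" failure into an actionable alert.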
14.4.10 Obtaining credentials of the A.A. account from Citrix Server 3 on 26 June 2018
187. The events discussed in this and the following section 14.5 are summarised in the following figure.

Figure 10: Obtaining credentials to the A.A. account and querying the SCM database




188. On 26 June 2018, the attacker remotely logged in to Citrix Server 2 from Workstation B using the S.A. account. From Citrix Server 2, the attacker used the D.A. account to access an H-Cloud Citrix server, Citrix Server 3. While there is no conclusive evidence to show this, CSA assesses that it is probable that, whilst logged into Citrix Server 3, the attacker stole credentials to an account referred to in this report as the “A.A. account”. Obtaining the credentials to the A.A. account allowed the attacker to cross the last mile to the SCM server, as the account could be used to make SQL queries to the database.
189. CSA’s assessment is that there was a coding vulnerability in the SCM application, and it is highly probable that this vulnerability allowed the attacker to easily retrieve the credentials of the A.A. account. Further details of this vulnerability will be discussed in section 15.6 (pg 86) below.
190. The lateral movement to Citrix Server 3 was significant because the credentials of the A.A. account could not be obtained from the SGH Citrix Servers 1 and 2. This arose from the fact that the SGH servers were no longer being used actively to connect to the SCM database following the migration of the SCM application to the H-Cloud Citrix servers in July 2017.
191. Lum has explained that connectivity between Citrix Server 2, which was an SGH server, and Citrix Server 3, an H-Cloud server, had been present since June 2017, when the SCM system was migrated to the H-Cloud. The plan was to have all Citrix servers in both SGH and the H-Cloud form one logical farm, and the planned upgrade was scheduled for completion in September 2018. Only the ports that were required for the Citrix servers to communicate with each other were left open. It was through this connection that the attacker was able to connect from Citrix Server 2 to Citrix Server 3.
192. With the credentials to the A.A. account, the attacker began the Actions on Objectives phase as described in the Cyber Kill Chain, retrieving and exfiltrating patient data from the SCM database.