Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 90 of 425

“clean up” any existing files containing admin credentials. He also instructed the team to enforce stringent controls over such files and the folders in which they were stored. Finally, he impressed on the team that they should take these matters seriously, and that everyone in the team had to take ownership of the issues raised. Evidently, his exhortations went unheeded, given that the batch file discussed in paragraph 266 above was created shortly after, on 9 April 2017.

269. Similarly, in March 2017, Woon Lan instructed all administrators to “comb through” their files to “ensure there is no hardcoded password”. Woon Lan has explained that by “combing through”, she had in mind the administrators checking through every server. Her thinking was that if the administrators had developed such scripts, they would know where the scripts were saved on the servers.

270. IHiS’ management response, as stated in the GIA Internal Audit Report from May 2017, was that IHiS had “Completed housekeeping of scripts in the server”. Woon Lan has explained that in making this response, she meant that the specific server flagged up in the pen-test had undergone housekeeping. However, this response was given in spite of the fact that neither Woon Lan nor Lum had taken any steps to verify that their directions above had in fact been carried out by the Citrix Team across all Citrix servers.

15.7.2 The Citrix virtualisation environment was not configured adequately to prevent attackers from breaking out into the underlying operating system

271. The penetration testers uncovered that the Citrix virtualisation environment used was not configured adequately to prevent attackers from breaking out of the virtualisation and into the underlying operating system. Exploiting the vulnerability allowed the penetration testers to access files and execute arbitrary commands.
CSA’s hypothesis is that this vulnerability could have been the means by which the attacker gained initial access to the file system of any of the compromised SGH Citrix servers.
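As an added illustration (not part of the COI report, and not IHiS’ or the Citrix Team’s own tooling), the following Python sweep shows one concrete form the “comb through” instruction in paragraph 269 could have taken, and the kind of per-server evidence that would have closed the verification gap noted in paragraph 270: every server in scope appears in the output, including those with zero findings, and no recovered secret is copied into the report. The server names, file paths, detection rules and script contents are constructed for the example; they are not the batch file the report describes.

```python
"""Sweep administrative scripts for hardcoded credentials, per server.

Added illustration; not from the COI report or IHiS. All server names,
paths, rule patterns and script contents are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    server: str
    path: str
    lineno: int
    rule: str
    excerpt: str  # offending line with the secret redacted


# Not a literal secret: the '*' prompt marker, a batch %VAR%, or a
# PowerShell/environment $variable (worth review, but not hardcoded).
_INDIRECT = re.compile(r"^(\*|%[^%]+%|\$\S+)$")

# Group 1 of each regex is the candidate secret. Deliberately conservative;
# the rule set is an assumption for this example and would be tuned per site.
_RULES = [
    ("psexec -p", re.compile(r"\bpsexec\b.*\s-p\s+(\S+)", re.I)),
    ("schtasks /rp", re.compile(r"\bschtasks\b.*\s/rp\s+(\S+)", re.I)),
    ("wmic /password", re.compile(r"\bwmic\b.*\s/password:(\S+)", re.I)),
    ("ConvertTo-SecureString literal",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?[\"']([^\"']+)[\"']\s.*-AsPlainText", re.I)),
    ("password assignment",
     re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"'&|]+)", re.I)),
]
_NET_USE = re.compile(r"^\s*net\s+use\b", re.I)


def _net_use_secret(line: str) -> str | None:
    """Literal password on a `net use` line, if any: `net use` takes the
    password as a bare token, so any token that is not the drive letter,
    the UNC path, a /switch or an indirect value is the password."""
    for tok in line.split()[2:]:
        if tok.startswith(("/", "\\\\")) or re.fullmatch(r"[A-Za-z]:", tok):
            continue
        if _INDIRECT.match(tok):
            continue
        return tok
    return None


def _redact(line: str, secret: str) -> str:
    # Never copy the secret into the sweep report itself.
    return line.strip().replace(secret, "<redacted>")


def scan_script(server: str, path: str, text: str) -> list[Finding]:
    """Scan one script; commented-out credentials are still reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _NET_USE.match(line):
            secret = _net_use_secret(line)
            if secret is not None:
                findings.append(Finding(server, path, lineno, "net use password",
                                        _redact(line, secret)))
            continue
        for rule, rx in _RULES:
            m = rx.search(line)
            if m and not _INDIRECT.match(m.group(1)):
                findings.append(Finding(server, path, lineno, rule,
                                        _redact(line, m.group(1))))
                break
    return findings


def sweep(inventory: dict[str, dict[str, str]]) -> dict[str, list[Finding]]:
    """Scan every script on every server. Servers with no findings stay
    keyed in the result, so the output evidences coverage, not just hits."""
    return {
        server: [f for path, text in files.items()
                 for f in scan_script(server, path, text)]
        for server, files in inventory.items()
    }


def coverage_summary(report: dict[str, list[Finding]]) -> dict[str, int]:
    """Finding count per swept server, zeros included."""
    return {server: len(found) for server, found in report.items()}


# Constructed samples: one server with literal passwords, one clean.
SAMPLE_INVENTORY = {
    "CITRIX-01": {
        r"C:\Scripts\mapdrive.bat":
            "@echo off\r\n"
            "net use Z: \\\\fileserver\\admin$ Summer2017! /user:CORP\\svc_admin\r\n"
            "psexec \\\\CITRIX-02 -u CORP\\svc_admin -p Summer2017! cmd /c ipconfig\r\n",
        r"C:\Scripts\deploy.ps1":
            "$pw = ConvertTo-SecureString \"Summer2017!\" -AsPlainText -Force\r\n"
            "$cred = New-Object PSCredential(\"CORP\\svc_admin\", $pw)\r\n",
    },
    "CITRIX-02": {
        r"C:\Scripts\mapdrive.bat":
            "@echo off\r\n"
            "net use Z: \\\\fileserver\\admin$ * /user:CORP\\svc_admin\r\n"
            "set PASSWORD=%ADMIN_PW%\r\n",
    },
}

if __name__ == "__main__":
    result = sweep(SAMPLE_INVENTORY)
    for server, count in coverage_summary(result).items():
        print(f"{server}: {count} finding(s)")
    for f in result["CITRIX-01"]:
        print(f"  {f.path}:{f.lineno} [{f.rule}] {f.excerpt}")
```

In a real estate the inventory would be populated by enumerating script files on each Citrix server rather than from an in-memory dict, and the summary, with its explicit zero-count entries, is the artefact a manager can check before signing off a response such as “Completed housekeeping of scripts in the server”.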