SingHealth cyber attack Flashcards
SingHealth data breach 3 effects overview
- personal info of mass public leaked
- personal info and outpatient med records of PM leaked
- outpatient med records of mass public leaked
Key events of SingHealth data breach(8)
- Attacker infected workstations through phishing, lay dormant, then moved laterally to the SGH Citrix servers and the SCM (Sunrise Clinical Manager) DB
- Remote connection to SGH Citrix servers
- IHiS IT admin noticed unauthorised and failed attempts to access the SCM DB
- Attacker querying the SCM DB
- Suspicious queries spotted and terminated; measures put in place to prevent further queries
- Only a select few knew about the incident; not escalated to senior management and the relevant govt agencies until later
- Joint investigation by IHiS and CSA (Cyber Security Agency)
- Public announcement via SMS
Purpose of joint investigation(3) + measure taken
- contain existing threat
- eliminate attacker foothold
- prevent recurrence of attack
- measure taken: internet surfing separation implemented
Key Findings of SingHealth cyber attack(5)
1. Lack of cybersecurity awareness and proper response
2. Failed to take effective and timely response
3. Vulnerabilities not remedied before attack
4. Attack was skilled and sophisticated
5. Cyber defence will never be impregnable, but the attack was not inevitable
Attacker was sophisticated(4)
1. Clear goal
2. Advanced tools/tactics/procedures
3. Persistent, multiple footholds and backdoors
4. Extensive command and control network
What could have been done to stop the attacker(6)
- Staff training
- Regulated remote/internet access
- 2FA
- Strong passwords, with enforcement
- Vulnerabilities fixed immediately
- Inactive email accounts removed immediately to reduce attack surface
Cyber Kill Chain Framework (RWDEICA)
Reconnaissance
Weaponisation
Delivery
Exploitation
Installation
Command and Control
Action on objectives
Malicious artefacts in SingHealth attack(4)
- Log file from malware containing plaintext passwords
- Hacking tool with persistence: attacker can run brute-force attacks, access mail exchange servers, and use it as a hidden backdoor for re-entry
- RAT1: executes shell scripts remotely
- RAT2: not detected by standard anti-virus
Other vulnerabilities in SingHealth attack(2)
1. Outdated Outlook version
2. Malicious PowerShell scripts masqueraded as legitimate ones
Types of SQL queries on SCM DB(3)
1. Reconnaissance of schema
2. Direct queries on individuals
3. Bulk queries on patients
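The three query types above are exactly what a database activity monitoring (DAM) solution on the SCM DB would have been tuned to catch (the deck notes later that none was implemented). The block below is an added example for this deck, not code from the COI report, IHiS or any real DAM product: a small rule set that classifies SQL from constructed DAM-style log lines as schema reconnaissance, targeted lookup on an individual, or bulk export, and raises alerts when such queries come from a host that is not an expected DB client (e.g. a Citrix server) or when one session does reconnaissance and then bulk extraction. Table names, column names, hostnames and thresholds are all assumptions.

```python
"""Illustrative DAM rules for the SingHealth SCM DB query patterns.

Added example for this flashcard deck. All table/column names, hosts,
thresholds and log lines are constructed, not taken from the COI report.
"""
import re
from collections import defaultdict

# Constructed: tables holding patient data and the columns that identify a person.
PATIENT_TABLES = {"patient", "patient_visit", "dispensed_med"}
IDENTITY_COLUMNS = {"nric", "patient_id", "patient_name"}
# Catalogue objects whose use from a non-DBA source signals schema reconnaissance.
SCHEMA_OBJECTS = re.compile(
    r"\b(information_schema|sys\.(tables|columns|objects)|sysobjects|syscolumns|sp_help|sp_columns)\b",
    re.IGNORECASE,
)
BULK_ROW_THRESHOLD = 1000          # assumed: more rows than any clinical screen needs
# Constructed: only the SCM application servers should ever talk to the DB.
EXPECTED_DB_CLIENTS = {"scm-app-01", "scm-app-02"}

# Constructed log format: ts|user=..|host=..|rows=..|sql=..
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\|user=(?P<user>[^|]+)\|host=(?P<host>[^|]+)\|rows=(?P<rows>\d+)\|sql=(?P<sql>.*)$"
)

# Constructed sample: an admin account on a Citrix host works through all three
# query types, followed by ordinary application traffic from an app server.
SAMPLE_LOG = [
    "2018-06-27T10:15:01|user=admin1|host=sgh-ctx-03|rows=120|sql=select name from sys.tables",
    "2018-06-27T10:16:40|user=admin1|host=sgh-ctx-03|rows=1|sql=select * from patient where nric = 'S1234567A'",
    "2018-06-27T10:31:09|user=admin1|host=sgh-ctx-03|rows=150000|sql=select patient_id, patient_name, nric from patient",
    "2018-06-27T10:31:15|user=svc_scm|host=scm-app-01|rows=1|sql=select * from patient_visit where visit_id = 8812",
    "2018-06-27T10:31:16|user=svc_scm|host=scm-app-01|rows=3|sql=select drug, qty from dispensed_med where patient_id = 4471",
]


def parse_line(line):
    """Split one DAM log line into a dict; reject anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable DAM log line: {line!r}")
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    return ev


def classify(sql, rows_returned):
    """Map a query to schema_recon / targeted_lookup / bulk_export / normal."""
    s = sql.lower()
    if SCHEMA_OBJECTS.search(s):
        return "schema_recon"
    if not any(re.search(rf"\b{t}\b", s) for t in PATIENT_TABLES):
        return "normal"                       # not touching patient data at all
    where = s.split(" where ", 1)[1] if " where " in s else ""
    if where and any(re.search(rf"\b{c}\b\s*=", where) for c in IDENTITY_COLUMNS):
        return "targeted_lookup"              # pinpointing one person by identity
    if not where or rows_returned >= BULK_ROW_THRESHOLD:
        return "bulk_export"                  # whole-table read or very large result
    return "normal"


def analyse(lines):
    """Classify every line and return (events, alerts).

    Per-line alert: any non-normal query from a host that is not an expected
    DB client. Per-session alert: reconnaissance followed by bulk extraction
    from the same user/host pair, the sequence seen in this breach.
    """
    events, alerts = [], []
    per_session = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_line(line)
        ev["category"] = classify(ev["sql"], ev["rows"])
        events.append(ev)
        per_session[(ev["user"], ev["host"])][ev["category"]] += 1
        if ev["category"] != "normal" and ev["host"] not in EXPECTED_DB_CLIENTS:
            alerts.append(f"{ev['ts']} {ev['category']} from unexpected host "
                          f"{ev['host']} by {ev['user']} ({ev['rows']} rows)")
    for (user, host), counts in per_session.items():
        if counts["schema_recon"] and counts["bulk_export"]:
            alerts.append(f"recon-then-bulk pattern: {user}@{host} "
                          f"({counts['schema_recon']} recon, {counts['bulk_export']} bulk)")
    return events, alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    events, alerts = run_sample()
    for ev in events:
        print(f"{ev['category']:16} {ev['user']}@{ev['host']}: {ev['sql']}")
    print("\n".join(alerts))
```

Note the design choice: a lookup by NRIC from an application server is classified as targeted_lookup but raises no alert, because that is the clinical system's normal business. The signals are the source (a Citrix server querying the DB directly, which the deck lists as a causal factor) and the sequence and volume, which is why the rules key on host and per-session pattern rather than on the query text alone.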
Flow of data out to attacker in SingHealth data breach(4 steps)
- SCM DB server
- Citrix server
- Workstation
- C2 servers
Factors causing SingHealth Cyber attack(5)
- Open network connection between SGH Citrix servers and the SCM DB
- No monitoring of the SCM DB for unusual queries and access; DAM solution not implemented
- SGH Citrix servers could be logged into without 2FA (a known weakness tolerated for convenience); lack of firewalls; no real-time vulnerability analysis
- Internet connectivity in the IT network increased the attack surface, providing an avenue of entry and exit
- Outdated Outlook version
7 Important COI committee recommendations
- Enhanced security structure and readiness
- Cyber stack to be reviewed for adequacy against advanced threats
- Staff need better cybersecurity awareness
- Enhanced security checks: vulnerability assessments, certification of vendor products, penetration testing
- Tighter control and monitoring of privileged admin accounts: 2FA, passphrases, enforced password policies
- Better incident response processes
- Partnerships between industry and govt
Other COI committee recommendations(9)
(pics radur)
- Regular serious risk assessment/audit
- Enhanced safeguards to protect electronic medical records
- Domain controllers better secured
- Robust patch management process
- Software upgrading policy on security
- Internet access strategy limiting exposure
- Better incident response plans
- Improved competence of incident response personnel
- Post breach forensic review of network, endpoints and SCM system
Personal security(4)
- Back up data
- Do not daisy-chain accounts (one account as the recovery for the next)
- Do not reuse the same email prefix across multiple accounts
- Set a recovery address