ATT&CKing the Singapore Health Data Breach

Background

Between August 2017 and July 2018 a suspected APT group gained access to the Singapore Health Services Private Limited (SingHealth) patient database and exfiltrated the personal details of 1.5 million patients, including their names, addresses, genders, races, and dates of birth. Of these, 159,000 patients, including the Prime Minister of Singapore, also had medical data stolen.

On 10 January 2019, a report titled 'Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited’s patient database on or around 27 June 2018' was released, containing detailed information regarding the hack and the subsequent incident response activities.

The report provides a detailed overview of the movements of the attacker throughout the network and the known actions taken by the group to gain entry, move laterally, steal credentials, access the crown jewels and ultimately exfiltrate a significant amount of sensitive data.

An excellent graphical summary is located in the report as follows:

[Image: overview of the breach, as presented in the report]

ATT&CKing the report

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a knowledge base of adversarial techniques. These techniques are organised under a framework of tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command and Control.

By combining the report information and mapping ATT&CK techniques we can observe where the attack could have been identified. We can then apply this to our own networks and ultimately learn from this data breach to strengthen ourselves.

In order to maintain accuracy, I will be quoting directly from the report referenced above and from the ATT&CK knowledge base. Due to the flow of the report and the style of breach, some tactics will be grouped together.


Initial Access & Execution

The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network.

Execution represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained.

Key Report Quotes:

'...while not conclusive, there is some evidence to suggest that the initial intrusion was through a successful phishing attack, which led to malware being installed and executed on the workstation...The publicly available hacking tool was installed on Workstation A on 1 December 2017 by exploiting a vulnerability in the version of Microsoft Outlook...' (p. 54 & 55)

'The tool was thus successfully installed and was used to download malicious files onto Workstation A. Some of these files were masqueraded as .jpg image files, but in fact contained malicious PowerShell scripts, one of which is thought to be a modified PowerShell script taken from an open source post-exploitation tool.' (p. 55)

'With the introduction of the hacking tool and RAT 1 in December 2017, the attacker gained the capability to execute shell scripts remotely, as well as to upload and download files to Workstation A.' (p. 56)

Identified ATT&CK Techniques:

T1193 - Spearphishing Attachment OR T1192 - Spearphishing Link (see update below)
T1078 - Valid Accounts
T1086 - PowerShell
T1204 - User Execution
T1137 - Office Application Startup
T1064 - Scripting

Comment:

Phishing is split into multiple categories in ATT&CK including: Spearphishing Attachment and Spearphishing Link.

ATT&CK states: 'Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.'

The malware noted above has been suggested to exploit CVE-2017-11774 and is assessed to use a publicly available tool, Ruler. Where Ruler fits into the ATT&CK framework is a bit murky because it provides both persistence and the shell. I have included T1137; however, the notes in the ATT&CK knowledge base don't mention this kind of technique.

14/01/2019 UPDATE

The phishing vector has been changed to Valid Accounts. Nick Carr (@itsreallynick) corrected me as follows: 'I also personally don't believe there was any phishing here. Singapore Health report mentioned they couldn't pin down initial infection and assumed it was phish.'

He pointed me to FireEye's blog post detailing their experience with the Ruler exploit:

'FireEye has observed and documented an uptick in several malicious attackers' usage of this specific home page exploitation technique. Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered.'


Persistence

Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system.

Key Report Quotes:

'A variety of custom web shells, tools, and unique malware were used in the attack...Remote Access Trojans, such as the abovementioned RAT 1 and RAT 2, were used to provide the attacker with full control over specific infected systems and to serve as backdoors to re-enter the network.' (p. 93)

'IHiS’ investigations revealed that the attacker had gained administrative privileges and moved across the network to access the Citrix servers. This was an indication that the KRBTGT account could have been compromised.' (p. 192)

Identified ATT&CK Techniques:

T1137 - Office Application Startup
T1078 - Valid Accounts
T1097 - Pass the Ticket

Comment:

The report does not detail any specific persistence mechanisms other than the exploited Outlook vulnerability that allowed the actor to drop further malware and enabled remote access. This malware (unnamed RATs) then simply stole/dumped credentials which allowed them to use valid accounts to move throughout the network.

The KRBTGT account was reset twice, as per standard practice, on the assessment that it had been compromised.


Privilege Escalation & Credential Access

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.

Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts to use within the network.

Key Report Quotes:

'The log file was a remnant file from a known malware which has password dumping capability.' (p. 55)

'Investigations have revealed at least two possibilities of how the attacker obtained the password for the L.A. account...Second, the credentials to the L.A. account were found to be reflected in clear-text on a batch file on Citrix Server 1. It is possible that the attacker had first achieved access to the file system of the Citrix server, and then accessed this file and obtained the credentials.' (p. 59)

'CSA has observed that the attacker could have acquired the credentials to the [service account] account through the malware it used.' (p. 60)

'CSA’s analysis of the SCM application showed that there were signs of insecure coding practices, giving rise to a vulnerability that was likely exploited by the attacker to obtain the credentials to the A.A. account.' (p. 86)

'The FY16 H-Cloud Pen-Test revealed that administrator credentials were found in network shares. A Citrix administrator password was also found in a Windows batch file. The implication of this was that attackers having access to such files, or with physical or network access to shared folders, could read this sensitive information and further use it to perform enhanced focused attacks.' (p. 89)

'The penetration testers uncovered that the Citrix virtualisation environment used was not configured adequately to prevent attackers from breaking out of the virtualisation and into the underlying operating system. Exploiting the vulnerability allowed the penetration testers to access files and execute arbitrary commands. CSA’s hypothesis is that this vulnerability could have been the means by which the attacker gained initial access to the file system of any of the compromised SGH Citrix servers...the vulnerability continued to be exploitable for the SGH Citrix servers at the time of the Cyber Attack' (p. 90 & 91)

Identified ATT&CK Techniques:

T1078 - Valid Accounts
T1081 - Credentials in Files
T1003 - Credential Dumping
T1068 - Exploitation for Privilege Escalation

Comment:

Whether or not the local administrator password was accessed from the batch file is moot as the password was 'P@ssw0rd', which would have been cracked almost immediately.

What is most interesting is that the attackers likely exploited a coding vulnerability to access the so-called AA account. This AA account was the 'last mile' that allowed them to access the medical records.


Defense Evasion

Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses.

Key Report Quotes:

'The Citrix system event log for Citrix Server 1 was also deleted in the evening of 11 June 2018... The deletion was not performed by any IHiS staff. It was presumably done by the attacker to cover its tracks.' (p. 62 & 63)

'The Citrix Team also discovered on 26 June 2018 that the Windows event logs for Citrix Servers 2 and 3 were deleted earlier that afternoon. This was further evidence of malicious activity.' (p. 147)

'...during the incident response, malware samples were given a cybersecurity company to develop malware signatures. The firm’s software was initially unable to detect the samples as being malicious. After CSA shared their initial malware analysis findings with the company, it was able to develop malware signatures in their antivirus solution for mass network-wide scanning.' (p. 93)

'The attacker employed advanced tactics, techniques, and procedures, as seen from the suite of advanced, customised and stealthy malware used...the attacker was conscientious in erasing logs on compromised workstations and servers. Notably, the attacker even re-entered the network after being detected, to erase system and program logs.' (p. 95)

Identified ATT&CK Techniques:

T1070 - Indicator Removal on Host
T1066 - Indicator Removal from Tools

Comment:

ATT&CK notes that, '...adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.'

Regarding the malware, the report notes that it wasn't picked up by the AV. This leads to the hypothesis that the attackers knew what sort of AV was deployed and potentially modified their malware to suit the environment and circumvent AV detection. This in itself is another technique: T1063 - Security Software Discovery.
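Clearing a Windows event log is itself logged: the Eventlog service writes Event ID 1102 (Security) or 104 (System/Application) into the freshly emptied log, and any copy already forwarded survives. The following is an added detection example, not from the report or the post, that flags those events and chains clears that occur within a time window across hosts, the pattern described for Citrix Servers 2 and 3. The JSON-lines records and their field names are constructed; the Citrix product's own logs are a separate source and not covered here.

```python
"""Detect Windows event-log clearing (ATT&CK T1070) and correlate it across hosts.
Added example; event records and field names are constructed, not from the report."""
import json
from datetime import datetime, timedelta
from typing import Dict, List
# Event IDs the Eventlog service writes into the freshly emptied log when it is cleared.
LOG_CLEARED = {1102: "Security", 104: "System/Application"}

# Constructed JSON-lines sample as a log forwarder might emit it (field names assumed).
SAMPLE_EVENTS = r"""
{"time": "2018-06-26T13:40:02", "host": "CITRIX2", "event_id": 4624, "user": "SGH\\ctxadmin"}
{"time": "2018-06-26T14:02:11", "host": "CITRIX2", "event_id": 1102, "user": "SGH\\ctxadmin"}
{"time": "2018-06-26T14:03:40", "host": "CITRIX2", "event_id": 104, "user": "SGH\\ctxadmin"}
{"time": "2018-06-26T14:25:09", "host": "CITRIX3", "event_id": 1102, "user": "SGH\\ctxadmin"}
{"time": "2018-06-27T09:15:30", "host": "CITRIX1", "event_id": 104, "user": "SGH\\ctxadmin"}
"""

def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events

def find_log_clears(events: List[Dict]) -> List[Dict]:
    """Every clear is worth a ticket: the report notes no IHiS staff performed them."""
    return [e for e in events if e["event_id"] in LOG_CLEARED]

def correlate_clears(clears: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Chain clears that fall within `window` of the previous one; a chain that spans
    several hosts is the Citrix Servers 2 and 3 pattern (same afternoon, several servers)."""
    chains: List[Dict] = []
    for e in sorted(clears, key=lambda x: x["time"]):
        if chains and e["time"] - chains[-1]["last"] <= window:
            chains[-1]["last"] = e["time"]
            chains[-1]["hosts"].add(e["host"])
        else:
            chains.append({"first": e["time"], "last": e["time"], "hosts": {e["host"]}})
    return chains

def alerts(events: List[Dict], window: timedelta = timedelta(hours=1)) -> List[str]:
    clears = find_log_clears(events)
    out = [f"{e['time']} {e['host']}: {LOG_CLEARED[e['event_id']]} log cleared by {e['user']}" for e in clears]
    for c in correlate_clears(clears, window):
        if len(c["hosts"]) > 1:
            hosts = ", ".join(sorted(c["hosts"]))
            out.append(f"CRITICAL: logs cleared on {hosts} between {c['first']} and {c['last']}")
    return out
```

Because the clear event lands in the emptied log and in whatever was already forwarded, central collection is what makes this check survive the attacker's later erasure of local logs.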


Discovery & Lateral Movement

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.

Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network.

Key Report Quotes:

'Evidence of the attacker’s lateral movements was found in the proliferation of malware across a number of endpoints and servers...There was also evidence of PowerShell commands used by the attacker to distribute malware to infect other machines, and of malicious files being copied between machines over mapped network drives. These were clear indicators that the attacker had moved laterally around the network.' (p. 57)

The '...reconstruction of events show that the attacker had moved laterally using RDP to remotely access multiple SGH Citrix servers. This was done from compromised workstations and suspected virtual machines, and by using compromised user credentials.' (p. 77)

Identified ATT&CK Techniques:

T1105 - Remote File Copy
T1086 - PowerShell
T1076 - Remote Desktop Protocol

Comment:

While not specific, the report describes activity matching 'Remote File Copy' and 'PowerShell', two techniques noted in ATT&CK. In regards to Remote File Copy, '[a]dversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares...'

In regards to RDP, ATT&CK notes, '[a]dversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.'


Collection, Exfiltration & Command and Control

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.

Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network.

Command and Control represents how adversaries communicate with systems under their control within a target network.

Key Report Quotes:

'From 27 June to 4 July 2018, the data was exfiltrated by the attacker via Workstation A to the attacker’s C2 servers...' (p. 68)

'...the C2 servers were used for...Infection: where the server is used as a means of dropping malware into the system it is trying to infect...Data exfiltration: there were indications of technical data (and not medical records) being sent to the servers and...Beacon: infected machines may have connected to C2 servers to establish a ‘heartbeat’' (p. 94)

Identified ATT&CK Techniques:

T1074 - Data Staged
T1041 - Exfiltration Over Command and Control Channel

Comment:

The report is a bit thin on the more sensitive parts, including the C2 infrastructure. ATT&CK notes in T1041, 'Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.' The report does not state whether the protocol and encoding were the same for the C2 commands and the exfiltration.


Summary

A total of 16 ATT&CK techniques were identified from a (non-comprehensive) review of the report.

T1193 - Spearphishing Attachment (unlikely - see update above)
T1192 - Spearphishing Link (unlikely - see update above)
T1086 - PowerShell
T1204 - User Execution
T1137 - Office Application Startup
T1064 - Scripting
T1078 - Valid Accounts
T1097 - Pass the Ticket
T1081 - Credentials in Files
T1003 - Credential Dumping
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1066 - Indicator Removal from Tools
T1076 - Remote Desktop Protocol
T1074 - Data Staged
T1041 - Exfiltration Over Command and Control Channel

So how can this be used? Well, the best place to start is with experts. I'd recommend watching the following presentation by Steve Motts and Christian Kopacsi, which explains why ATT&CK is so important and how to strengthen your defence by using ATT&CK:

[Video: presentation by Steve Motts and Christian Kopacsi]

Following that, some useful links and information are referenced at SneakyMonkey's Blue Team Tips here.

Final Caveat

The report is 425 pages, and presumably doesn't cover all the information. I've probably skipped some important bits. However, that's not the main purpose of this post (although the breach itself is very interesting). What is important is that there are at least 16 identified ATT&CK techniques from this breach alone. So while these reports are interesting, don't dismiss them as not relevant to your environment - using the ATT&CK knowledge base means that we can learn from these real-world examples.

As usual, if you have any comments, corrections or issues, drop me a line at matt@bitofhex.com or via Twitter at @mattnotmax. Thanks for reading!