On January 10th, 2019, the Committee of Inquiry (COI) published its public report detailing the now-infamous SingHealth hack incident.

This 453-page report is already a difficult read for most security practitioners and, as long and exhaustive as it looks, the most determined readers amongst us might still feel unsatisfied by its lack of detail on some of the attack’s critical steps.

We provide here, in layman’s terms, a description of the incident. We also try to bridge the information gaps to give a clearer picture of the attackers’ moves. While these deductions are not proven, cyber-criminals’ modus operandi are predictable enough to consider them probable.

We will follow up on this article in the coming days to provide an analysis of what organizations can do to prevent this disaster from happening in the first place. And, in the unfortunate case that it may be too late, we will also discuss the most common options with regard to remediation steps and discuss whether they seem appropriate or not.

What happened

While the aftermath of the attack is still uncertain, its sheer size alone is enough to cause considerable anxiety among Singapore’s citizens: 1.5 million personal records, plus the prescription details of 160,000 patients, including those of Prime Minister Lee Hsien Loong, have leaked to an unknown criminal.

As for attribution, the COI seems convinced the perpetrators are state-sponsored operators. As a matter of fact, some of the attack techniques used, as well as the persistent approach taken, clearly set the attackers apart from the usual crowd of low-tech, hit-and-run hackers.

Considering potential targets, and although millions of records have effectively leaked, it seems probable that this operation specifically targeted the private medical records of Prime Minister Lee Hsien Loong. It should be noted that the Prime Minister’s Office publicly released a statement in 2015 on PM Lee Hsien Loong being diagnosed with prostate cancer. Whether the attackers were looking for embarrassing details to be used as leverage is unknown but cannot be excluded.

After their initial reconnaissance, on which we naturally have no information, the operatives sent booby-trapped emails to SingHealth employees. The trap consisted of a malicious attachment capable of exploiting a known Outlook vulnerability. When opened, the attachment dropped a rogue program on the victims’ systems, effectively giving the attackers full control over the targeted computers.

There is not much to be said on this initial approach. While all organizations constantly do their best to detect those patient-zero infections, this will remain a cat-and-mouse game for the foreseeable future and SingHealth is not to be blamed for suffering such a breach, particularly considering the nature of its opponent.

Hardly harmful in itself, this initial foothold was meant to give the attackers the ability to explore SingHealth’s IT infrastructure from within. And as with the vast majority of sophisticated attacks, the actual IT target of the hackers was SingHealth’s Active Directory infrastructure. Owning the victim’s AD invariably marks the end of the game: with full control over all IT resources, there is not much an attacker cannot access.

In the SingHealth case, it is not entirely clear how the Active Directory was compromised. However, considering common industry practices and the details provided in the report, we can safely assume they followed one of the following two courses of action:

They managed to get local administrator privileges on the workstation they had compromised and then dumped the local password hashes, amongst them those of a local Windows administrator account. They could then have used these credentials to propagate to other machines sharing the same local accounts and passwords (the so-called “master effect”). This would imply that network authentication for local accounts was not disabled, which is a known security weakness. Eventually they might have ended up on a computer holding the credentials of a privileged user such as a domain administrator, thus gaining effective control over the whole Active Directory.

They used the compromised user’s own credentials (presumably unprivileged) to propagate but could not elevate privileges with them. As the report suggests, though, they might have used weak passwords or clear-text passwords found in network shares to authenticate directly into more privileged accounts, which is of course a serious vulnerability in itself. Re-using those accounts, they might have ended up on a computer holding the credentials of a privileged user such as a domain administrator, thus gaining effective control over the whole Active Directory.
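The first scenario above relies on a precondition a defender can verify directly: that local accounts are still allowed to log on over the network. The following PowerShell audit is an added example, not code from the article or the COI report; it assumes an elevated session on the Windows host being checked and relies only on the built-in registry policy value and the secedit user-rights export.

```powershell
# Added example (not from the article): audit whether this host still permits
# network logons with local accounts, the condition that lets a shared local
# administrator password be reused from machine to machine ("master effect").
# Assumption: run from an elevated PowerShell session on the host being audited.

function Test-LocalAccountNetworkLogon {
    $findings = @()

    # Check 1: UAC remote restrictions. When LocalAccountTokenFilterPolicy = 1,
    # a local administrator connecting over the network receives a full,
    # unfiltered admin token instead of a filtered one.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $regPath -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
    if ($item -and $item.LocalAccountTokenFilterPolicy -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: remote logons with local admin accounts get a full admin token.'
    }

    # Check 2: User Rights Assignment. The well-known SIDs S-1-5-113 ("Local account")
    # and S-1-5-114 ("Local account and member of Administrators group") should appear
    # under SeDenyNetworkLogonRight ("Deny access to this computer from the network").
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg -ErrorAction SilentlyContinue | Where-Object { $_ -match '^SeDenyNetworkLogonRight' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    # The export lists SIDs as "*S-1-5-113,*S-1-5-114" after the equals sign.
    $denied = @()
    if ($line) { $denied = ($line -split '=')[1] -split ',' | ForEach-Object { $_.Trim() } }
    if (-not (($denied -contains '*S-1-5-113') -or ($denied -contains '*S-1-5-114'))) {
        $findings += 'SeDenyNetworkLogonRight lacks S-1-5-113/S-1-5-114: local accounts may still log on over the network.'
    }

    return $findings
}

$result = Test-LocalAccountNetworkLogon
if (-not $result) {
    Write-Output 'OK: network logon with local accounts is blocked on this host.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Both checks only close the network path; the shared password itself remains, so a per-host random local administrator password (for instance via Microsoft LAPS) is the complementary control.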

The rest of the attack simply consisted of using legitimate accounts to query databases and scout resources, as you would on your own systems, until they found what they were looking for.


From Active Directory, with love

This attack once again sheds a somber light on the state of insecurity of Active Directory infrastructures. There is no doubt that the AD was the primary IT target of the attackers.

In this respect, the SingHealth incident is only the latest sorry example in a long list of operations that became truly successful when, and only when, they gained access to their victim’s Active Directory: Aurora, Target, Sony, Carbanak, NotPetya, the list goes on.

Active Directory infrastructures remain the nexus of everything that matters electronically in organizations, yet they are still dangerously ignored by security operators. In their defense, the size, complexity and volatility of a given AD make it a singular security challenge. Still, it remains very concerning to witness how much our industry underestimates the risk this poses to overall security.

In our next article, we will provide an analysis of what organizations can do to prevent this type of disaster in the first place, notably regarding the protection and monitoring of their AD infrastructure. We will constructively criticize the most common security practices for Active Directory and will review potential remediation approaches for those organizations that are in the unfortunate position of having to recover from such an incident.