https://www.trustwave.com/Resources...-the-SingHealth-Breach/#.W1vpVW0ZVmQ.linkedin
https://pastebin.com/1YFYJEzq
New Indicators Suggest Penetration Vectors and Earlier Dates for the SingHealth Breach
July 28, 2018
Posted By SpiderLabs
The Trustwave SpiderLabs team has found additional information that we believe may be associated with the recent SingHealth breach. You can read a summary of the breach in a previous post, but as a quick summary, Singaporean authorities announced on July 20th 2018 that the country's largest healthcare group, SingHealth, was compromised. The breach resulted in the loss of about 1.5 million patients' records which included information such as name, NRIC number, address, gender, race and date of birth. About 160,000 of these patients also had their outpatient prescriptions records stolen. According to the official account, the compromise persisted from between June 27 to July 4, 2018, but this information we discovered and explore here suggests that at least some reconnaissance and potentially access was established a few weeks earlier than that, maybe as early as June 9th.
Following the breach in SingHealth, we conducted some research which found some additional fragments of evidence which may be associated with this compromise. Our team discovered two separate Pastebin posts that appear to represent database access to SingHealth. One listed an exception log from a Java server while the other represented SQL queries..
May 24th, 2018
A Java exception trace was posted to Pastebin on May 24th, 2018 and several things stood out with this specific post.
The query was for delegating access to a database in SingHealth Headquarters (SHHQ) (see Fig 1). It attempts to delegate database control access from a Senior Manager in the Medical Technology Office of Singapore Health Services (see Fig 2) to an employee of a large Singaporean IT contractor, CTC (see Fig 3). The name of the IT contractor matches a LinkedIn account of an IT analyst that may work for a subcontractor for CTC (see Fig 4). It could be that the attacker had already compromised and controlled this contractor's user account and was able to use it to manipulate the SingHealth database.
The delegation request was set for the dates June 9 until June 17 this year. Employee names have been obscured in the pictures below to protect victim identities.
Figure 1: A portion of the Pastebin Java exception log
Figure 2: Contact information for the email referenced in the log
Figure 3: CTC Singaporean IT consultants
Figure 4: Potential IT contractor for CTC
You can also see in the request that the contact numbers have been faked and read "97865432" for both parties. This is just two swapped digits from a "98765432" countdown perhaps to avoid filtering for commonly faked fields.
Other parts of the same exception log indicated that the attackers were targeting the "portaldev" database. It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target. Finally, you can also see that the error listed in this log was that the 'delegatorID" was set to NULL (See Fig 5). Despite the large number of parameters listed, this was the only error. This show the sophistication and skill of whomever uploaded the log and if this was the only error they ran into, it was easily addressed.
Figure 5: A portion of the Pastebin Java exception log
Here is a more complete section of the exception log for those that want to follow the parameters.
Figure 6: More complete section of the exception log
June 15th, 2018
Our team also discovered some SQL queries on Pastebin uploaded on June 15th. This date sits in the middle of the period set in the May 24th delegation request (June 9 until June 17) and also contains information related to SingHealth.
Figure 7: A portion of the Pastebin SQL queries uploaded on June 15th
The queries reference not just SingHealth but also NHG – The Singaporean National Healthcare Group. You can also see in the query above that they are looking to eliminate returning records associated with "Dental Surgery" (WHERE `Sub-Specialty` <> "Dental Surgery") while including specifically records that allow "Direct Access" and "Direct Admit" (`Ref. Type`IN ("Direct Access P", "Direct Admit P")). This would make sense for someone looking for more sensitive information than you might get from dental patients, while focusing on patients that are given direct access or admittance, which might be reserved for high profile patients that are permitted to "skip the line".
In addition, the class types referenced in the portion of the query that reads "Class IN ("A", "AP", "ARF", "B1", "B1P", "B1RF", "B2RF", "CRF", "NR", "PTE", "PTEP", "PTRF")" references valid medical class types (see Fig 5). Two queries listed in the Paste separate the records between "Private" client classes and "Subsidized" perhaps to further focus on potentially high profile cases.
Figure 8: Table of medical class types taken from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5427184/
Finally, this query was recently removed from Pastebin, which would match with someone trying to cover their tracks.
Figure 9: This Pastebin post is no longer available
Now it's fair to say that these sorts of things are commonly posted to Pastebin as developers often share error logs and queries with each other for troubleshooting purposes, so we can't know for sure who uploaded this content to Pastebin or why. However there are three likely scenarios.
The first is that the attackers themselves uploaded the queries in order to share the code with collaborators for troubleshooting purposes.
The second scenario is that an internal developer uploaded the data as they discovered the breach in their exception logs and proceeded to share the information for troubleshooting.
The third scenario is that it has nothing at all to do with the compromise and was simply exception logs uploaded by an internal developer for their own troubleshooting purposes. If this were the case, it is still interesting due to the close timing to the actual breach. If attackers were looking for a way into SingHealth or NHG, stumbling upon this random Pastebin post would be a goldmine of information.
So while we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious. Within less than two months prior to and during the official attack window, we have identified the following:
Credit: Thanks to Nikita Kazymirskyi, Anat Davidi, Ziv Mador, Karl Sigler, Brian Hussey, and Jeremy Batterman for their contributions to this research and post.
Tags: Incident Response, Security Research
https://pastebin.com/1YFYJEzq
New Indicators Suggest Penetration Vectors and Earlier Dates for the SingHealth Breach
July 28, 2018
Posted By SpiderLabs
The Trustwave SpiderLabs team has found additional information that we believe may be associated with the recent SingHealth breach. You can read a summary of the breach in a previous post, but as a quick summary, Singaporean authorities announced on July 20th 2018 that the country's largest healthcare group, SingHealth, was compromised. The breach resulted in the loss of about 1.5 million patients' records which included information such as name, NRIC number, address, gender, race and date of birth. About 160,000 of these patients also had their outpatient prescriptions records stolen. According to the official account, the compromise persisted from between June 27 to July 4, 2018, but this information we discovered and explore here suggests that at least some reconnaissance and potentially access was established a few weeks earlier than that, maybe as early as June 9th.
Following the breach in SingHealth, we conducted some research which found some additional fragments of evidence which may be associated with this compromise. Our team discovered two separate Pastebin posts that appear to represent database access to SingHealth. One listed an exception log from a Java server while the other represented SQL queries..
May 24th, 2018
A Java exception trace was posted to Pastebin on May 24th, 2018 and several things stood out with this specific post.
The query was for delegating access to a database in SingHealth Headquarters (SHHQ) (see Fig 1). It attempts to delegate database control access from a Senior Manager in the Medical Technology Office of Singapore Health Services (see Fig 2) to an employee of a large Singaporean IT contractor, CTC (see Fig 3). The name of the IT contractor matches a LinkedIn account of an IT analyst that may work for a subcontractor for CTC (see Fig 4). It could be that the attacker had already compromised and controlled this contractor's user account and was able to use it to manipulate the SingHealth database.
The delegation request was set for the dates June 9 until June 17 this year. Employee names have been obscured in the pictures below to protect victim identities.
Figure 1: A portion of the Pastebin Java exception log
Figure 2: Contact information for the email referenced in the log
Figure 3: CTC Singaporean IT consultants
Figure 4: Potential IT contractor for CTC
You can also see in the request that the contact numbers have been faked and read "97865432" for both parties. This is just two swapped digits from a "98765432" countdown perhaps to avoid filtering for commonly faked fields.
Other parts of the same exception log indicated that the attackers were targeting the "portaldev" database. It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target. Finally, you can also see that the error listed in this log was that the 'delegatorID" was set to NULL (See Fig 5). Despite the large number of parameters listed, this was the only error. This show the sophistication and skill of whomever uploaded the log and if this was the only error they ran into, it was easily addressed.
Figure 5: A portion of the Pastebin Java exception log
Here is a more complete section of the exception log for those that want to follow the parameters.
Figure 6: More complete section of the exception log
June 15th, 2018
Our team also discovered some SQL queries on Pastebin uploaded on June 15th. This date sits in the middle of the period set in the May 24th delegation request (June 9 until June 17) and also contains information related to SingHealth.
Figure 7: A portion of the Pastebin SQL queries uploaded on June 15th
The queries reference not just SingHealth but also NHG – The Singaporean National Healthcare Group. You can also see in the query above that they are looking to eliminate returning records associated with "Dental Surgery" (WHERE `Sub-Specialty` <> "Dental Surgery") while including specifically records that allow "Direct Access" and "Direct Admit" (`Ref. Type`IN ("Direct Access P", "Direct Admit P")). This would make sense for someone looking for more sensitive information than you might get from dental patients, while focusing on patients that are given direct access or admittance, which might be reserved for high profile patients that are permitted to "skip the line".
In addition, the class types referenced in the portion of the query that reads "Class IN ("A", "AP", "ARF", "B1", "B1P", "B1RF", "B2RF", "CRF", "NR", "PTE", "PTEP", "PTRF")" references valid medical class types (see Fig 5). Two queries listed in the Paste separate the records between "Private" client classes and "Subsidized" perhaps to further focus on potentially high profile cases.
Figure 8: Table of medical class types taken from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5427184/
Finally, this query was recently removed from Pastebin, which would match with someone trying to cover their tracks.
Figure 9: This Pastebin post is no longer available
Now it's fair to say that these sorts of things are commonly posted to Pastebin as developers often share error logs and queries with each other for troubleshooting purposes, so we can't know for sure who uploaded this content to Pastebin or why. However there are three likely scenarios.
The first is that the attackers themselves uploaded the queries in order to share the code with collaborators for troubleshooting purposes.
The second scenario is that an internal developer uploaded the data as they discovered the breach in their exception logs and proceeded to share the information for troubleshooting.
The third scenario is that it has nothing at all to do with the compromise and was simply exception logs uploaded by an internal developer for their own troubleshooting purposes. If this were the case, it is still interesting due to the close timing to the actual breach. If attackers were looking for a way into SingHealth or NHG, stumbling upon this random Pastebin post would be a goldmine of information.
So while we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious. Within less than two months prior to and during the official attack window, we have identified the following:
- Java exception logs indicating that an unknown suspect was attempting to delegate access (provide elevated privileges to a new user) to a SingHealth database.
- SQL queries targeting medical data on SingHealth were identified (although already deleted) on Pastebin.
Credit: Thanks to Nikita Kazymirskyi, Anat Davidi, Ziv Mador, Karl Sigler, Brian Hussey, and Jeremy Batterman for their contributions to this research and post.
Tags: Incident Response, Security Research
