
Posted
1 hour ago, Guest Guest said:

A foreign country launched an attack.....and you want ppl 2 resign...wow your anti govt knows no limit...

 

When the COI convenes, heads will roll. For once, chop off the big head, instead of always targeting the small flies.

Don't read and respond to guests' posts

Guest Conspiracy Theorist
Posted

Why does everyone assume it is foreign?

Posted

Because of how sophisticated it is and how entrenched Singapore is globally.

4 minutes ago, Ben Ben Ben said:

Could be local hackers too 

 

13 minutes ago, Guest Conspiracy Theorist said:

Why does everyone assume it is foreign?

Tech Reviewer on Rhyn Reviews and YouTube: https://youtube.com/rhynreviews.

Posted
45 minutes ago, Rhyn said:

Hey all! I'd like to add to this conversation (speculatively) about the situation and how serious it is, while also dishing out some advice on what you can do if you are one of the unlucky people affected by the situation. I also firmly believe that no one should be fired for this situation, as it is akin to firing the whole security company because an Ocean's Eleven-style attack occurred on a multi-million-dollar bank heist.

 

I'm rather invested in the tech industry, and from my preliminary analysis of the situation, there are some indisputable notions that we can draw based on the information presented by the authorities relevant to the case.

 

The one pertinent point about this attack is that it is specifically targeted at the Prime Minister to gather information about him. The attack was meticulously designed and crafted to extract personal data in an attempt to compromise the PM. With this in mind, the attackers are already aware that the security levels within Singapore are pretty air-tight.

 

Need evidence? If you've served in National Service, you should have come across two different sets of networked computer systems in the army. They are air-gapped (which means completely separated from each other): Internet- and intranet-connected systems that cannot communicate with each other. You need a USB drive to transfer data, as even simple emails cannot be sent between these two systems. Also, even plugging in a simple USB drive needs authorisation from somebody with sufficient rank. This is indirect evidence that Singapore takes the security of data very seriously. If I recall correctly, a foreign entity tried to access the army's databases. I won't be surprised if the attackers are somewhat connected to this incident as well.

 

If you need more convincing, we only need to look at the basic infrastructure of SingPass. A few years ago, it mandated that everyone, including elderly people who are technically challenged and have precious information that they need to access when they have health-related issues or otherwise, had to adopt the 2FA login process; something I find tedious myself at times.

 

So I've just covered the emphasis Singapore has placed on data, and we can now safely assume that government data in army or public domains should have ample and adequate safety in place. Which brings me to my next point: who would target the PM?

 

This should be state-sponsored hacking, which means two things: one, it is politically motivated. Two, there is pre-planning involved to coordinate this attack successfully. Money, possibly huge sums of it, is required to sustain such an attack.

 

To increase the odds of success, the attackers had to understand how SingPass works, both physically and virtually. There were reports that the front-end of the system was compromised, which might mean that, virtually, the attackers might have either successfully probed holes, or created holes, in the login system. It is very likely at this juncture that an attacker has or had physical access to the databases that house all this information as well, whether as an insider or an outsider penetrating the security in place (look up social hacking; it is an aspect often overlooked when people talk about hacking).

 

If they have successfully gained some level of access into the systems, the internal security structure, if robust enough for detection, would pick up such an attack. Which it did! The IT technicians monitoring noticed suspicious and unusual activity and immediately shut down access to prevent additional data from being leaked. Furthermore, there was an indication that the attackers were so careful they even covered their digital footprints to try and make it look like no one had illegally accessed SingPass's data.

 

So with all this information at hand, we can safely deduce some of the likely countries involved in this data heist. I'd speculate further, but I have insufficient information at hand.

In no particular order, as any of these countries are capable, have money and have their own political reasons...

 

1. America

2. Iranian regions

3. Russia

4. China

5. North Korea

 

These countries have had an extensive history of cyber warfare, constantly hacking each other in an attempt to one-up the other through valuable, government-sensitive information. Singapore also has ties to these countries, but I'm not aware of any of these countries having bad blood with Singapore, maybe besides North Korea, as their...uh...beloved president did visit Singapore a few months ago.

 

What if your information is accessed?

 

Well, unless you're the PM, you should have nothing to worry about, except expecting scams like fake distress calls asking for your money because they kidnapped your son and demand a ransom to be placed under the void deck chairs. Check whether your data was accessed here: https://datacheck.singhealth.com.sg. If it was, be on the alert that you might receive suspicious messages or emails from people who are taking advantage of this situation. The best thing to do is not to reply to any of these scams.

 

Tech Reviewer on Rhyn Reviews and YouTube: https://youtube.com/rhynreviews.

Posted
5 hours ago, shyc said:

If you are concerned, you can check from:

https://datacheck.singhealth.com.sg/

 

or log on to the Health Buddy App.

 

Their messages are quite generic, so nothing much. You may also read this: https://www.channelnewsasia.com/news/singapore/how-to-know-if-the-sms-you-received-was-from-singhealth-10552792

Just be on alert if you suddenly get calls for financial details or credit card numbers etc.

 

When personal information such as name, NRIC, home address and date of birth is compromised, it is very easy for crooks to impersonate you. For example, someone may impersonate you by calling your telco hotlines to access your mobile plan, make changes, apply for an additional line or simply change your billing address.

Don't read and respond to guests' posts

Posted
1 hour ago, LeanMature said:

 

When personal information such as name, NRIC, home address and date of birth is compromised, it is very easy for crooks to impersonate you. For example, someone may impersonate you by calling your telco hotlines to access your mobile plan, make changes, apply for an additional line or simply change your billing address.

The 1.5 million dollar question is: who are the hackers?

Guest Calvin Cheng
Posted
11 hours ago, Ben Ben Ben said:

The 1.5 million dollar question is: who are the hackers?

Quote

To the critics of Singapore's cyber security: did you know that the UN ranks Singapore number 1 in the world in cyber security? ( https://www.reuters.com/…/u-n-survey-finds-cybersecurity-ga… )

We are already taking it very seriously, and investing a lot of resources into it. You think you can do better? What's better than number 1?

Which is why experts say only a nation-state has the ability to hack our national systems. And only a handful - Russia, China, Israel, US - can do it.

So it is like our SAF. We are one of the best regionally, if not in the world. But if China or Russia decides to attack us, how do you think we will fare?

Do you then think that is a reason to criticise the Government for not doing enough in military defence?

UYB please.

Guest Guest
Posted

The cheebye mouth Calvin Cheng barks again...

Posted
14 hours ago, LeanMature said:

 

When personal information such as name, NRIC, home address and date of birth is compromised, it is very easy for crooks to impersonate you. For example, someone may impersonate you by calling your telco hotlines to access your mobile plan, make changes, apply for an additional line or simply change your billing address.

 

They can also con the less educated members of your family with your info ... remember the kidnapping scam?

Just be more alert these few months or years ...

Posted
5 minutes ago, Vometra said:

 

They can also con the less educated members of your family with your info ... remember the kidnapping scam?

Just be more alert these few months or years ...

 

And calling your bank helplines to request that a paper credit card statement be sent to a different billing address. Scary.

Don't read and respond to guests' posts

  • 1 year later...
Guest update
Posted

Massive SingHealth Data Breach Caused by Lack of Basic Security

The lessons learned from Singapore’s breach serve as a reality check to U.S. health organizations still failing to educate users, apply patches, and other common security methods.

January 10, 2019 - Singapore’s July 2018 personal data breach of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, was caused by bad system management, a lack of employee training, and other major flaws, according to the 454-page report released today by the investigation committee.

The committee was formed shortly after the 2018 breach, which included the personal information of patients, along with the medical data of about 160,000 patients. They held 22 hearings shortly after, which revealed the breach went on about a year between August 2017 and July 2018.

Among the host of SingHealth failures, the committee found Integrated Health Information System (IHIS), the IT agency responsible for the public health system’s IT and security, lacked adequate cybersecurity awareness, resources, and training to properly respond to the cyberattack.

This was highlighted by their inaction when they properly identified suspicious activity around login attempts on its database, but failed to categorize the attempts as a cyberattack. Further, SingHealth lacked an incident reporting framework, and staff were unfamiliar with security policies, which meant they were unaware that the issue needed to be reported to Singapore’s Cyber Security Agency.

But employee training was not the only issue: the report found weaknesses, flaws, and misconfiguration issues throughout the network that allowed the hackers to successfully breach the system and exfiltrate data.

In fact, the cyberattackers gained access through a significant coding vulnerability in the connection between the Citrix servers at a public general hospital and its Service Control Manager (SCM) database. While the connectivity was used to make database queries and maintained for administrative tool and custom application support, the committee found it to be unnecessary. Not only that but, according to the report, “the SGH Citrix servers were not adequately secured against unauthorized access.”

“Notably, the process requiring two-factor authentication for administrator access was not enforced as the exclusive means of logging in as an administrator,” the report authors wrote. “This allowed the attacker to access the server through other routes that did not require 2FA.”

What’s worse is that a number of these vulnerabilities were found during a 2017 pen test, such as weak administrator account passwords, and a need for network segmentation, but “the remediation process undertaken by IHIS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the cyberattack.”

Notable Recommendations

Among the list of recommendations, officials noted the need for partnerships across the private sector and the government to enhance threat intelligence sharing and achieve a higher level of collective security.

Security Structure and Readiness: SingHealth’s IT team and all of its public health facilities need to adopt an enhanced security structure and readiness. Most notably, organizations should employ a defense-in-depth strategy, along with policies and procedures to address security gaps.

Security must be seen as a risk management issue, not just a tech problem, with the managers across the organization working together to “balance the tradeoffs between security, operational requirements, and cost.”

Review Cyber Stack

Officials need to review the cyber stack to determine if it’s adequate to defend and respond to advanced, persistent threats. This can be accomplished by mapping layers of the IT stack against current security tools.

Current gaps can be addressed by acquiring endpoint and network forensics capabilities, along with a review of the effectiveness of current endpoint security measures to secure those flaws.

Security Checks

Vulnerability assessments must be conducted regularly, along with safety reviews, evaluations, and certifications of vendor products. Further, pen testing, red teaming, and threat hunting must be considered.

Staff Education

Like many U.S. health organizations, the report authors noted that “the level of cyber hygiene among users must continue to be improved.”

“IT staff must be equipped with sufficient knowledge to recognize the signs of a security incident in a real-world context,” the report authors wrote.

Access Control Management

Officials recommended the use of two-factor authentication for performing administrator tasks, as well as the use of passphrases instead of passwords “to reduce the risk of account being compromised.”

“An inventory of administrative accounts should be created to facilitate rationalization of such accounts,” the report authors wrote. “Password policies must be implemented and enforced across both domain and local accounts.”

“Server local administrator accounts must be centrally managed across the IT network,” they added. “Service accounts with high privileges must be managed and controlled.”
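The report's finding that 2FA existed for administrators but was not enforced as the exclusive login route is the kind of gap a log review can surface. The following is an added example, not code from the COI report, IHIS or this article: it runs over a few constructed authentication log lines (the hostnames, users and field names are invented for the example) and flags successful privileged logins that completed without MFA, grouped by the route that admitted them.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines, not from any real system or from the report.
# Fields: timestamp, then key=value pairs describing one login attempt.
SAMPLE_LOG = """\
2018-06-11T02:14:07Z host=sgh-ctx01 user=ctxadmin role=admin method=citrix_portal mfa=passed result=success
2018-06-11T02:16:40Z host=sgh-ctx01 user=ctxadmin role=admin method=rdp mfa=none result=success
2018-06-11T02:20:12Z host=sgh-ctx02 user=svc_backup role=service method=local_console mfa=none result=success
2018-06-11T02:21:03Z host=sgh-ctx02 user=jlim role=user method=citrix_portal mfa=none result=success
2018-06-11T02:25:55Z host=sgh-ctx01 user=ctxadmin role=admin method=ssh mfa=none result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    method: str
    reason: str


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def find_mfa_bypass(log_text, privileged_roles=("admin", "service")):
    """Flag successful logins by privileged accounts where MFA was not passed.

    A portal that demands 2FA is not enough if RDP, SSH or a local console
    still admit the same account on a password alone; every route counts.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("result") != "success":
            continue
        if ev.get("role") in privileged_roles and ev.get("mfa") != "passed":
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["method"],
                                    f"privileged login via {ev['method']} without MFA"))
    return findings


def methods_bypassing_mfa(log_text):
    """Which login routes admitted privileged users without MFA (sorted)."""
    return sorted({f.method for f in find_mfa_bypass(log_text)})
```

The routes this returns are the ones that must be closed or placed behind the same 2FA gate; failed attempts are ignored here on purpose, since the point is which routes actually admitted a privileged account.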

 

Guest update
Posted

Hacker group behind SingHealth data breach identified, targeted mainly Singapore firms

Hackers that compromised the data of 1.5 million healthcare patients have been identified as a group that launched attacks against several organisations based in Singapore, including multinational firms with operations in the country, and is likely part of a larger operation targeting other countries and regions.

Hackers that compromised the data of 1.5 million SingHealth patients have been identified as a group that launched attacks against several businesses based in Singapore, including multinational companies with operations in the city-state. Dubbed Whitefly, the group had attacked organisations in healthcare, media, telecommunications, and engineering, and is likely to be part of a larger operation targeting other nations, according to a report by Symantec. 

The cybersecurity vendor said it had begun investigating the SingHealth attack since July 2018 and determined, over the course of the investigation, that a previously unknown group was responsible and had also launched other attacks. Operating since at least 2017, the group mainly targeted organisations in Singapore across various sectors and was primarily focused on stealing large volumes of sensitive data. 

 

Asked why the group had its eye on Singapore, Dick O'Brien, a researcher at Symantec's Security Response division told ZDNet that its sponsor likely had other teams targeting other countries and regions and it was possible Whitefly was part of a broader intelligence gathering operation in the region. Links with attacks in other regions with the use of similar attack tools posed the possibility that this was the case.

O'Brien was not able to reveal the number of organisations affected by the group's attacks, adding that the vendor's research was still ongoing. 

He did say, though, that the attack tool used by Whitefly also was tapped to launch attacks against companies in the defence, telecommunications, and energy sectors operating in Southeast Asia and Russia. However, Whitefly's involvement currently could only be confirmed in attacks that occurred in Singapore. 

The Singapore government revealed in January that it was able to identify the hackers responsible for the SingHealth attack, and had taken appropriate action, but would not reveal the identity of these perpetrators for "national security reasons" and that it was "not in our interest to make a public attribution".

 

Hacker group aims to stick around in stealth mode

The Symantec report, released late Wednesday, revealed that Whitefly compromised its targets using custom malware and open source hacking tools as well as living-off-the-land tactics, such as malicious PowerShell scripts.

Specifically, the group attempts to infect its targets using a dropper in the form of a malicious ".exe" or ".dll" file, which is disguised as a document or image, and likely sent through spear-phishing email. If opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. 

O'Brien noted: "Vcrodat uses a technique known as search order hijacking. In short, this technique uses the fact that, if no path is provided, Windows searches for DLLs in specific locations on the computer in a pre-defined order. Attackers can, therefore, give a malicious DLL the same name as a legitimate DLL, but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it."

Asked why Windows was unable to differentiate between malicious and legitimate DLLs, he explained that Windows only performed a search if no path was provided. So the issue was whether software developers had specified the DLL path. "Vendors will usually patch their software if they find paths that aren't specified, but that may not prevent the attacker from using the technique since they can drop an unpatched version and use that to load the malicious DLL," he said. 

Symantec also noted that Whitefly usually aimed to remain undetected, often for months, within a targeted network with the purpose of stealing large volumes of data. It would do so by deploying several tools, such as the open source hacking tool Termite, that facilitated communication between its hackers and the infected computers. 

O'Brien added: "For example, if they're using previously unseen tools, any incursions may not be detected until those tools are identified and flagged. We also observed that Whitefly went to great lengths to steal credentials, such as usernames and passwords from targeted organisations, making it easier for them to maintain a long-term presence on the network."

According to Symantec, the SingHealth breach was unlikely to be a one-off attack and, instead, was part of a series of attacks against organisations in the region. 

"Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organisations and maintaining a long-term presence on their networks," it said. 

ZDNet sent several questions to the Cyber Security Agency (CSA), the government agency tasked with overseeing Singapore's cybersecurity operations, including whether Whitefly was the hacker group it had referred to in January and if the government had worked with any organisation to identify the SingHealth hackers.

 

A CSA spokesperson did not respond directly to these questions, but replied with this statement: "Cybersecurity companies regularly produce such reports based on their own intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents."

When asked, Symantec confirmed it had shared its findings with CSA. 
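O'Brien's description of search order hijacking comes down to a fixed directory order that Windows walks for any DLL requested by bare name. The model below is an added example, not code from Symantec, Microsoft or this article: it encodes the documented search order (with and without SafeDllSearchMode), treats KnownDLLs as always coming from System32, and audits a constructed directory listing (all paths and DLL placements are invented for the example) for system DLL names that would load from somewhere earlier in the order than their legitimate copy. It generalises slightly beyond the quoted passage by showing how the current directory's position changes with SafeDllSearchMode.

```python
from pathlib import PureWindowsPath

# Windows resolves an unqualified DLL name by walking a fixed directory list.
# With SafeDllSearchMode on (the modern default): application directory,
# System32, the Windows directory, the current directory, then each PATH
# entry. With it off, the current directory moves up to second place.
# (The 16-bit system directory is omitted to keep the model short.)
SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"

# KnownDLLs (a registry-maintained list) are always mapped from System32,
# whatever the search order. Constructed subset for this example.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}

# Constructed directory listing standing in for a real filesystem walk.
# A same-named version.dll sits next to viewer.exe, and a dwmapi.dll sits in
# a Downloads folder that could be a process's current directory.
FAKE_FS = {
    r"C:\Apps\Viewer": {"viewer.exe", "version.dll", "viewer_core.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "ntdll.dll", "user32.dll",
                             "version.dll", "dwmapi.dll"},
    r"C:\Windows": set(),
    r"C:\Users\jlim\Downloads": {"dwmapi.dll"},
    r"C:\Tools": set(),
}


def search_order(app_dir, cwd, path_dirs, safe=True):
    """Directory list Windows walks, in order, for an unqualified DLL name."""
    if safe:
        return [app_dir, SYSTEM32, WINDOWS, cwd] + list(path_dirs)
    return [app_dir, cwd, SYSTEM32, WINDOWS] + list(path_dirs)


def resolve_dll(name, app_dir, cwd, path_dirs, safe=True, fs=FAKE_FS):
    """Return the path Windows would load for `name`, or None if absent."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return str(PureWindowsPath(SYSTEM32, name))
    for d in search_order(app_dir, cwd, path_dirs, safe):
        if name in {f.lower() for f in fs.get(d, set())}:
            return str(PureWindowsPath(d, name))
    return None


def find_shadowing(app_dir, cwd, path_dirs, safe=True, fs=FAKE_FS):
    """Audit: every System32 DLL name that would load from somewhere else.

    Each hit is a (dll name, path actually loaded) pair: a same-named file
    earlier in the search order than the legitimate copy.
    """
    system_names = {f.lower() for f in fs.get(SYSTEM32, set())}
    hits = []
    for name in sorted(system_names):
        loaded_from = resolve_dll(name, app_dir, cwd, path_dirs, safe, fs)
        if loaded_from and not loaded_from.lower().startswith(SYSTEM32.lower()):
            hits.append((name, loaded_from))
    return hits
```

The same audit, run over a real listing of an application's install directory against System32, is a cheap way to spot planted DLLs; the fix O'Brien alludes to is for software to load its DLLs by full path so the search order is never consulted.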
