Wednesday, January 30, 2019

Impact of Singhealth cyber attack


Singhealth Data Breach 2018 


The "SingHealth data breach", the most serious personal data breach to have happened in Singapore, took place in June-July 2018. It affected the personal data of 1.5 million people, including the personal data of the Prime Minister of Singapore.

This article explains how the attack unfolded (it also has a nice diagram which explains the attacker's movements and the data exfiltration):
https://www.channelnewsasia.com/news/singapore/customised-uniquely-tailored-malware-singhealth-cyberattack-10794852

Impact

The following 3 articles explain the impact and penalties of this data breach, after the conclusion of the Committee of Inquiry (COI) which was tasked with investigating the breach.

https://sg.news.yahoo.com/singhealth-cyberattack-ihis-fires-2-managers-financial-penalties-7-including-ceo-2-123715177.html

https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach

https://www.gov.sg/news/content/channel-newsasia---singhealth-coi-report 

“Two senior managers at the Integrated Health Information Systems (IHiS) have been sacked for being “negligent” and “in non-compliance of orders” during the 2018 SingHealth cyberattack, which contributed to the unprecedented scale of the incident.
Five members of the IHiS senior management, including CEO Bruce Liang, have also been given a “significant financial penalty” for their collective leadership responsibility. A “moderate financial penalty” will be imposed on two middle management supervisors, said the central IT agency for the healthcare sector on Monday (14 January).
In addition, a Cluster Information Security Officer – who was not named but is believed to be Wee Jia Huo – who “failed to comply with IHiS’ incident reporting processes” has been demoted and re-deployed to another role.
An IHiS spokesperson noted that the Security Incident Response Manager – believed to be Ernest Tan – had “persistently held a mistaken understanding of what constituted a ‘security incident’, and when a security incident should be reported”.
“His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack,” added the spokesperson. Consequently, both Tan and a Team Lead in the Citrix Team were told to go.
The Team Lead is believed to be Lum Yuan Woh.
“Whilst there was no intent to cause or facilitate the cyberattack, both of them had failed to discharge the responsibilities entrusted on them.”
The terminations are with immediate effect.”

“Singapore's privacy watchdog has meted out its largest fine of $750,000 to Integrated Health Information Systems (IHiS) for lapses in securing patient data which resulted in the nation's worst data breach. Even though IHiS is the technology vendor for Singapore's healthcare sector, SingHealth also has to take responsibility as the owner of the patient database system - a point that the Personal Data Protection Commission (PDPC) stressed in dishing out penalties. SingHealth was fined $250,000, the second largest here.”

Note:

You can find the public report from the COI at the following link:
https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20into%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf


Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome

The following article describes how the browsers' HSTS and HPKP storage implementations can be abused to disable HSTS and HPKP checking. Because of these attacks, the Trust On First Use (TOFU) security model of HSTS and HPKP cannot be properly enforced by the browser.

http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html

Quote from the above article about the Firefox implementation:
Firefox uses a TXT file with a limit of 1024 entries to remember HSTS and HPKP domains. It seems that they thought it was unlikely that a user would store more than that but, anyhow, they implemented a concept of "score" for each domain too.
The score indicates how often the user visits that domain on different days. Score 0 means that the header is expired or it is the first day he has visited the site. Score goes to 1 next day if he visits it again. It would go to 2 next different day (not necessarily to be the day after) he visits that site. In a nutshell, the more often (in different days) the user visits the site the higher the score. In case of having to remove one of these 1024 entries to make space (free up a slot), the one with the lower score is removed.

What we did is a Bettercap JavaScript to inject and a special website. Both send a lot of HSTS headers (what we call "junk entries") with different subdomains. Firefox, in less than 2 minutes, fills up this 1024 table and starts removing legitimate domains with score 0.
What happens if a legitimate domain has a higher score and is less likely to be removed? To get that, we need to make this attack again on a different day, so our junk entries get a score of 1, and the legitimate ones with 0 score or 1 score will probably go away. And so on.
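To reason about how much protection the score gives a site, here is an added toy model of the store described in the quote (my own Python, not the ElevenPaths article's code and not Firefox's implementation): a bounded table with per-day scores and lowest-score eviction. The tie-break among equal scores (the entry with the oldest visit goes first), the capacity parameter and the host names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    host: str
    score: int      # distinct days on which this host sent the header (0 on the first day)
    last_day: int   # day of the most recent visit, used to count distinct days

class HstsStore:
    """Bounded store that drops the lowest-scored entry when full (the tie rule is an assumption)."""
    def __init__(self, capacity=1024):
        self.capacity = capacity
        self.entries = {}   # host -> Entry

    def victim(self):
        # Lowest score first; among equal scores, the entry with the oldest visit (assumption).
        return min(self.entries.values(), key=lambda e: (e.score, e.last_day))

    def observe(self, host, day):
        e = self.entries.get(host)
        if e is not None:
            if day != e.last_day:          # the score only grows across different days
                e.score += 1
                e.last_day = day
            return
        if len(self.entries) >= self.capacity:
            del self.entries[self.victim().host]
        self.entries[host] = Entry(host, 0, day)

def one_day_flood(capacity=1024):
    """One-day flood of 2*capacity junk hosts; returns (score-2 host kept, score-0 host kept)."""
    store = HstsStore(capacity)
    for day in range(3):
        store.observe("bank.example", day)     # seen on three different days: score 2
    store.observe("newsite.example", 2)        # seen once: score 0
    for i in range(2 * capacity):
        store.observe(f"junk{i}.attacker.example", 3)
    return "bank.example" in store.entries, "newsite.example" in store.entries

def flood_days_to_evict(legit_score, capacity=64):
    """Repeat a flood of capacity-1 junk hosts daily; return the day the legit host becomes the next victim."""
    store = HstsStore(capacity)
    for day in range(legit_score + 1):
        store.observe("bank.example", day)
    flood_day = 0
    while True:
        flood_day += 1
        for i in range(capacity - 1):
            store.observe(f"junk{i}.attacker.example", legit_score + flood_day)
        if store.victim().host == "bank.example":
            return flood_day
```

In this model a site the user has visited on s+1 different days is only safe for s days of repeated flooding (flood_days_to_evict(s) returns s + 1), which is why the score only delays, rather than prevents, the loss of the HSTS entry.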

Friday, January 18, 2019

Writeup on Intigriti CTF - A Failed Attempt

On the 9th of January 2019, Intigriti announced the following CTF challenge
(https://twitter.com/intigriti/status/1082979668972748803). As I had recently started trying out CTFs,
I thought I would give it a try, although my CSSLP exam was close.

So where to start? As there were no other hints at that time, and there was an emoji pointing to the
attached image, I thought the clues or the flag itself were inside the image, so I downloaded it to my
Kali VM.

Then it was time to analyze the downloaded image file.

Using the “strings” command on the image file showed some interesting text like “lmao” and
“nottheflag.pdf”. So I thought maybe there was a pdf file embedded inside the image file (as I
remembered reading about similar steganography techniques on twitter or somewhere before).

On the first attempt, I just renamed the file to the .zip extension and used the “unzip” command, which
gave me the pdf file.
But later, thanks to further google searches, I found a better way to do that using the “binwalk”
command. The “binwalk” command shows which files are embedded inside a file.


If you use the “-e” option of “binwalk”, it even extracts those files to the current directory. But I was
still new to this tool, so I only found out about it later. I just used the “unzip” command on the jpg, and
voilà, now there was a file named “nottheflag.pdf” in my current directory.
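Why renaming the jpg and running unzip works is worth seeing once: ZIP readers find the archive from its end-of-central-directory record at the tail of the file, so leading JPEG bytes are just ignored. The following is an added Python example (my own, not part of the original writeup or the challenge) that builds a constructed JPEG-plus-ZIP polyglot and runs the same three checks the writeup did by hand: strings, the embedded archive offset that binwalk reports, and listing the archive. The fake JPEG bytes and the pdf placeholder are constructed sample data.

```python
import io
import re
import zipfile

# Constructed stand-in for the challenge image: a minimal JPEG-looking prefix (SOI ... EOI).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def build_polyglot():
    """Append a real (stored, uncompressed) ZIP holding a fake nottheflag.pdf to the JPEG bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("nottheflag.pdf", b"\n%PDF-1.4 lmao (constructed placeholder, not the real file)\n")
    return FAKE_JPEG + buf.getvalue()

def strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the strings(1) command."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def embedded_zip_offset(data):
    """Offset of the first ZIP local file header, or -1 (the offset binwalk reports for 'Zip archive data')."""
    return data.find(ZIP_LOCAL_HEADER)

def list_embedded_zip(data):
    """zipfile locates the end-of-central-directory record at the tail of the file and treats the
    JPEG bytes as leading junk, which is why renaming the .jpg to .zip and running unzip works."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()
```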


Opening the PDF file showed a base64 encoded string and a URL to a tweet.


Decoding the base64 string:



 

Accessing the decoded URL (https://go.intigriti.com/07b0fL24lkmva) pointed to a zip file.

Ok, it is an encrypted file. Where is the password? Let's see what hints have been posted by intigriti.

There is an emoji pointing up. I checked the original tweet again, examined the cover image
of the current image, and even found another twitter account named “WhereIsTheFlag”.
https://twitter.com/WhereIsTheFlag


Still I did not have a clue where the password was.

Again, new hints were posted by intigriti, pointing up.
Where is it?
Feeling the same as @SYNTAXERRORBA

The ceiling? 😓

The sky? 😕

Ok, after some time, I remembered I had to study for the CSSLP exam. So I gave up.
…….
But again later, another hint.

I had already looked at the cover image of the intigriti twitter account. (But I forgot to check the cover image of
the other twitter account, “WhereIsTheFlag”, which was where they hid the password according to
another writeup). So no password for me.

Another hint was about a matrix. The MATRIX?

😕, maybe they are talking about a color table in the JPG file?
I wasted more time reading about JPG and using commands like xxd to analyze the jpg
file. Then I remembered again that I had to study for the CSSLP and went back to studying.
The last hint.

I am not skilled enough at CTFs yet, but I can try.
Using unzip commands to see the available data in the zip file:




The unzip -l command shows that the encrypted zip file contains 441 jpg image files with two different sizes
(314 and 317/318 bytes).
As the last hint says we do not need to decrypt the zip file, I thought the image filenames and file
sizes should be sufficient to get the flag.

As one of the hints is about a matrix, it is possible that the information from the files should be arranged in
a matrix, and because 441 is 21x21, this assumption seemed correct. The best known data
representation (at least for me) using a matrix is a QR code. According to the wikipedia article about
QR codes, version 1 of the QR code is 21x21, which gives further credence to the possible retrieval
of a QR code from the found data. If this assumption is correct, the two image sizes may be used to
represent the black and white colors.
Therefore the next step was to convert the file sizes to 0/1 or black/white and then to arrange
those in a 21x21 matrix ordered by file name.
First I generated a black png and a white png of size 10x10 pixels for generating the main
image, using the imagemagick convert command.

Then I generated an imagemagick convert command which arranges the above created black and
white images in rows and columns, with black representing image files greater than 314 bytes,
and white representing image files equal to 314 bytes in size.



Then I copied the generated imagemagick command from qr2.txt and executed it in the command
line (somehow using `cat qr2.txt` did not work, so I had to copy-paste it using the xclip command).

Now it is time to see the generated image. ⏳

So I got a silhouette of a nice building. 😯 I don’t think that is the flag.
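The same reconstruction (file size to black/white, ordered by file name, laid out 21x21) can be done without generating an imagemagick command, as in this added Python example (my own, not the writeup's or the challenge's code). The listing is a constructed `unzip -l`-style listing with hypothetical names 1.jpg..441.jpg, and the output is a plain PBM image; one point the manual approach can hide is that file names must be sorted numerically, since a plain string sort puts 10.jpg before 2.jpg and scrambles the matrix.

```python
import re

N = 21             # a version 1 QR code is 21x21 modules, and 21 * 21 == 441 files
WHITE_SIZE = 314   # files of exactly 314 bytes become white modules, larger ones black
LISTING_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+\.jpg)\s*$")

def constructed_listing(pattern):
    """'unzip -l'-style listing for a 21x21 bit pattern; the names 1.jpg..441.jpg are hypothetical."""
    lines = ["  Length      Date    Time    Name", "---------  ---------- -----   ----"]
    for idx in range(N * N):
        r, c = divmod(idx, N)
        size = 317 if pattern(r, c) else WHITE_SIZE
        lines.append(f"{size:9d}  2019-01-09 12:00   {idx + 1}.jpg")
    return "\n".join(lines)

def parse_listing(text):
    """(name, size) pairs sorted by the number in the name: a plain string sort
    would put 10.jpg before 2.jpg and scramble the matrix."""
    entries = [(m.group(2), int(m.group(1)))
               for m in map(LISTING_LINE.match, text.splitlines()) if m]
    entries.sort(key=lambda e: int(re.sub(r"\D", "", e[0]) or 0))
    return entries

def to_matrix(entries):
    """Row-major 21x21 matrix of 0 (white) / 1 (black) from the sorted entries."""
    if len(entries) != N * N:
        raise ValueError(f"expected {N * N} files, got {len(entries)}")
    bits = [1 if size > WHITE_SIZE else 0 for _, size in entries]
    return [bits[r * N:(r + 1) * N] for r in range(N)]

def to_pbm(matrix):
    """Plain PBM (P1, 1 = black); 'convert qr.pbm qr.png' or a QR reader can take it from here."""
    rows = "\n".join(" ".join(str(b) for b in row) for row in matrix)
    return f"P1\n{N} {N}\n{rows}\n"

def demo():
    """Checkerboard pattern as constructed input; the real archive listing would give the QR code."""
    return to_matrix(parse_listing(constructed_listing(lambda r, c: (r + c) % 2 == 0)))
```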

Then after some time, as a last attempt, I thought that if I compared the encrypted file
content (retrieved through the zipdetails command), I could find which files were similar (black or
white). But it did not work, as I did not find any encrypted file with the same data as any other file.
Then I gave up for the last time, as I still had another high priority, the CSSLP exam. So no flag for
me this time, but at least I passed (provisionally) the CSSLP exam 😊.

You can find a writeup of a successful attempt to capture this flag by @DJBusyR
here: https://busyr.com/writeups/intigriti_-_find_the_flag_earn_swag.pdf