Jack Conde    07/10/2008 06:06 AM

To: Kenneth G. Lay, Guy-Pierre De Poerck, Andrea V. Townsend, James Nelms, David K. Newsom, Hinda Kada, Alleen Morse, Beatriz S. Pinto, Elsa Liberatori-Prati, Giles P. Hopkins, Kristin Lado Tufan, Leroy E. Grassley, Omar Baig, Pericia Coray, Patricia M. Seabolt, Rakesh Asthana, Scott F. Ligon, Sekkappa Nagappan, Sima Sassanpour, Stephen C. Sebastian, Sudhakar G. Kaveeshwer, Enrico G. Capraro, Eddie Hodapp, Christian Daniel Camacho, Shrimant Tripathy, Remy B. Faures, Charles Conn, June Seop Kim, Brian S. Iori, Jonathan Walkup, Pascal Platteborse, Kaleem A. Mohammed, Paul A. Baartz, Eduardo Martin Widmar, Kandi Reddy, Igor Petrovski, Charles C. Edwards, Sardar Azari, Amir Munir, Anand Kumar Srivastava, Herini Srinivasen, Bill Piatt

Subject: Server security breach update

BACKGROUND

As you all know, the WBG suffered a security incident a couple of days ago. The seriousness of the penetration was not understood until approximately 10:00 PM on 7/8/08. OIS and ISG determined that the WBG had a large number of compromised servers. The following list names the compromised machines and lists their primary function:

Server         Function
psdms02        PSD Web server
psdms03        PSD Web server
wb2ksap01      SAP (none of these is the primary SAP server)
wb2ksap05      SAP
wb2ksap08      SAP
wb2ksap11      SAP
wb2ksap12      SAP
wb2ksap14      SAP
wb2ksql08      Contains ISGTE data
wbdc104        Domain Controller
wbesi26        HR Image Server
wbmsctx10      Citrix server
wbmsctxmig     Citrix server
wbmsem37       Certificate server
wbmsfilec01b   File server
wbmsmon01      ISGTE Monitoring server
wbmsrsa001     SecurID Server

The list of servers clearly represents the severity and scope of the incident. A minimum of 18 servers have been compromised. OIS still does not know the full impact of the security breach or the amount of data that may have been compromised.
We do know that three (3) main servers have been breached: a domain controller, the WB RSA server that provides SecurID validation, and an HR server that contains scanned images of staff documents. OIS does not believe that any Treasury related systems have been compromised.

The incident was detected when a Lotus Notes server sent an alert on July 8 at 3:30 AM. Ever since the IFC security incident, ISG has configured the email servers to send out a notification if an inappropriate attempt to open a mail folder is detected. Upon further review, it was determined that the breach was associated with the use of a Senior Systems Administrator's account. The person was on leave at the time of the incident. After contacting the individual, it was determined that the suspicious incident was indeed the result of a compromised, privileged account. By 4:00 PM, ISG had assembled a team of Lotus Notes and Server experts to develop an understanding of the scope of the security breach. At approximately 6:00 PM OIS got involved, and the initial assessment of the damage was completed by 11:30 PM.

UPDATE

As of 9/9/08 we have determined that 5 of the compromised servers contain sensitive data, and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group. ISG believes that the PSD web servers were the intrusion vector.

Servers Containing Sensitive Data
wb2ksql08
wbmsfilec01b
wbesi26
wbdc104
wbmsrsa001

A major effort is underway to implement a firewall rule that will bar all outbound traffic from server networks to the Internet, with exceptions made for servers with a legitimate reason to make such connections. To this end, ISG staff is creating a daily report of traffic which will be vetted by ISG service managers and OIS to ensure that all exceptions are explained and justified. The rule will be implemented on Friday. This effort will curtail any data loss from production servers in the future.
ISG staff will redirect all suspicious IP addresses at the edge level, where their requests can be logged. The decision was made to redirect instead of blocking the traffic in an effort not to make the intruder suspicious and thwart our efforts to identify him. Additionally, blocking the hacker's IP address could lead him to continue his efforts from another address that would be much harder to detect.

OIS is currently performing forensic analysis on 5 servers and one workstation. The status of each device appears below:

Device                          Status
PN1029632 (Pascal PC)           Currently doing forensics on image
psdms02                         Currently doing forensics on image
wbmsrsa001 (RSA Server)         Image is being acquired
wbmsem37 (CA Server)            Image is being acquired
wbesi26 (HR Server)             1st drive: currently doing forensics on image / 2nd drive: image is being acquired
wbdc104 (Domain Controller)     Server is at BCC; will arrange a time to grab image / Microsoft forensics is being worked on by Charles' team

OIS will submit a detailed report on the results of the analysis; however, it is important to note that not being able to identify any malicious code on a server does not, per se, indicate that the machine is "clean". Therefore, OIS recommends that all servers in question be wiped clean, have the software reinstalled, and that all required data be copied back from a backup tape dating to before the security breach.

During a meeting held on 9/9/08 it was brought to OIS' attention that scans had shown approximately 30 workstations transmitting data to a TCP port. The initial suspicion was that these machines were also infected and part of the same incident. Subsequent analysis revealed that the transmissions were benign and related to the Skype installation on each one of the machines.

OIS has diligently contacted all interested parties and shared any specific data that may concern them, as well as advising them on future preventative measures.
These meetings are detailed below:

ADVISORY MEETINGS

7/9/08 10a - IFC - Paul Bounler was briefed and provided with technical information on scanning and remedial actions for the IFC.

7/9/08 11a - TRE - Ken Lay was briefed on the incident and provided with TRE specifics and remedial actions.

7/9/08 12p - TRE - Patrick Thng was briefed on the incident and provided with TRE specifics and remedial actions. The TRE IT support team was advised and included in the IRT activities. Two-factor authentication on all Admin accounts is being completed. Passwords have been changed on all administrator and service accounts.

7/9/08 12p - EG - Enrico Capraro, E. Hodapp, Chris Rrie, Penkaj M. were briefed on the incident and provided with EG specifics and remedial actions. The EG IT support team was advised and included in the IRT activities. All administrator accounts are being migrated to two-factor authentication under the TRE RSA server. Passwords have been changed on all administrator and service accounts.

7/9/08 7p - IFC - Bill Piatt, CIO, was briefed and provided with WBG exposure. Added to IRT list.

7/9/08 8:30p - GSD - Pete Gallant was briefed and provided with technical information on scanning and remedial actions for the WB. Scheduled a meeting for Monday, 7/14/08 to discuss any engagement with FBI and law enforcement cybercrime groups.
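The memo's egress control rests on two things: a default-deny rule for server networks talking to the Internet, and a daily report that lets service managers justify each exception before the rule is switched on. The following script is an added illustration of that report and is not code from the memo, from ISG or from OIS. Everything in it is constructed for the example: the server and internal address ranges, the flow-record format, the allowlist entries and their justifications, the hostnames' IP addresses and the sample flow lines (which borrow a few hostnames from the memo only to make the output readable).

```python
"""
Added example: daily egress-exception report for server networks.

Assumptions (all hypothetical, chosen for this example):
  - server networks are 10.20.0.0/16 and 10.21.0.0/16
  - RFC 1918 space is "internal"; any other destination is "the Internet"
  - flow records are whitespace-separated: ts host src dst dport proto bytes
  - ALLOWLIST maps a server to (destination network, port, justification)
    tuples that a service manager has already vetted
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

SERVER_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("10.21.0.0/16")]
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Justified exceptions (constructed): server -> [(dest network, port, reason)]
ALLOWLIST = {
    "wbmsmon01": [(ipaddress.ip_network("198.51.100.0/24"), 443,
                   "vendor monitoring feed (example justification)")],
    "wbmsem37": [(ipaddress.ip_network("203.0.113.10/32"), 80,
                  "CRL fetch from external CA (example justification)")],
}

# Constructed sample flows: two justified, two unexplained (one large
# transfer from a sensitive-data server), one internal, one workstation.
SAMPLE_FLOWS = """
# ts                  host        src          dst            dport proto bytes
2008-07-09T02:14:05   wbmsmon01   10.20.1.15   198.51.100.7   443   tcp   18210
2008-07-09T02:15:11   wbmsem37    10.20.1.37   203.0.113.10   80    tcp   2210
2008-07-09T02:20:42   wb2ksql08   10.20.2.8    192.0.2.45     443   tcp   5242880
2008-07-09T02:21:03   wb2ksql08   10.20.2.8    192.0.2.45     443   tcp   3145728
2008-07-09T03:02:19   wbesi26     10.21.4.26   192.0.2.45     8080  tcp   104857
2008-07-09T03:10:00   wb2ksap05   10.20.3.5    10.20.3.200    1433  tcp   40000
2008-07-09T03:11:30   ws-pascal   10.50.7.12   192.0.2.99     443   tcp   800
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    host: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record."""
    ts, host, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, host, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto, int(nbytes))


def in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in n for n in nets)


def is_justified(flow: Flow, allowlist) -> bool:
    """True if a vetted exception covers this host, destination and port."""
    return any(flow.dst in net and flow.dport == port
               for net, port, _reason in allowlist.get(flow.host, []))


Report = Dict[str, Dict[Tuple[str, int], int]]


def egress_report(lines: Iterable[str], allowlist=ALLOWLIST) -> Tuple[Report, Report]:
    """Return (unexplained, justified): host -> {(dst, port): total bytes}.

    Only server-network sources talking to non-internal destinations are
    considered, which is exactly the traffic the default-deny rule will hit.
    Workstation traffic (e.g. the Skype false positive) is out of scope here.
    """
    unexplained: Report = defaultdict(lambda: defaultdict(int))
    justified: Report = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if not in_any(f.src, SERVER_NETWORKS) or in_any(f.dst, INTERNAL_NETWORKS):
            continue
        bucket = justified if is_justified(f, allowlist) else unexplained
        bucket[f.host][(str(f.dst), f.dport)] += f.nbytes
    return dict(unexplained), dict(justified)


def format_report(unexplained: Report, justified: Report) -> str:
    """Render the report service managers are asked to vet."""
    out = ["EGRESS REPORT: server network -> Internet",
           "Unexplained (will be blocked unless justified):"]
    for host in sorted(unexplained):
        for (dst, port), nbytes in sorted(unexplained[host].items()):
            out.append(f"  {host:<12} -> {dst}:{port:<5} {nbytes:>10} bytes  NEEDS JUSTIFICATION")
    out.append("Justified exceptions:")
    for host in sorted(justified):
        for (dst, port), nbytes in sorted(justified[host].items()):
            out.append(f"  {host:<12} -> {dst}:{port:<5} {nbytes:>10} bytes")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(*egress_report(SAMPLE_FLOWS.splitlines())))
```

Run against the constructed flows, the report lists the two monitoring and CRL connections as justified and flags the 8 MB pushed from wb2ksql08 and the wbesi26 connection to the same external address as needing justification; the SAP-to-SAP flow and the workstation flow never appear, since the rule covers neither. Aggregating by (host, destination, port) rather than per flow is what makes a slow exfiltration over many small sessions visible as one large line.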