Overview/Case Summary
On August 10, 2023, [Your Name] started the digital forensics investigation into the Genworth Financial cyber-attack. Global insurance behemoth Genworth Financial disclosed an alarming cybersecurity incident that jeopardized the protection of crucial client data and financial assets. The primary goals of this investigation are to determine the scope of the data breach, pinpoint the attack’s origin, and gather trustworthy evidence for any later legal action.
The problem started when internal security systems at Genworth Financial detected suspicious activity within the network infrastructure. Initial investigation revealed signs of unauthorized access to crucial databases storing client information, financial transaction data, and highly confidential investment strategies. Given the potential breadth of the impact, a thorough forensic investigation was needed to determine the breach’s causes, methods, and effects (Gangcuangco, 2023).
Forensic Acquisition & Examination
Appropriate data-collection tools were used for forensic acquisition and examination. I used the vulnerability scanner Nessus to identify and evaluate common vulnerabilities and exposures (CVEs) in the software, including CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708. EnCase Forensic was used to create bit-for-bit images of the storage media connected to the affected systems, ensuring that all data, including deleted and hidden files, was captured in an unaltered and secure manner (Alazab et al., 2023). I used OSForensics and the command-line utility ‘dd’ to locate and copy particular files and directories related to the exploited vulnerabilities. Targeted copies of crucial data were made with these tools, preserving any potential evidence of the vulnerabilities (Muhammad & Fatima, 2022).
I computed hash values (MD5 and SHA-256) for each acquired image or copy. The hash values were compared against the known reference values to confirm the integrity of the acquired data and ensure that it was unaltered during the acquisition process (Ali & Farhan, 2020). The chain of custody and the admissibility of the evidence were maintained through careful documentation that included the date, time, parties involved, and the precise activities conducted. I verified the accuracy of the collected data by comparing particular file properties, metadata, and timestamps, and I recorded and confirmed every action, from locating potential sources of evidence to producing forensic images.
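The integrity check described above, as an added illustration that is not part of the report or of any tool named in it: an image is hashed in chunks (so multi-gigabyte evidence files never have to fit in memory), the result is compared in constant time against the reference hashes recorded at acquisition, and each verification produces a chain-of-custody record with timestamp, examiner, action and outcome. The image file, its name, the examiner placeholder and the flipped byte are all constructed for the demonstration.

```python
"""Acquisition-integrity check for a forensic image (added example, not from
the report): chunked MD5/SHA-256 hashing, constant-time comparison against the
reference hashes recorded at acquisition, and a chain-of-custody record."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time; evidence images are often far larger than RAM


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, hashing it in chunks.
    All requested digests are updated from one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, reference):
    """Compare the computed hashes with the reference dict recorded at acquisition.
    Returns (ok, computed); ok is True only if every reference algorithm matches.
    compare_digest avoids leaking which prefix of the digest differed."""
    computed = hash_file(path, tuple(reference))
    ok = all(hmac.compare_digest(computed[alg], reference[alg].lower()) for alg in reference)
    return ok, computed


def custody_entry(path, examiner, action, computed, ok):
    """One chain-of-custody record: who did what to which item, when, with what result."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "item": os.path.basename(path),
        "examiner": examiner,
        "action": action,
        "hashes": computed,
        "integrity_verified": ok,
    }


def demo():
    """Constructed end-to-end run against a fake image; returns the results so
    they can be checked. Nothing here is real evidence."""
    image_bytes = b"constructed placeholder image bytes, not real evidence\n" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk01.E01")  # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(image_bytes)
        reference = hash_file(image)  # the values that would be written in the acquisition log
        ok_before, computed = verify_image(image, reference)
        log = [custody_entry(image, "[Examiner]", "acquisition hash", computed, ok_before)]
        # Simulate a single byte changing on the working copy after acquisition.
        with open(image, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        ok_after, computed = verify_image(image, reference)
        log.append(custody_entry(image, "[Examiner]", "re-verification", computed, ok_after))
    return {"original_ok": ok_before, "tampered_ok": ok_after, "log": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the reference hashes come from the acquisition tool's own log (EnCase and `dd`-based workflows both record them), and the custody entries are appended to a write-once log rather than held in a list; the functions above are the part that is the same regardless of tooling.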
I analyzed the gathered forensic images thoroughly to determine the attacker’s tactics, techniques, and procedures. Digital forensics tools such as Wireshark for network traffic inspection and Volatility for memory analysis were used to find indicators of compromise (IoCs) and patterns of unauthorized access (Javed et al., 2022). Log files, system artifacts, and network traffic logs were analyzed, and Autopsy was used to spot unusual connections, potentially malicious files, and aberrant activity. Burp Suite was used to examine web application code and database structures, verifying the presence of the SQL injection attack associated with CVE-2023-34362. The malware was analyzed in Cuckoo Sandbox to understand its functionality, behavior, and code (Melvin & Kathrine, 2021).
Tactics, techniques, and procedures (TTPs) were analyzed using the MITRE ATT&CK framework and attributed to particular threat actors. Behavioral and signature analysis techniques were used to locate known malware signatures and spot deviations from regular system activity. The Sleuth Kit aided in reconstructing events from the gathered evidence and artifacts, helping to establish the sequence of activities conducted by the attackers. Forensic data recovery tools were used to recover affected data in order to understand the magnitude of the breach. Using these tools and procedures, the digital forensics team painstakingly recreated files and artifacts that might have been tampered with, altered, or exfiltrated during the intrusion (Villalón-Huerta et al., 2022).
Findings and Report
Key findings include:
The vulnerability investigation identified three vulnerabilities in the software: CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708. Only CVE-2023-34362 is known to have been used by the CL0p ransomware gang to gain unauthorized access to sensitive information. Exploitation of CVE-2023-34362, a structured query language (SQL) injection vulnerability, allowed attackers to insert malicious code and gain access to the databases hosted by the MOVEit application. Malware analysis discovered sophisticated malicious code linked to the CL0p group (Labs, 2023). The malware’s primary goals were to avoid detection and exfiltrate private financial information. Sensitive financial information such as customer information, transaction logs, and confidential financial reports was exposed. Ransomware analysis showed that the cyber-criminals stole data from the affected businesses and tried to extort them, demanding payment to keep the stolen data from being published (Labs, 2023).
The examination of network traffic revealed odd communication patterns with external command-and-control servers, pointing to a planned attack and the potential for data exfiltration. Memory analysis revealed injected code and suspicious memory regions, indicating malware activity intended to hide from detection during runtime. Reconstruction of the attack timeline showed that the attackers initially gained access to the system by using malware, which then allowed them to exploit the discovered vulnerability (CVE-2023-34362). Threat-actor-owned IP addresses were identified in the c_ip column of IIS log entries with cs_uri_stem=/download, a cs_Referer value referencing human.aspx, and an IP address rather than a domain name in that referer (Palka, 2023).
The identified indicators of compromise (IoCs) include IP addresses and domain names connected to the attackers’ command-and-control infrastructure, malicious file signatures and hashes discovered on infected systems, and patterns of unusual network activity, such as outbound connections to suspicious destinations (Akram & Ogi, 2020).
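The IIS log pattern cited from Palka (2023) above, turned into a detection that can be run over exported W3C-format logs. This is an added example, not code from the report, from CrowdStrike or from any other source named here. It assumes the standard IIS W3C field names (`cs-uri-stem`, `c-ip`, `cs(Referer)`), and the log lines, server address, client addresses and user names are all constructed: the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real indicators.

```python
"""Flag /download requests in an IIS W3C log whose Referer names human.aspx by
IP-literal host rather than by hostname (added example; log lines constructed)."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample in IIS W3C extended format. IIS writes a '-' for empty
# fields and replaces spaces inside a field with '+', so splitting on single
# spaces is safe. Addresses and user names are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2023-05-28 02:14:11 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 https://moveit.example.com/human.aspx 200
2023-05-28 02:14:40 10.0.0.5 GET /download - 443 jdoe 198.51.100.7 Mozilla/5.0 https://moveit.example.com/human.aspx 200
2023-05-28 03:01:02 10.0.0.5 GET /download - 443 - 203.0.113.44 python-requests/2.31 https://10.0.0.5/human.aspx 200
2023-05-28 03:01:09 10.0.0.5 GET /download - 443 - 203.0.113.44 python-requests/2.31 https://10.0.0.5/human.aspx 200
2023-05-28 03:05:30 10.0.0.5 GET /api/v1/folders - 443 - 203.0.113.44 python-requests/2.31 - 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header.
    Lines whose column count does not match the header are skipped rather than
    guessed at; a rotated log may carry a new #Fields line, which is honoured."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def referer_host_is_ip(referer):
    """True when the Referer URL's host is an IPv4 or IPv6 literal.
    urlparse().hostname strips the brackets from IPv6 literals, so
    ip_address() accepts both families. '-' (no Referer) is not a match."""
    if referer == "-":
        return False
    host = urlparse(referer).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_download_by_ip_referer(text):
    """Return ({c-ip: hit_count}, [matching records]) for requests that combine
    all three conditions from the report: cs-uri-stem is /download, the Referer
    names human.aspx, and the Referer host is an IP address, not a domain name."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != "/download":
            continue
        referer = rec["cs(Referer)"]
        if "human.aspx" not in referer.lower():
            continue
        if referer_host_is_ip(referer):
            hits.append(rec)
    counts = {}
    for rec in hits:
        counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts, hits


if __name__ == "__main__":
    counts, hits = flag_download_by_ip_referer(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} suspicious /download request(s)")
    for rec in hits:
        print(" ", rec["date"], rec["time"], rec["c-ip"], rec["cs(User-Agent)"], rec["cs(Referer)"])
```

Run against the constructed sample, only the two requests from 203.0.113.44 are flagged; the legitimate user's download, whose Referer carries the server's hostname, is not. Addresses surfaced this way are leads for correlation with the other IoCs in the report (command-and-control domains, file hashes), not proof of compromise on their own, since a misconfigured internal client could also reach the server by IP.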
Recommendations for mitigation are that Genworth Financial immediately apply security patches for the discovered vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) to prevent future attacks. Genworth Financial should implement network segmentation to prevent attackers from moving laterally within the network, reducing the potential effect of subsequent breaches. Moreover, they should strengthen endpoint security measures, including advanced threat detection and real-time monitoring, so that harmful actions are identified and responded to promptly. To ensure a prompt and well-organized reaction in the event of future security incidents, they should develop and improve their incident response plan. They should conduct routine cybersecurity audits and assessments to find potential gaps and ensure adherence to industry best practices. Genworth Financial should evaluate and oversee the security of any partners and third-party vendors with access to their systems or data to ensure they follow the same cybersecurity standards.
Conclusion
The thorough investigation and analysis of the Genworth Financial incident highlight the crucial role that cybersecurity measures play in protecting sensitive financial data. To prevent unwanted access and data compromise, enterprises must remain constantly alert, quickly address vulnerabilities, and improve their cybersecurity processes. The security posture of Genworth Financial will be enhanced by the recommendations of this investigation, enabling it to guard against similar threats in the future.
Disclaimer: Genworth Financial and other approved stakeholders may only use this information internally. It presents conclusions and suggestions based on our team’s forensic investigation. Adhering to legal and regulatory requirements is crucial when responding to the findings and carrying out the suggested steps.
References
Alazab, A., Khraisat, A., & Singh, S. (2023). A Review on the Internet of Things (IoT) Forensics: Challenges, Techniques, and Evaluation of Digital Forensic Tools.
Akram, B., & Ogi, D. (2020, November). The making of indicator of compromise using malware reverse engineering techniques. In 2020 International Conference on ICT for Smart Society (ICISS) (pp. 1-6). IEEE.
Ali, A. M., & Farhan, A. K. (2020). A novel improvement with an effective expansion to enhance the MD5 hash function for verification of a secure E-document. IEEE Access, 8, 80290-80304.
Gangcuangco, T. (2023, June 26). Genworth outlines a massive hit from Global Moveit Hack. Insurance Business America. https://www.insurancebusinessmag.com/us/news/cyber/genworth-outlines-massive-hit-from-global-moveit-hack-450435.aspx
Javed, A. R., Ahmed, W., Alazab, M., Jalil, Z., Kifayat, K., & Gadekallu, T. R. (2022). A comprehensive survey on computer forensics: State-of-the-art tools, techniques, challenges, and future directions. IEEE Access, 10, 11065-11089.
Labs, M. (2023, June 27). CLOP ransomware exploits Moveit software. McAfee Blog. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware-exploits-moveit-software/
Melvin, A. A. R., & Kathrine, G. J. W. (2021). A quest for best: A detailed comparison between drakvuf-VMI-based and cuckoo sandbox-based technique for dynamic malware analysis. In Intelligence in Big Data Technologies—Beyond the Hype: Proceedings of ICBDCC 2019 (pp. 275-290). Springer Singapore.
Muhammad, N. A., & Fatima, R. (2022). Role of image processing in digital forensics and cybercrime detection. International Journal of Computational and Innovative Sciences, 1(1), 39–42.
Palka, T. L.-S. (2023, June 5). Data exfiltration for moveit transfer exploit: CrowdStrike. crowdstrike.com. https://www.crowdstrike.com/blog/identifying-data-exfiltration-in-moveit-transfer-investigations/
Paul Joseph, D., & Norman, J. (2019). An analysis of digital forensics in cyber security. In First International Conference on Artificial Intelligence and Cognitive Computing: AICC 2018 (pp. 701–708). Springer Singapore.
Villalón-Huerta, A., Marco-Gisbert, H., & Ripoll-Ripoll, I. (2022). A Taxonomy for Threat Actors’ Persistence Techniques. Computers & Security, 121, 102855.