Pierluigi Paganini
November 10, 2023
The Industrial and Commercial Bank of China (ICBC) announced it has contained a ransomware attack that disrupted the U.S. Treasury market and impacted some fixed income and equities transactions
“The Securities Industry and Financial Markets Association first told members on Wednesday that ICBC Financial Services had been hit by ransomware software, which paralyses computer systems unless a payment is made, several people familiar with the discussions said.” reported the Financial Times. “The attack prevented ICBC FS from settling Treasury trades on behalf of other market participants, according to traders and banks, with some equity trades also affected.”
Hedge funds, asset managers, and other market participants rerouted trades due to the impact of the attack on Treasury market liquidity. Trading sources confirmed that the overall market continues to operate despite the security incident.
At this time is still unknown the ransomware group that hit the bank and it’s unclear if threat actors stole any data from the organization.
The Industrial and Commercial Bank of China (ICBC) is one of the largest and most prominent banks in the world. It is a Chinese multinational banking company and is often considered the largest bank in the world by total assets, market capitalization, and customer deposits.
According to a statement posted on the ICBC FS website on Thursday evening, the organization reported it had “experienced a ransomware attack that resulted in disruption to certain [financial services] systems.”
In response to the attack, ICBC disconnected and isolated affected systems, and immediately launched an investigation with the help of external cyber security experts.
Security expert Kevin Beaumont told BleepingComputer, that the ICBC infrastructure was hosting a Citrix server vulnerable to the ‘Citrix Bleed‘ attack. The server went offline after the attack.
In October, Citrix urged administrators to secure all NetScaler ADC and Gateway appliances against the CVE-2023-4966 vulnerability, which is actively exploited in attacks.
On October 10, Citrix published a security bulletin related to a critical vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler ADC/Gateway devices.
Researchers from Mandiant observed the exploitation of this vulnerability as a zero-day since late August.
Threat actors exploited this vulnerability to hijack existing authenticated sessions and bypass multifactor authentication or other strong authentication requirements. The researchers warn that these sessions may persist after the update to mitigate CVE-2023-4966 has been deployed.
Mandiant also observed threat actors hijacking sessions where session data was stolen prior to the patch deployment and subsequently used by the threat actor.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Industrial and Commercial Bank of China (ICBC))
