Chinese multinational bank hit by ransomware

The state-owned Industrial and Commercial Bank of China (ICBC), which is one of the largest banks in the world, has been hit by a ransomware attack that led to disrupted trades in the US Treasury market.

The attack

“On November 8, 2023, U.S. Eastern Time (November 9, 2023, Beijing Time), ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident,” the bank said in its security incident notice.

Several news outlets, including the Financial Times and Bloomberg, have reported that the LockBit ransomware gang is behind the attack.

ICBC is investigating and has engaged in recovery efforts.

“We successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09),” ICBC added.

“ICBC FS’s business and email systems operate independently of the Industrial and Commercial Bank of China Group. The systems of the ICBC Head Office and other domestic and overseas affiliated institutions were not affected by this incident, nor was the ICBC New York Branch.”

A possible way in for attackers

Cybersecurity researcher Kevin Beaumont has pointed out that a Citrix Netscaler box owned by ICBC was still unpatched for the Citrix Bleed (CVE-2023-4966) vulnerability on Monday, and that it’s now offline.

Beaumont also says that 5000+ organizations still haven’t patched the flaw.

“It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs – it gives attackers a fully interactive Remote Desktop PC the other end,” he explained.

Citrix Bleed has been exploited by attackers in the wild since late August 2023, and has since been leveraged by ransomware gangs. Citrix made a patch available in early October.