The Industrial and Commercial Bank of China Limited, China’s largest bank, was hit by a ransomware attack that disrupted US Treasury markets.
First reported by the Financial Times, news that ICBC had been targeted in a ransomware attack came from the Securities Industry and Financial Markets Association on Wednesday. The attack prevented ICBC from settling Treasury bond transactions on behalf of other market participants, with some stock trades also affected.
To work around ICBC's inability to settle trades, market participants are said to have rerouted them. Although the attack had some impact on Treasury market liquidity, it did not weaken the overall market.
The form of the ransomware has not been disclosed, with an emergency notification issued to merchants referring to it only as an “incident.” The notice said that ICBC cannot contact the Depository Trust & Clearing Corporation and the National Securities Clearing Corporation, and as such, all incoming FIX communications have been temporarily suspended. FIX communications allow market participants to send messages to and receive messages from the DTCC, such as trade orders, settlement instructions, and account statements.
The Industrial and Commercial Bank of China (ICBC) began restoring services as of Thursday afternoon. The bank has not yet commented on the attack.
Although the form of ransomware used in the attack is currently unknown, security researcher Kevin Beaumont pointed on Mastodon to a possible attack path: a Citrix Netscaler box run by ICBC which, at least as of Monday, had not been patched against the Citrix Bleed vulnerability. Notably, that particular Netscaler box is currently offline.
Citrix Bleed, tracked as CVE-2023-4966, was discovered in October and highlighted in an alert from the US Cybersecurity and Infrastructure Security Agency on November 7. The vulnerability is described as exposing sensitive information in NetScaler ADC and NetScaler Gateway when they are configured as a gateway.
According to Beaumont, the vulnerability “allows complete and easy bypass of all forms of authentication and is being exploited by ransomware groups” and can be exploited as easily as “point and click your way in” to organizations, giving attackers a fully interactive remote desktop computer on the other end.
However, other security experts suggest that it is too early to know exactly what happened. “I would caution anyone against jumping to rash conclusions because we don’t have a lot of details about whether there were physical losses associated with the attack,” Jim Doggett, chief information security officer at Active Directory security and recovery firm Semperis LLC, told SiliconANGLE. You don’t think they’re in the crosshairs of ransomware threat actors, but they are. To better prepare for the inevitable attack, organizations should regularly review their business risks, including the impact ransomware could have on their business.
Photo: Zhou Guanhuai / Wikimedia Commons