China's largest commercial bank hit by ransomware
ICBC confirms an attack that halted some trades
The Industrial & Commercial Bank of China (ICBC), China’s largest commercial bank, was hit by a ransomware attack earlier this week.
In a notice on its website, the bank says: "ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident."
ICBC FS says it is conducting investigations and initiating a recovery of the affected systems. It has reported the incident to law enforcement authorities.
The Financial Times reported yesterday that the incident had caused equities clearing problems, and that some customers had been forced to reroute trades. ICBC's notice says that these issues have been resolved, and that disruption had been limited to a few systems.
"ICBC FS's business and email systems operate independently of the Industrial and Commercial Bank of China Group," it said.
"The systems of the ICBC Head Office and other domestic and overseas affiliated institutions were not affected by this incident, nor was the ICBC New York Branch."
In a media briefing on Friday, Chinese foreign ministry spokesperson Wang Wenbin said ICBC has been "closely monitoring the matter and has done its best in emergency response and supervisory communication."
CitrixBleed to blame?
Security expert Kevin Beaumont said on Mastodon that the ICBC was one of thousands of organisations with vulnerable Citrix NetScaler infrastructure that had not been patched for the CitrixBleed flaw (CVE-2023-24489).
"That Citrix box is now offline," Beaumont noted. However, there is no evidence so far that this was the entry point exploited by the attackers.
Others have speculated that the Russia-linked LockBit gang, or another criminal group using its malware, could be behind the attack. Such groups work "specifically to seek out vulnerabilities such as being able to bypass authentication," said Jake Moore, global cybersecurity advisor at security vendor ESET, adding that such attacks are commonly followed by data theft and then a range of ransom demands.
"Once data has been stolen, the extortion tactics occur in order to make more money, even if a backup process is in place."
Martin Mackay, CRO at Versa Networks, said that if an unpatched Citrix NetScaler box was indeed the entry point, it was worrying that an organisation of ICBC's size had not patched it in time. Remediation has been available for more than four weeks, he noted.
"This is why it's so important that organisations have strong basic security hygiene processes in place, such as updating software and implementing patches as and when they become available. When fixes are available, such incidents and the catastrophic impact they have are easily avoidable."