World’s Biggest Bank hacked: ICBC may have failed to patch "Citrix Bleed" vulnerability

Courier dispatched with a USB stick carrying trade settlement details after systems disrupted...


The world’s biggest bank, China’s Industrial & Commercial Bank of China (ICBC), sent a courier carrying trade settlement details across Manhattan on a USB stick after a ransomware attack this week that roiled markets, an attack which may have followed its failure to patch a known Citrix vulnerability.

The ransomware attack on ICBC’s US arm took place on November 8 and “resulted in disruption to certain FS systems” the firm said in a notice on its website: “Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident.”

The incident hit trading of Treasuries by the bank, which said that it had “successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09)” – Bloomberg reported that trades had been settled after a messenger carrying a USB stick with trade details was dispatched to hand them physically to counterparties (which hopefully opened them in a suitable sandboxed environment…)

LockBit, which also hit financial markets firm ION earlier this year (an incident that likewise disrupted markets), has claimed the attack.

Security researcher Kevin Beaumont spotted on Shodan that ICBC’s US unit had an internet-facing Citrix NetScaler box that, as of Monday, was still unpatched against the Citrix Bleed vulnerability (CVE-2023-4966), which CISA notes has been used in “active, targeted exploitation” campaigns in recent weeks.

Mandiant reports that successful exploitation of the Citrix Bleed vulnerability began in late August. The bug lets attackers take over existing authenticated sessions, which bypasses both password and multi-factor authentication (MFA): the attacker never logs in, they reuse a session that a legitimate user has already established.
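Because a stolen session token is replayed rather than re-authenticated, the telltale sign in access logs is a single session ID that was created by a login from one client IP and then used from another IP that never authenticated for it. The script below is an added example, not code from the article, Mandiant or Citrix: it runs that check over a handful of constructed log lines. The log format (timestamp, client IP, `sess=`, `user=`, `action=`) is an assumption made for the example and is not the real NetScaler log layout, so the regex would need adapting to whatever your appliance actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (NOT real NetScaler output; the field layout
# is an assumption for this example). Session IDs and IPs are made up.
# alice logs in once from 203.0.113.10; her session is later used from
# 198.51.100.77, which never authenticated. bob's session stays on one IP.
SAMPLE_LOG = """\
2023-11-06T08:02:11Z 203.0.113.10 sess=a1f3c9d2 user=alice action=login mfa=ok
2023-11-06T08:40:37Z 203.0.113.10 sess=a1f3c9d2 user=alice action=request path=/vpn/index.html
2023-11-06T09:15:02Z 198.51.100.77 sess=a1f3c9d2 user=alice action=request path=/logon/LogonPoint/index.html
2023-11-06T09:15:45Z 198.51.100.77 sess=a1f3c9d2 user=alice action=request path=/cgi/login
2023-11-06T10:00:00Z 203.0.113.22 sess=7b9c04e1 user=bob action=login mfa=ok
2023-11-06T10:05:12Z 203.0.113.22 sess=7b9c04e1 user=bob action=request path=/vpn/index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
)


def parse_log(text):
    """Parse lines in the assumed format into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_hijacked_sessions(events):
    """Flag sessions used from a client IP that never performed a login for
    that session. A replayed (stolen) token looks exactly like this: the
    session is valid, the user is right, but there is no authentication
    event from the IP that is now driving it."""
    login_ips = defaultdict(set)   # sess -> IPs that authenticated
    seen_ips = defaultdict(dict)   # sess -> {ip: first timestamp seen}
    users = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = ev["sess"]
        users[s] = ev["user"]
        if ev["action"] == "login":
            login_ips[s].add(ev["ip"])
        seen_ips[s].setdefault(ev["ip"], ev["ts"])

    findings = []
    for s, ips in seen_ips.items():
        foreign = sorted(ip for ip in ips if ip not in login_ips[s])
        if foreign:
            findings.append({
                "session": s,
                "user": users[s],
                "login_ips": sorted(login_ips[s]),
                "foreign_ips": foreign,
                "first_foreign_use": min(ips[ip] for ip in foreign),
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacked_sessions(parse_log(SAMPLE_LOG)):
        print(f"session {f['session']} ({f['user']}): authenticated from "
              f"{f['login_ips']}, later used from {f['foreign_ips']} "
              f"starting {f['first_foreign_use']:%Y-%m-%d %H:%M:%S}")
```

Two practical caveats. A changed client IP is a strong but not conclusive signal (mobile users and carrier NAT move addresses), so treat hits as leads to correlate with the user, not as proof. And since the attack replays already-issued tokens, applying the Citrix patch alone does not evict an attacker who already holds one; Citrix’s guidance for this CVE was to terminate active and persistent sessions on the appliance after upgrading, so any session that pre-dates the patch should be considered suspect.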

A recent spate of attacks by the Cl0p ransomware group has also seen attackers leverage CVE-2023-47246, a critical new zero-day in IT service management software from SysAid, first reported on November 8, the same day ICBC was attacked. The software offers “remote control and monitoring” of computers and servers, which is what makes widespread exploitation so dangerous: a compromised SysAid server is a foothold with reach into every machine it manages.

The fix is in SysAid Server version 23.3.36, an update SysAid says “we strongly urge you to install as soon as possible”.

Huntress Labs and Rapid7, along with Profero, which discovered the vulnerability, have all shared details on the SysAid bug, exploitation of which has the potential to spiral into significant supply chain-type attacks.

As Bloomberg notes, ransomware attacks against Chinese firms are rare “in part because China has banned crypto-related transactions, according to Mattias Wåhlén, a threat intelligence specialist at Truesec. That makes it harder for victims to pay ransom, which is often demanded in cryptocurrency because that form of payment provides more anonymity.” 
