China’s largest bank hit by ransomware attack

LockBit used a well-documented vulnerability to hit ICBC


ICBC, the largest bank in China, suffered a devastating ransomware attack which disrupted its financial services (FS) systems, with a knock-on effect on US Treasury markets, sending ripples across the global financial world.

Multiple news outlets reported that ICBC was attacked by LockBit, a ransomware operation with possible ties to Russia. However, as LockBit is a ransomware-as-a-service operation, the culprits could actually be any one of its affiliates.

It’s not yet known how much money the attackers are demanding in exchange for the decryption key, or if they managed to steal any sensitive data during the attack.


CitrixBleed

A notice on the ICBC website says that upon noticing the incident, ICBC FS “disconnected and isolated impacted systems to contain the incident,” adding that an investigation was underway, as well as recovery efforts. ICBC’s financial services business and email systems operate independently from the bank, as do its overseas affiliates, which didn’t seem to be affected by the attack.

Cybersecurity researcher Kevin Beaumont argues that the attackers leveraged a known vulnerability in Citrix NetScaler boxes, called CitrixBleed, to bypass authentication. CitrixBleed is tracked as CVE-2023-4966 and carries a severity score of 9.4. It was patched a month ago. In the time since the patch was released, both Citrix and other security firms warned that the vulnerability was being abused in the wild. Even CISA sounded the alarm, saying ransomware actors were abusing it, and urging users to apply the patch immediately.

According to the Financial Times, the attack disrupted US Treasury markets, too. The US Securities Industry and Financial Markets Association (SIFMA) told its members the attack could block trade settlement on behalf of other market players, The Register reported. Other outlets reported that some equity traders were unable to place or clear trades.

Ransomware operators have been getting bolder lately. In fact, with more than 500 recorded attacks, September was a record month.


Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
