US Treasuries Trading Affected by Ransomware Hack
The LockBit Ransomware Operation May Have Exploited Citrix Bleed
A ransomware attack affecting the New York financial services subsidiary of the Industrial and Commercial Bank of China resulted in disruptions to the U.S. Treasuries market.
China's largest commercial lender said hackers had penetrated certain trading systems on Wednesday, causing it to disconnect and isolate affected computers. It successfully cleared Treasury trades executed on Wednesday and repo financing on Thursday, a notice on the bank's website states.
Reuters reported Friday that some market participants said trades going through ICBC were not settled due to the attack, affecting market liquidity.
With 2022 revenue amounting to $214.7 billion and profits of $53.5 billion, ICBC is the largest commercial bank in the world by revenue, according to Fortune. The Financial Times reported that its New York financial services division has become a key player on Wall Street in clearing Treasuries for Chinese lenders.
"We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation," a U.S. Department of the Treasury spokesperson told multiple news outlets.
The Biden administration has sought to tamp down ransomware through a growing coalition of global partners. Members of the International Counter Ransomware Initiative met just days ago, as security researchers warned that the volume of known ransomware attacks has surged to record-breaking levels (see: Global Government Coalition Launching New Ransomware Efforts).
Ransomware monitor vx-underground tweeted that it had received confirmation from ransomware group LockBit that it is responsible for the attack. The group has not listed Industrial and Commercial Bank of China on its leak website, but that absence is not authoritative, said Allan Liska, a ransomware analyst at cybersecurity firm Recorded Future. "It is still very early in the attack so it is unlikely that they would appear on the site at this point. That may change because of all the attention the attack has received," he told Information Security Media Group.
The attack, likely from a LockBit affiliate, "shows the increasing sophistication of ransomware groups and their ability to gain access to even the most difficult targets," he added.
A spokesman for the Chinese Ministry of Foreign Affairs told reporters Friday that "ICBC is closely following this and has taken effective emergency response measures and engaged in proper supervision and communication in order to minimize risk," according to an official translation of the ministry's daily press briefing. ICBC Financial Service's business and email systems operate independently of its parent company, so other domestic and overseas affiliated institutions were not affected by this incident, the financial institution said.
British security researcher Kevin Beaumont said in a Mastodon post that through a query on internet of things search engine Shodan he had spotted an unpatched Citrix NetScaler box on the ICBC-FS network. Ransomware hackers are exploiting a recently patched vulnerability in NetScaler devices known as Citrix Bleed (see: Ransomware Groups Exploiting Unpatched NetScaler Devices).
Beaumont on Thursday reiterated that Citrix Bleed allows hackers to bypass "all forms of authentication," since they can steal session tokens. "It is as simple as pointing and clicking your way inside orgs - it gives attackers a fully interactive Remote Desktop PC the other end," he said.