China’s largest bank, the Industrial and Commercial Bank of China Ltd., has been hit by a ransomware attack that has disrupted U.S. Treasury markets.

The Financial Times was first to report that ICBC had been targeted in the ransomware attack, citing an emergency notice issued by the Securities Industry and Financial Markets Association on Wednesday. The attack prevented ICBC from settling Treasury trades on behalf of other market participants, and some equity trades were also affected.

To address ICBC’s inability to settle trades, market participants are said to have diverted trades. Although the attack had some impact on Treasury market liquidity, it did not impair the market as a whole.

The emergency notice issued to traders did not disclose the nature of the ransomware; the event is referred to simply as an “incident”. The notice said ICBC could not connect to the Depository Trust and Clearing Corporation or the National Securities Clearing Corporation and was therefore temporarily suspending all inbound FIX connections. FIX connections allow market participants to send and receive messages such as trade orders, settlement instructions and account statements with DTCC.

ICBC was starting to restore services on Thursday afternoon. The bank has not yet commented on the attack.

Although the nature of the ransomware used in the attack is not known at this time, security researcher Kevin Beaumont pointed out on Mastodon one possible attack path: a Citrix NetScaler box operated by ICBC that was vulnerable to Citrix Bleed through at least Monday. The vulnerability was unpatched. Notably, that particular NetScaler box is now offline.

Citrix Bleed, tracked as CVE-2023-4966, was discovered in October and highlighted in an alert from the U.S. Cybersecurity and Infrastructure Security Agency on November 7. The vulnerability is described as potentially resulting in sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a gateway.

According to Beaumont, the vulnerability “allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups” and can be exploited as easily as “pointing and clicking your way [into organizations]. This gives attackers a fully interactive remote desktop PC on the other side.”

However, other security experts are suggesting it is too early to know exactly what happened. Jim Doggett, chief information security officer at Active Directory security and recovery company Semperis LLC, told SiliconANGLE: “I caution anyone from jumping to conclusions because we don’t have many details about what harm was associated with the attack and what did or did not happen. I regularly talk to companies who don’t believe they are the targets of ransomware threat actors, but they are. To better prepare for the inevitable attack, organizations should regularly review business risk, including the impact ransomware will have on their business.”

Photo: Zhou Guanhuai/Wikimedia Commons

Source: siliconangle.com