The Industrial and Commercial Bank of China (ICBC), the world’s largest commercial bank, experienced a ransomware attack on its U.S. arm, ICBC Financial Services (FS). The incident, which occurred on November 8, 2023, U.S. Eastern Time, caused significant disruption in the U.S. Treasury market and affected certain ICBC FS systems. Read more at Reuters
Details of the Incident
- Target: ICBC Financial Services, a subsidiary of ICBC, located in New York.
- Impact: The ransomware attack disrupted financial services systems, affecting trades globally.
- Response: ICBC FS promptly reported the incident to law enforcement and took measures to contain the attack. More details on Cybernews
Associated Vulnerabilities
One of the vulnerabilities that could potentially be linked to this incident is CitrixBleed, identified as CVE-2023-4966. This critical vulnerability, with a CVSS score of 9.4, involves information disclosure risks in Citrix’s NetScaler ADC and NetScaler Gateway. An unauthenticated attacker could exploit this to hijack an authenticated session, leading to additional access within the target environment and potential collection of other account credentials. GreyNoise analysis on CVE-2023-4966
Mitigation and Response
- CitrixBleed (CVE-2023-4966): Organizations are urged to patch immediately, as recommended by CISA, which has added this vulnerability to its Known Exploited Vulnerabilities Catalog. Mass exploitation of this vulnerability has been observed, and Citrix has released patches to address it. Qualys ThreatPROTECT on CitrixBleed
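The mitigation advice above rests on the CISA Known Exploited Vulnerabilities (KEV) catalog. As an added example (not part of the original advisory), the check below matches an asset inventory against a KEV-style JSON excerpt and flags which entries are past CISA's remediation due date; the feed field names are an assumption based on the published KEV JSON format, and all sample entries, dates and hostnames are constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. Field names are an
# assumption based on the published feed; the dates are sample values, not the
# catalog's real entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2024-01-02",
         "dueDate": "2024-01-23", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: each asset lists CVEs reported by a scanner.
SAMPLE_INVENTORY = [
    {"asset": "netscaler-gw-01.example.internal", "cves": ["CVE-2023-4966"]},
    {"asset": "app-02.example.internal", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"asset": "db-03.example.internal", "cves": []},
]


def kev_exposure(kev_json, inventory, today):
    """Return one finding per (asset, CVE) pair present in the KEV feed.

    Findings are sorted so that overdue items come first, then items with known
    ransomware campaign use, so the list doubles as a patching priority order.
    """
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not in KEV: still worth patching, but not flagged here
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["asset"],
                "cve": cve,
                "product": entry["product"],
                "overdue": today > due,
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware_use"], f["cve"]))
    return findings
```

Run against a downloaded copy of the live KEV feed by passing its contents in place of `SAMPLE_KEV_JSON` and `date.today()` as `today`.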
MITRE ATT&CK TTPs
- T1486 – Data Encrypted for Impact: This TTP covers scenarios where ransomware is used to encrypt data in a targeted system, which aligns with the nature of the ICBC incident. MITRE ATT&CK TTP T1486