Ransomware attack on Chinese bank’s US subsidiary another warning signal

According to multiple news reports, ICBC Financial Services, the US arm of the Industrial & Commercial Bank of China (ICBC), one of China’s largest banks and amongst the world’s largest lenders by assets, has been hit by a ransomware attack.

Here are some key aspects of this cyberattack that are being reported in the media:

· The attack seems to have been the work of LockBit, a provider of Ransom-as-a-Service. LockBit’s ransomware is distributed by multiple affiliates, who all share in the ransom.

· This actor is believed to be behind attacks on Boeing and Royal Mail. In less than five years of its existence, it has attacked businesses in multiple countries. It is estimated that between 2020 and mid-2023, 1700+ of LockBit’s US victims have paid over US$90 million in ransom- in cryptoassets.

· Although ICBC was able to isolate and shut down the impacted financial systems, this resulted in some US Treasury market trades being blocked. Traders were unable to place orders or clear trades and so had to re-route orders to ensure that they were executed on time. However, ICBC has since issued a statement to say that it has successfully cleared Treasury trades executed on Wednesday and repurchase agreement financing trades done on Thursday.

· LockBit’s attack vector is believed to be programmed in a way that makes it self-propagating. This autonomous capability makes it somewhat unique.

· Once LockBit gains access to the victim’s network, it encrypts all data in the latter’s systems. Unless a ransom is paid, the company does not get the decryption key, which obviously has serious impact on operations at least till such time that business continuity plans are fully enabled. LockBit is also known to threaten release of confidential data if the ransom is not paid- which is essentially a double whammy for the victim.

· Cyber security expert Kevin Beaumont is of the view that in the ICBC case, the attackers exploited “a Citrix Netscaler box that was unpatched for a bug known as CitrixBleed, which allows the bypass of authentication”.

(source:https://www.theregister.com/2023/11/10/icbc_ransomware/).

Despite Citrix having released a patch for this vulnerability a month ago, many organizations had still not applied the patch.

Cyberthreats are becoming more pervasive and many more attackers are successfully breaching the defences of top tier enterprises around the world. The top six reasons for cyberthreats are social engineering, poor cyber-hygiene amongst employees or business partners, vulnerabilities in mobile device, configuration errors, exposure via third-parties and IoT devices.

Cyberattacks are no longer limited to specific sectors or countries. Victims include the government and public sector, healthcare, banking and financial services, entertainment etc. Cybersecurity is not the responsibility of CISOs and CSOs alone- all members of the ecosystem must work closely with each other to share information around threats and best practices and tighten regulations.