China's top bank ICBC hit by ransomware, derailing global trades

CitrixBleed patch has been available for around a month

China's largest bank, ICBC, was hit by ransomware that resulted in disruption of financial services (FS) systems on Thursday Beijing time, according to a notice on its website.

"Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident," said the bank’s financial services division, which added that it was both investigating and progressing recovery efforts.

ICBC detailed that its FS business and email systems operate independently from the bank itself, and that domestic and overseas affiliates were not affected.

The incident has disrupted US Treasury markets, according to the Financial Times, which first reported the story. The US Securities Industry and Financial Markets Association (SIFMA) reportedly told its members that the incident could prevent the settling of trades on behalf of other market players.

Malware research group vx-underground revealed it was aware of equity traders that were unable to place or clear trades through ICBC.

Some had received an emergency notice stating that ICBC was unable to connect to the Depository Trust and Clearing – an issue that was impacting all of ICBC's clearing customers – and that, due to the attack, orders were not being accepted.

"We successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09)," stated ICBC FS in the notice on its website Friday.

According to Reuters, LSEG data showed the Treasury market functioning normally.

As spotted by Recorded Future, cyber security expert Kevin Beaumont deduced that ransomware gangs had exploited a Citrix Netscaler box that was unpatched for a bug known as CitrixBleed, which allows the bypass of authentication.

Beaumont noted that over 5,000 orgs were yet to patch CitrixBleed, which is tracked as CVE-2023-4966.

Citrix initially issued a patch for the vulnerability on October 10. Two weeks later, the collaboration giant urged admins to apply a fix immediately after it had received "reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability."

The Register understands the hack is suspected to come from ransomware gang LockBit.

The prolific threat actor is believed to have raked in more than $90 million in over 1,700 attacks between 2020 and mid-2023. The gang has a large number of affiliates which pay fees, including subscriptions, in exchange for a cut of the ransom payments.

Last month LockBit took out Boeing's parts and distribution website, which is still "down due to technical issues."

In the past it has also been known to hit hospitals and government orgs.

"Ransomware is disrupting everything from hospitals to financial markets. The problem is as bad as it's ever been, and governments' current counter-ransomware strategies are very clearly not working," Emsisoft threat analyst Brett Callow told The Register.

"In my opinion, the time has come for serious consideration to be given to a prohibition on the payment of demands, or at least severely restricting the circumstances in which they can be paid. That may be the only way we can bring an end to this constant barrage of financially motivated attacks," he added. ®
