UPDATED 17:29 EDT / NOVEMBER 09 2023

SECURITY

Ransomware attack on China’s largest bank disrupts US Treasury markets

The Industrial and Commercial Bank of China Ltd., China’s largest bank, has been struck by a ransomware attack that disrupted U.S. Treasury markets.

The Financial Times first reported the news, which came from the Securities Industry and Financial Markets Association on Wednesday: ICBC had been targeted in a ransomware attack. The attack prevented ICBC from settling Treasury trades on behalf of other market participants, and some equity trades were also affected.

To overcome the inability of ICBC to settle trades, market participants are said to have rerouted trades. Although the attack did have some effect on Treasury market liquidity, it did not impair the market overall.

The form of ransomware has not been disclosed, with an emergency notice issued to traders referring to it only as an “incident.” The notice said that ICBC could not connect to the Depository Trust & Clearing Corporation and the National Securities Clearing Corporation and, as such, was temporarily suspending all inbound FIX connections. FIX, the Financial Information eXchange protocol, is the messaging standard over which market participants send and receive messages such as trade orders, settlement instructions and account statements with counterparties such as the DTCC.

ICBC was starting to restore services as of Thursday afternoon. The bank has yet to comment on the attack.

Although the form of ransomware used in the attack is currently not known, security researcher Kevin Beaumont on Mastodon points to a possible attack path: a Citrix NetScaler box run by ICBC that, at least as of Monday, had not been patched against the Citrix Bleed vulnerability. Notably, that NetScaler box is now offline.

Citrix Bleed, tracked as CVE-2023-4966, was disclosed by Citrix in October and was highlighted in an alert from the U.S. Cybersecurity and Infrastructure Security Agency on Nov. 7. The vulnerability is described as a sensitive information disclosure in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway or as an AAA virtual server.

According to Beaumont, the vulnerability “allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups” and can be exploited as easily as “pointing and clicking your way inside [organizations] — it gives attackers a fully interactive Remote Desktop PC the other end.”

However, other security experts are suggesting that it’s too early to know precisely what has happened. Jim Doggett, chief information security officer at Active Directory security and recovery company Semperis, told SiliconANGLE, “I caution anyone against jumping to rash conclusions as we don’t have many details on whether there were material losses associated with the attack. I speak to companies regularly that don’t believe they are in the crosshairs of ransomware threat actors, but they are. To better prepare for the inevitable attack, organizations should regularly review business risk, including the impact ransomware could have on their business.”
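The practical question the unpatched NetScaler raises for any operator is whether their own appliances are on a fixed build. The following script is an added example for this article, not code from Citrix, ICBC or the researcher quoted: it parses NetScaler build strings of the form branch-major.minor and compares them against the first fixed build per branch for CVE-2023-4966. The fixed-build table is the editor's transcription of Citrix advisory CTX579459 and should be verified against the advisory before being relied on; the hostnames, builds and the `gateway_or_aaa` flag in the inventory are constructed for the example.

```python
"""Patch-status check for NetScaler ADC / Gateway builds against CVE-2023-4966.

Added example for this article; not code from Citrix, ICBC or the researcher
quoted. FIXED_BUILDS is the editor's transcription of Citrix advisory CTX579459
and must be checked against the advisory before use. SAMPLE_INVENTORY is constructed.
"""
import re

# Branch -> first build carrying the fix (editor's transcription of CTX579459).
# The non-FIPS 12.1 branch is end of life and has no fixed build.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
}
# FIPS / NDcPP builds track their own release numbers and fixed builds.
FIXED_BUILDS_FIPS = {
    "13.1": (37, 164),
    "12.1": (55, 300),
}

# Build strings look like "13.1-48.47": <branch>-<major>.<minor>
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build: str):
    """Split '13.1-48.47' into ('13.1', (48, 47)); raise ValueError on anything else."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_patched(build: str, fips: bool = False) -> bool:
    """True if the build is at or past the fixed build for its branch.

    Unknown or end-of-life branches are reported as unpatched: there is no
    fixed build to upgrade to, so the only remediation is migrating off them.
    """
    branch, rel = parse_build(build)
    table = FIXED_BUILDS_FIPS if fips else FIXED_BUILDS
    fixed = table.get(branch)
    # Tuple comparison orders by major build first, then minor.
    return fixed is not None and rel >= fixed


def triage(inventory):
    """Classify each appliance as patched, unpatched or exposed.

    'exposed' means unpatched AND configured as a Gateway or AAA virtual
    server, the role in which the advisory describes the flaw as reachable.
    Unpatched appliances without that role still need the upgrade.
    """
    out = []
    for host in inventory:
        patched = is_patched(host["build"], host.get("fips", False))
        if patched:
            status = "patched"
        elif host.get("gateway_or_aaa", False):
            status = "exposed"
        else:
            status = "unpatched"
        out.append((host["name"], host["build"], status))
    return out


# Constructed inventory for the example; hostnames and roles are made up.
SAMPLE_INVENTORY = [
    {"name": "ns-gw-01", "build": "13.1-48.47", "gateway_or_aaa": True},
    {"name": "ns-gw-02", "build": "13.1-49.15", "gateway_or_aaa": True},
    {"name": "ns-lb-03", "build": "13.0-91.13", "gateway_or_aaa": False},
    {"name": "ns-fips-04", "build": "13.1-37.164", "fips": True, "gateway_or_aaa": True},
    {"name": "ns-old-05", "build": "12.1-65.39", "gateway_or_aaa": True},
]

if __name__ == "__main__":
    for name, build, status in triage(SAMPLE_INVENTORY):
        print(f"{name:12} {build:12} {status}")
```

A build check only answers whether the bug is closed going forward. Because the flaw leaks session material, an appliance that was exposed before the upgrade may still be carrying sessions an attacker captured; Citrix's advisory also recommends terminating active and persistent sessions after upgrading, and a box found unpatched on a Monday, as described above, warrants that step and a review of its access logs rather than the patch alone.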

Photo: Zhou Guanhaui/Wikimedia Commons
