ICBC: World’s biggest bank hacked due to suspected Citrix Bleed vulnerability (CVE-2023-4966)


It all started when ICBC Financial Services (ICBC FS), the United States arm of the Industrial & Commercial Bank of China (ICBC), became the target of a ransomware attack. The attack caused massive disruption to its trading and settlement systems, even though the firm assured its counterparties that it had already taken containment measures for the incident.

The attack sent tremors through financial institutions in the United States, hitting the settlement of the US Treasury trades that the bank clears on behalf of its clients.

What makes this a shocker to many cybersecurity experts is that Chinese firms are rare targets of ransomware attacks.

One explanation is that China has banned the use of cryptocurrency, and most ransomware operators demand payment in cryptocurrency because the anonymity it provides makes them difficult for authorities to trace. The bank has assured all associated parties that the US Treasury trades executed on the 8th and 9th of November will be settled.

With its systems offline, the details of the respective trades were physically dispatched to the counterparties on a USB stick. Many cybersecurity experts suggest that the intrusion began with the exploitation of an internet-facing Citrix NetScaler ADC / NetScaler Gateway appliance that had not been patched against Citrix Bleed (CVE-2023-4966).

CVE-2023-4966 is an out-of-bounds memory read that leaks session tokens from the appliance. An attacker who obtains a valid token simply replays an already authenticated session, so strong passwords and multi-factor authentication (MFA) are never challenged. This is what makes the flaw so dangerous: the attacker does not defeat MFA, they step around it.

According to CISA, the vulnerability had been under active exploitation in targeted campaigns in the weeks before the ICBC incident, and ransomware affiliates have used it as the entry point for complex ransomware attacks.

The Cl0p ransomware group, whose campaigns have caused losses for hundreds of businesses across the globe, has also been linked to the exploitation of another vulnerability, CVE-2023-47246, in the on-premises IT service management software SysAid. SysAid disclosed the vulnerability on the same day as the ICBC attack.

SysAid's IT service management software lets administrators monitor and manage servers and computers remotely. SysAid has asked its customers to install the latest version of the software, which contains the fix for this actively exploited vulnerability.

Experts warn that exploitation of the SysAid vulnerability could escalate into wider attacks, including supply chain attacks, because the software sits in a privileged position on the IT estate.
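Two things a defender can hunt for after the above are the exploit request itself and the tell-tale sign of a hijacked session (one session id suddenly used from a second client IP or user agent without a new login). The following is an added example, not code from the original post or from Citrix; the log lines are constructed and simplified, and the regular expressions assume that simplified layout, so adapt them to your own NetScaler ns.log or proxy export.

```python
"""Hunt for Citrix Bleed (CVE-2023-4966) exploitation and session hijack in logs.

Added example, not from the original post. All log lines below are constructed
and simplified (real NetScaler AAA records carry more fields); the regexes
assume this constructed layout and must be adapted to a real export.
"""
import re
from collections import defaultdict

# The public exploit requests this endpoint with an oversized Host header, which
# makes the appliance over-read memory and return session tokens in the response.
OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"
HOST_LEN_THRESHOLD = 1024  # a legitimate Host header is far shorter than this

# Constructed reverse-proxy / WAF style request records (client, method, path, Host header length).
REQUEST_LOG = [
    "203.0.113.10 GET /vpn/index.html host_len=24",
    "203.0.113.77 GET /oauth/idp/.well-known/openid-configuration host_len=24812",
    "198.51.100.5 GET /oauth/idp/.well-known/openid-configuration host_len=22",
]

# Constructed AAA-style session records. A session id should stay bound to the
# client that logged in; a second IP or user agent on the same id is suspicious.
AAA_LOG = [
    'SSLVPN LOGIN : Context alice@10.0.5.21 - SessionId: 1001 - User alice - Client_ip 10.0.5.21 - Browser_type "Mozilla/5.0 (Windows NT 10.0)"',
    'SSLVPN HTTPREQUEST : Context alice@10.0.5.21 - SessionId: 1001 - User alice - Client_ip 10.0.5.21 - Browser_type "Mozilla/5.0 (Windows NT 10.0)"',
    'SSLVPN HTTPREQUEST : Context alice@203.0.113.77 - SessionId: 1001 - User alice - Client_ip 203.0.113.77 - Browser_type "python-requests/2.31"',
    'SSLVPN LOGIN : Context bob@10.0.5.40 - SessionId: 1002 - User bob - Client_ip 10.0.5.40 - Browser_type "Mozilla/5.0 (X11; Linux)"',
]

REQ_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) host_len=(?P<hlen>\d+)$")
AAA_RE = re.compile(
    r'SessionId: (?P<sid>\d+) - User (?P<user>\S+) - Client_ip (?P<ip>\S+) - Browser_type "(?P<ua>[^"]*)"'
)


def find_exploit_requests(lines, threshold=HOST_LEN_THRESHOLD):
    """Return (client_ip, host_header_length) for requests matching the exploit pattern."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        if m["path"].startswith(OPENID_PATH) and int(m["hlen"]) >= threshold:
            hits.append((m["ip"], int(m["hlen"])))
    return hits


def find_hijacked_sessions(lines):
    """Return sessions seen from more than one client IP or more than one user agent.

    A roaming user can legitimately change IP, so the user-agent change is the
    stronger signal; review both before declaring a hijack.
    """
    sessions = defaultdict(lambda: {"user": None, "ips": set(), "uas": set()})
    for line in lines:
        m = AAA_RE.search(line)
        if not m:
            continue
        s = sessions[m["sid"]]
        s["user"] = m["user"]
        s["ips"].add(m["ip"])
        s["uas"].add(m["ua"])
    return {sid: s for sid, s in sessions.items() if len(s["ips"]) > 1 or len(s["uas"]) > 1}


if __name__ == "__main__":
    for ip, hlen in find_exploit_requests(REQUEST_LOG):
        print(f"possible CVE-2023-4966 probe from {ip}: Host header {hlen} bytes")
    for sid, s in find_hijacked_sessions(AAA_LOG).items():
        print(f"session {sid} ({s['user']}) used from {sorted(s['ips'])} with agents {sorted(s['uas'])}")
```

Any session flagged this way should be killed on the appliance (see the Technical recommendation section) and the account's credentials and MFA enrolment reviewed, since the attacker has had an authenticated foothold for as long as the session lived.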

SharkStriker’s recommendations

We suggest the following proactive measures to secure your business from ransomware attacks: 

  • Encrypt and back up your data, keeping at least one copy offline or immutable 
  • Use layered security, such as login location checks and MFA 
  • Create and enforce strong password policies and use password managers wherever possible 
  • Use endpoint security 
  • Prioritize cybersecurity across the organization 

Here are some first steps that we recommend in case of ransomware attacks: 

1. Isolate Infected Systems:

The first step is to immediately disconnect the infected systems from the network to prevent the ransomware from spreading to other connected devices. 

2. Identify the Ransomware: 

To find out whether a decryptor exists, you first have to identify the ransomware family. You can usually do this from the extension appended to the encrypted files and from the ransom note left in the affected folders. 

3. Alert Authorities:

Immediately report the incident to your local law enforcement agencies. It could be the cybercrime unit of your locality or the police. Communicate organization-wide about the ransomware incident.  

4. Assess the Damage: 

Identify the affected systems and data and the extent of the damage, as this will help you plan the recovery more precisely. 

5. Decide on a Recovery Strategy:

Once the affected systems and data have been evaluated, decide whether to restore systems from clean backups or rebuild them from scratch. 

6. Restore from Backup:

Engage in restoration if you already possess an updated backup that is neither compromised nor encrypted by the attack.  

7. Patch and Update:

After recovery, check all your software and systems for updates and apply the latest security patches before reconnecting them. 

8. Implement Security Measures:

Implement proactive measures against future attacks. It means implementing the best practices for cybersecurity and raising awareness across different levels of the organization.   

9. Forensic Analysis:

Engage experts to conduct a forensic analysis of the complete incident, identifying the initial entry point and every weakness the attacker used, so that they can be closed before the next incident. 

10. Review and Update Security Policies:

Upgrade all your organizational security policies and procedures to mitigate the possibilities of future attacks.
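Steps 2 and 4 above (identify the ransomware, assess the damage) are usually done by hand on a few files; the following added example, which is not code from the original post, automates that first look over a whole tree. It builds a constructed sample directory in a temp folder so it runs offline; the `.xmpl` extension and the file names are made up for the example. Point `triage_tree()` at a real share mounted read-only from a clean host.

```python
"""Triage helper for ransomware steps 2 and 4: which extension did the malware
append, how many files look encrypted, and where are the ransom notes?

Added example, not from the original post. The sample tree, the ".xmpl"
extension and the file names are constructed for this demonstration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransomware typically appends its own extension after the original one and
# drops a note with a recognisable name in every folder it touches.
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover", "how_to", "how-to")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(m in name for m in NOTE_MARKERS)


def triage_tree(root, sample_bytes=4096, entropy_threshold=7.5):
    """Walk the tree and summarise likely encrypted files, the appended extension and ransom notes.

    Only high-entropy files with a double extension (report.docx.<ext>) vote for
    the appended extension, which keeps legitimately compressed formats such as
    .zip or .jpg from being counted as encrypted.
    """
    root = Path(root)
    ext_votes = Counter()
    high_entropy, notes = [], []
    total = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if looks_like_note(path):
            notes.append(str(path))
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= entropy_threshold:
            high_entropy.append(str(path))
            if len(path.suffixes) >= 2:
                ext_votes[path.suffix.lower()] += 1
    likely_ext = ext_votes.most_common(1)[0][0] if ext_votes else None
    return {
        "total_files": total,
        "encrypted_files": len(high_entropy),
        "likely_extension": likely_ext,
        "ransom_notes": notes,
    }


def build_sample_tree() -> Path:
    """Constructed sample: two 'encrypted' office files, one ransom note, one untouched PDF."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q3.xlsx.xmpl").write_bytes(os.urandom(8192))   # random bytes stand in for ciphertext
    (root / "finance" / "notes.docx.xmpl").write_bytes(os.urandom(8192))
    (root / "finance" / "README_TO_RESTORE.txt").write_text("Your files are encrypted...\n")
    (root / "hr" / "policy.pdf").write_bytes(b"%PDF-1.4 " + b"plain text " * 400)  # low entropy, untouched
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{result['encrypted_files']} of {result['total_files']} files look encrypted")
    print(f"appended extension: {result['likely_extension']}")
    print("ransom notes:", *result["ransom_notes"], sep="\n  ")
```

The appended extension and a copy of the note are what you feed into family identification and into the search for a public decryptor; the encrypted-file count per share is the damage estimate that drives the restore-versus-rebuild decision in step 5.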

Technical recommendation  

If your organization uses SysAid, install the latest release with the security fix for CVE-2023-47246. 

If your organization runs NetScaler ADC or NetScaler Gateway, upgrade to a build that fixes CVE-2023-4966. Patching alone is not enough: session tokens stolen before the upgrade remain valid until the sessions end, so Citrix recommends terminating all active and persistent sessions after upgrading, using the following commands on the appliance (entered exactly as shown): 

kill icaconnection -all 
kill rdp connection -all 
kill pcoipConnection -all 
kill aaa session -all 
clear lb persistentSessions 

The SDX hardware platform itself is not affected, but NetScaler ADC and NetScaler Gateway VPX instances running on SDX hardware are, and must be upgraded like any other instance. 
