
Executive Summary
The recent cyberattack on the Industrial and Commercial Bank of China (ICBC) by the LockBit Ransomware Group has sent shockwaves through the financial sector, particularly affecting the U.S. Treasury market. This attack highlights the vulnerabilities within critical financial infrastructures and underscores the urgent need for enhanced cybersecurity measures. The incident not only disrupted ICBC's operations but also had significant financial repercussions, emphasizing the evolving threat landscape posed by ransomware groups.
Technical Information
The ICBC cyberattack is a stark reminder of the sophisticated tactics employed by ransomware groups like LockBit. This group is notorious for its high-profile attacks, leveraging a network of affiliates to infiltrate systems through compromised credentials, phishing, and exploiting vulnerabilities in VPNs. The attack on ICBC involved the exploitation of specific vulnerabilities in the Citrix NetScaler product suite, namely CVE-2023-4966 and CVE-2023-4967. These vulnerabilities allowed the attackers to gain unauthorized access, leading to information disclosure and denial-of-service conditions. The attack forced ICBC to inject capital into its U.S. division to settle trades and repay debts, highlighting the severe impact on financial operations.
LockBit's modus operandi involves executing command-line actions and using hacking scripts to disable security products. The group is adept at abusing Windows' built-in tools to hinder data recovery, making it challenging for organizations to detect and mitigate their activities. The attack on ICBC is part of a broader trend of ransomware incidents, with LockBit accounting for a significant percentage of cases in the U.S. and Canada. The financial sector, particularly in the U.S., remains a prime target for such attacks, given the potential for substantial financial gain and disruption.
Exploitation in the Wild
The exploitation of vulnerabilities by LockBit in the ICBC attack involved specific tactics that have been observed in other incidents. The group utilized compromised credentials to gain initial access, followed by the deployment of ransomware through phishing campaigns and VPN vulnerabilities. Indicators of Compromise (IOCs) include unusual network traffic patterns, unauthorized access attempts, and the presence of LockBit-specific ransomware signatures. The attack on ICBC serves as a case study for understanding the methods employed by ransomware groups and the need for robust detection and response mechanisms.
APT Groups using this vulnerability
The LockBit Ransomware Group is the primary actor exploiting the vulnerabilities in the Citrix NetScaler product suite. This group has a history of targeting critical infrastructure sectors, including finance, healthcare, and government, across various countries. Their activities have been observed in the U.S., Canada, and parts of Europe, with a focus on sectors that can yield high financial returns or cause significant disruption.
Affected Product Versions
The vulnerabilities exploited in the ICBC attack are specific to the Citrix NetScaler product suite. The affected versions are those still vulnerable to CVE-2023-4966 and CVE-2023-4967; consult the vendor advisory for the exact fixed builds. Organizations using these products are advised to review their systems for potential exposure and apply the necessary patches and updates to mitigate the risk of exploitation.
Workaround and Mitigation
To mitigate the risk of ransomware attacks, organizations should implement a multi-layered security approach. This includes network segmentation, regular security awareness training for employees, and maintaining clean, offline-verified backups. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommends following least-privilege best practices, enabling PowerShell logging, and adopting zero-trust architectures. Regular patching and updating of systems, particularly those with known vulnerabilities like Citrix NetScaler, are crucial in preventing exploitation. For CVE-2023-4966 in particular, patching alone is not sufficient: active sessions should be terminated after the update, since session tokens captured before patching remain valid until they are invalidated.
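The PowerShell logging recommendation above can be applied directly through the policy registry keys that Group Policy would otherwise set. The script below is an added example and is not part of the Rescana report or CISA's advisory; it assumes an elevated session on a Windows host, and the transcript directory is an assumed path.

```powershell
# Added example (not from the Rescana report): enable script block logging,
# module logging and transcription, then verify the settings read back as 1.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: full command/script content is written to
# Event ID 4104 in Microsoft-Windows-PowerShell/Operational, including the
# de-obfuscated form of any script block that is executed.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# Module logging: pipeline execution details (Event ID 4103) for all modules.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Transcription: a text transcript of every session. $transcriptDir is an
# assumed path; in practice point it at a write-only share collected by the SIEM.
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Type DWord -Value 1
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptDir

# Verification: returns $true only when all three settings are enabled.
function Test-PSLoggingEnabled {
    $checks = [ordered]@{
        ScriptBlock   = (Get-ItemProperty "$base\ScriptBlockLogging").EnableScriptBlockLogging
        Module        = (Get-ItemProperty "$base\ModuleLogging").EnableModuleLogging
        Transcription = (Get-ItemProperty "$base\Transcription").EnableTranscripting
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-14} {1}' -f $c.Key, $(if ($c.Value -eq 1) { 'enabled' } else { 'NOT enabled' })
    }
    return (($checks.Values | Where-Object { $_ -ne 1 }).Count -eq 0)
}
Test-PSLoggingEnabled

# Confirm that 4104 events are now being produced (run any script block first).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, Id
```

Forward the Microsoft-Windows-PowerShell/Operational log and the transcript directory to central logging; the value of this control is lost if the records only exist on the host that an attacker already controls.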
References
For further reading and detailed analysis, please refer to the following resources:
- ThriveDX article on the ICBC cyberattack: Analyzing the ICBC Cyberattack - New Chapters in Ransomware (https://thrivedx.com/resources/article/analyzing-the-icbc-cyberattack-new-chapters-in-ransomware)
- U.S. Cybersecurity & Infrastructure Security Agency advisory on LockBit
- Google Cloud's Cybersecurity Forecast for 2024
- EclecticIQ Blog: LockBit Cyberattack On ICBC (https://blog.eclecticiq.com/chatgpt-vulnerability-lockbit-cyberattack-on-icbc-us-water-authority-hacked)
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and proactive defense strategies. We are here to assist you in understanding and mitigating the risks associated with cyber threats. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.