ICBC Financial Services confirmed it suffered a ransomware attack. The Russian LockBit scrotes have been fingered as perps (or possibly a RaaS customer of theirs).
Citrix Bleed (CVE-2023-4966) might have been the vector. In today’s SB Blogwatch, we check everything’s patched.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: MCU continuity.
What’s the craic? Costas Mourselas, Kate Duguid, Joshua Franklin, Hannah Murphy and Stephen Gandel report—“Ransomware attack on ICBC disrupts trades in US Treasury market”:
“LockBit”
A ransomware attack on the financial services arm of China’s largest bank has disrupted the US Treasury market by forcing clients of … ICBC Financial Services … to reroute trades. … The attack had some effect on Treasury market liquidity, according to trading sources, but it was not impairing the market’s overall functioning.
…
Yields on Treasury bonds rose sharply on Thursday afternoon, after a particularly poor auction for 30-year bonds. The 30-year yield rose by 0.12 percentage points to 4.78 per cent. … Shares in ICBC fell 0.5%.
…
The attack was carried out using LockBit 3.0 software, according to two sources. The software was developed by LockBit, which has become one of the most high-profile criminal cyber groups. … Believed to operate out of Russia and eastern Europe, [it] also rents out its software to affiliates, a model known as RaaS, or ransomware as a service.
That does not sound good. Katherine Doherty, Liz Capo McCormick and Alex Harris add color—“World’s Biggest Bank Forced to Trade Via USB Stick”:
“Keeps them up at night”
A cyberattack … forced ICBC to send the required settlement details … by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage. … The workaround — described by market participants — followed the attack by suspected perpetrator Lockbit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing … and the UK’s Royal Mail.
…
The incident spotlights a danger that bank leaders concede keeps them up at night — the prospect of a cyber attack that could someday cripple a key piece of the financial system’s wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.
Russia attacking China? misja111 did not see that coming:
So it’s Russians hacking Chinese now? That’s an unexpected development.
It’s nothing if not entertaining. hdyoung breaks out the popcorn:
Russian cyberattack on China? Gotta love it. Putin is making sure he bites every hand that gets close to him.
However, Doctor Syntax assumes it’s not a sanctioned operation: [You’re fired—Ed.]
Given that Russia needs China to help bypass sanctions, I wonder if the price they have to pay might go up? Such as the Lockbit crew finding themselves conscripted into the sharp end of the Russian army.
Are you ready? Freddie Jones has questions—many of them:
So many questions:
• Are the Chinese faking this to remind the US how important they are to the Treasury market?
• Did this cause the weak 30 year treasury auction which caused a spike in yields?
• And would Russian gangsters really hack the Chinese?
How did they get in? Kevin Beaumont—@[email protected]—adds 2+2:
Industrial and Commercial Bank of China has a Citrix Netscaler box which on Monday was unpatched for #CitrixBleed still. That Citrix box is now offline.
…
Over 5000 orgs still haven’t patched #CitrixBleed. It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside.
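Beaumont’s “still unpatched” finding is something you can check against your own inventory. The script below is an added example written for this post (it is not Beaumont’s tooling and not code from the original article): it parses NetScaler build strings in the form Citrix’s bulletin uses (`13.1-49.13`) and compares them numerically against the first fixed build on each release line. The fixed builds are taken from Citrix’s bulletin for CVE-2023-4966 (CTX579459); confirm them against the current bulletin before relying on them. The inventory, hostnames and the `flavour` field (standard, FIPS, NDcPP) are constructed sample data, and an assumption of how you would tag your own boxes.

```python
"""Flag NetScaler ADC / Gateway builds still vulnerable to Citrix Bleed (CVE-2023-4966).

Added example, not from the original post. Fixed builds below are taken from
Citrix bulletin CTX579459 at the time of writing (assumption: verify against the
live bulletin). Inventory data is constructed for illustration.
"""
import re

# First fixed build per (release line, flavour), as (build, sub-build) tuples so
# that comparison is numeric: 8.4 is older than 8.50, even though "8.4" > "8.50"
# as strings would be wrong the other way round for e.g. "8.9".
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Release lines the bulletin lists as end-of-life with no fix: still vulnerable,
# but the only remediation is an upgrade to a supported line.
EOL_LINES = {("12.1", "standard")}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '13.1-49.13' into ('13.1', (49, 13)); raise ValueError on junk."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version, flavour="standard"):
    """Return 'fixed', 'vulnerable', 'end-of-life' or 'unknown' for one build."""
    line, build = parse_version(version)
    if (line, flavour) in EOL_LINES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((line, flavour))
    if fixed is None:
        return "unknown"  # not in the table: do not silently assume it is safe
    return "fixed" if build >= fixed else "vulnerable"


def needs_action(inventory):
    """Return (host, status) for every host whose status is not 'fixed'."""
    results = []
    for host, flavour, version in inventory:
        status = assess(version, flavour)
        if status != "fixed":
            results.append((host, status))
    return results


# Constructed sample inventory: (hostname, flavour, build). Hostnames are made up.
SAMPLE_INVENTORY = [
    ("gw-1.example.test", "standard", "13.1-49.13"),  # one build short of the fix
    ("gw-2.example.test", "standard", "13.1-49.15"),  # first fixed 13.1 build
    ("gw-3.example.test", "standard", "14.1-8.4"),    # 8.4 < 8.50 numerically
    ("gw-4.example.test", "fips", "13.1-37.164"),     # fixed FIPS build
    ("gw-5.example.test", "ndcpp", "12.1-55.296"),    # NDcPP, still short of 55.300
    ("gw-6.example.test", "standard", "12.1-65.35"),  # EOL line, no fix available
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Two caveats worth keeping in mind when you run something like this. First, the build string has to come from the appliance itself (`show ns version`), not from an asset database that may be stale. Second, upgrading is necessary but not sufficient: the bug leaks session tokens, and tokens stolen before the patch remain valid afterwards, which is why Citrix’s follow-up guidance also tells you to terminate active and persistent sessions (for example `kill aaa session -all` and `kill icaconnection -all`) once the fixed build is in place.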
USB sneakernet, though? JBMcB wishes you to exit the grassed area:
Fun fact: When banks first started automating transactions via giant rooms full of IBM 360 mainframes, they would resolve the day’s bank-to-bank transactions by shipping pallets of 9-track tapes to a federal reserve clearinghouse. The clearinghouse’s mainframes would then resolve all the day’s transactions, write them back to the bank’s tapes, then ship them back to the banks to be loaded back into their own mainframes. This would happen every night.
…
It still works more or less the same way: Transactions are queued up and shipped off to be resolved by the federal reserve. It’s all done over private networks nowadays, but the batch principle is still there. So, reverting back to filling up a USB drive with transactions and resolving them “by hand” … slows things down quite a bit, but that delay doesn’t break anything in the overall system, as it was designed with it in mind.
Meanwhile, SpeakingUp speaks up:
A ransomware attack on a Chinese bank? Isn’t that a bit like running over the Mafia Don’s son?
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: sheng pan (via Pixabay; leveled and cropped)