OCCIP issues update on ransomware incident targeting financial institution

The Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) has been working closely with its financial services sector partners—namely the Securities Industry and Financial Markets Association (SIFMA) and the Financial Sector Information Sharing and Analysis Center (FS-ISAC)—as well as regulatory agencies to respond to a ransomware incident last week targeting a financial institution.

OCCIP encourages all members of the financial services sector to review the relevant alerts and take proper mitigation actions to ensure they are prepared to address the challenges posed by these threats.

The ransomware attack appears to stem from three previously flagged threats and/or vulnerabilities:

• Lockbit 3.0 ransomware.
• the “Citrix Bleed” Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966).
• Denial of Service in NetScaler ADC and NetScaler Gateway (CVE-2023-4967).

According to OCCIP, the two Citrix vulnerabilities are still being assessed by incident response teams and will take several days to confirm but are worth noting based on current information available to the Treasury. 

The Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory that similarly highlighted the threat posed by Lockbit 3.0 in March.

Recently, CISA also released products examining the “Citrix Bleed” vulnerability, including guidance alerting the public to active, targeted exploitation of a vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway.

The affected products contain a buffer overflow vulnerability that allows for sensitive information disclosure.