The City of Potsdam severed the administration servers’ Internet connection following a cyberattack that took place earlier this week. Emergency services, including the city’s fire department, are fully operational, and payments are not affected.
Potsdam is the largest city and the capital of the German federal state of Brandenburg, bordering the German capital, Berlin.
The systems of the Brandenburg capital are still offline: unauthorized access to the Potsdam administration’s servers was noticed on Tuesday, and their Internet connection was shut down on Wednesday evening to prevent data exfiltration.
“We put our systems offline for security reasons, because we have to assume an illegal cyberattack,” Mayor Mike Schubert said two days ago. “We are working flat out to ensure that the affected administration systems are switched on again as soon as possible and that we can work safely again.”
“The background to this is a weak point in the system of an external provider, which attempts to retrieve data from the state capital from outside without authorization or to install malware,” an official statement says.
“In order to analyze the damage and to ensure the security of the data, external IT security companies and IT forensic experts are commissioned to support the IT specialists in the administration with their work.”
An update posted today further explains that Potsdam’s administration cannot receive emails from outside, and any incoming emails won’t be forwarded either.
Because of this, all citizens who need to reach out are asked to submit their applications in writing by post or call the Potsdam administration staff on the phone.
“All online-based applications of the city administration are currently not usable. These include the service facilities relevant to citizens, including the motor vehicle authority, the registry office of the registry office and the Maerker and Maerker Plus portal,” today’s update adds.
“The services in the Citizens Service Center are currently only available to a limited extent; in the citizen service you can still not pay with a card.”
“The state capital has filed criminal charges against unknown persons and informed the federal and state agencies responsible for IT security and data protection.” – Potsdam administration
Vulnerable Citrix servers could be behind the attack
While the City of Potsdam’s updates on the cyberattack do not go into detail on the method the attackers used to infiltrate the network, German journalist Hanno Böck found Citrix ADC servers on the administration’s network that were vulnerable to attacks exploiting the CVE-2019-19781 vulnerability.
Böck says that the servers he found weren’t protected using mitigation measures provided by Citrix over a month ago.
Two days ago, Citrix released a free scanner that detects hacked Citrix ADC appliances by looking for indicators of compromise (IoCs) related to CVE-2019-19781 exploitation.
The Cybersecurity and Infrastructure Security Agency (CISA) also released a tool designed to test if Citrix servers are vulnerable on January 13, while the Dutch National Cybersecurity Centre (NCSC) advised companies to completely shut down vulnerable Citrix instances until reliable fixes are available.
Last but not least, Citrix started releasing permanent fixes for the actively exploited CVE-2019-19781 vulnerability, for all vulnerable versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances.
The company is expected to patch the last supported firmware version later today with the release of a permanent fix for version 10.5.
Scans for vulnerable Citrix servers started on January 8, while proof-of-concept (PoC) exploits were publicly released two days later.
Unpatched Citrix servers used to infect targets with ransomware
To make matters worse, if the City of Potsdam was actually infiltrated via an unsecured Citrix server, unpatched Citrix servers are currently being used as initial points of access into ransomware victims’ networks, according to Under the Breach and FireEye security researcher Andrew Thompson.
“Very tactical preliminary update. It appears an actor is using CVE-2019-19781 for initial access, and other vulnerabilities to pivot into a Windows environment in order to deploy ransomware,” Thompson said. “If you haven’t already begun mitigating, you really need to consider the ramifications.”
“I examined the files #REvil posted from http://Gedia.com after they refused to pay the #ransomware,” Under the Breach said referring to the recent Sodinokibi ransomware attack affecting German GEDIA Automotive Group we reported yesterday.
“The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit. My bet is that all recent targets were accessed via this exploit.”
Even though there is no official statement saying that the cyberattack that forced the City of Potsdam to remove the administration’s servers from the Internet was a ransomware attack, all signs currently point in that direction.
BleepingComputer has reached out to the City of Potsdam for more details but had not heard back at the time of publication (nor do we expect an answer until the city’s email systems are back up).
H/T Günter Born