[German]The city of Potsdam, located near Berlin, Germany, has shut down its servers. E-mails no longer reach the staff, ID cards can no longer be applied for, etc. The administration is virtually at a standstill. Addendum: Added information about the Citrix ADC vulnerability.
The site rbb24 writes here that the city of Potsdam has probably become the target of a cyber attack. According to a statement by the administration (German), in the past two days "numerous inconsistencies have been discovered in central network access points in the state capital". A weakness in the system of an external provider was apparently exploited. It is said that an attempt has been made "to retrieve data from the state capital or to install malware without authorization from outside".
Lord Mayor Mike Schubert (Social Democratic Party, SPD) already announced this on Wednesday evening. "We have taken our systems offline for security reasons, because we have to assume an illegal cyber attack," said Schubert. "We are working flat out to ensure that the affected systems of the administration are switched back on as soon as possible and that we can work safely again. Until then, we ask for your patience in all matters concerning the citizen service facilities," Schubert added.
As a result of this attack, the administration is only accessible to a limited extent. Citizen services such as applications for identity documents or registration and re-registration are only available to a limited extent.
In order to analyze the damage and to ensure the security of the data, external IT security companies and IT forensic experts have been commissioned to support the administration's IT specialists in their work. The state capital has filed criminal charges against unknown persons and informed the state offices responsible for IT security and data protection.
By turning off the network connections, the administration is currently unable to send or receive e-mail. All process software can also only be used to a limited extent at present. In particular, applications for identity cards and passports or registrations and changes of registration are currently not possible. The telephones are not affected by this. In this article (German) it was announced that apparently no data was exfiltrated.
Citrix ADC in use …
Addendum: At present, I do not know what the phrase "apparently a vulnerability in the system of an external provider has been exploited" exactly means. I wonder whether the specialists will investigate. But I just found some interesting tweets.
I hadn't informed them; the list was simply too long for that. I had "only" called federal and state authorities. I had passed the list on to @certbund, but they said they inform people anyway.
— hanno (@hanno) January 24, 2020
The tweet from German security journalist Hanno Böck says that he found two domains used by Potsdam municipal systems on a list of vulnerable Citrix ADCs. And Hanno Böck ends with:
In any case: Potsdam still had vulnerable systems on the network several weeks after the vulnerability became known.
— hanno (@hanno) January 24, 2020
They were using vulnerable and unmitigated Citrix NetScalers several weeks after the Shitrix thing became public. I don't know if this was the root cause, but "A weakness in the system of an external provider was apparently exploited" smells in that direction.