Ransomware: Are Potsdam and Gedia Shitrix victims?

[German] Well, I have not found a 'smoking gun', but there is much to suggest that the cyber attacks on the city of Potsdam (Germany) and on the German automotive supplier Gedia were made possible by the Shitrix vulnerability in the Citrix ADC (NetScaler).


What is the Shitrix vulnerability?

On December 17, 2019, Citrix disclosed the vulnerability CVE-2019-19781 in the Citrix ADC (Application Delivery Controller, formerly NetScaler), for which no patch was available at the time. I had reported this on December 24th in the article Vulnerability in Citrix Apps put companies at risk. Citrix only published a workaround, which administrators had to apply themselves to shield their Citrix appliances against exploitation of the vulnerability.

Missing mitigation worldwide

By the time Proof of Concept (PoC) exploits for the vulnerability were available in the 2nd week of January 2020 (and honeypots had already been attacked), it was already too late for some operators. I did warn about the vulnerability again (see PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781). But I had seen a comment at the German news site heise, where someone wrote that 7 of his customers had already had their NetScalers broken into. Nevertheless, more than 25,000 NetScalers were still being operated in a vulnerable state, reachable from the Internet.

Firmware updates have been available for a few days now; I have reported on them here in the blog (see the articles at the end of this post). My last post Citrix vulnerability: New updates and scanners for testing also deals with a scanner that can detect compromised Citrix ADC appliances.
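As an added example (my own code, not Citrix's workaround script and not the scanner from the linked post), here is the match condition of Citrix's published workaround written out in Python. That workaround is a responder policy that answers 403 when the decoded request URL contains "/vpns/" and the client is either not an authenticated SSL VPN session or the URL also contains "/../". The same condition is then run over a few constructed access-log lines in a generic format (not the appliance's exact httpaccess.log layout) to flag requests that an unmitigated appliance would have served; the addresses, timestamps and paths in those lines are assumptions made for the example.

```python
"""Model of the CVE-2019-19781 workaround match condition, applied to
single request URLs and to access-log lines.

Added example for this post, not Citrix code and not the scanner the post
refers to. The log lines are constructed for the example in a generic
access-log format, not the real httpaccess.log layout of the appliance.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (assumed format: source, timestamp, request, status, bytes).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512
203.0.113.7 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.4 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
203.0.113.7 - - [11/Jan/2020:03:15:30 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 512
192.0.2.9 - - [11/Jan/2020:03:16:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 7000
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_url(url: str) -> str:
    """Approximation of the policy's DECODE_USING_TEXT_MODE: percent-decode
    the URL once so that an encoded traversal (%2e%2e) is seen as '..'."""
    return unquote(url)


def workaround_blocks(url: str, is_sslvpn_session: bool = False) -> bool:
    """True if the published responder policy would answer 403.

    Condition: URL contains "/vpns/" AND (NOT authenticated SSL VPN session
    OR URL contains "/../"). Unauthenticated access to /vpns/ is always
    blocked; an authenticated session is blocked only on traversal.
    """
    u = decode_url(url)
    return "/vpns/" in u and ((not is_sslvpn_session) or "/../" in u)


def parse_line(line: str):
    """Split one constructed access-log line into its fields, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, ts, method, url, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "url": url, "status": int(status)}


def scan_log(text: str):
    """Return the requests the workaround would have blocked, i.e. the ones
    to treat as exploitation attempts in a pre-mitigation log. A 200 on such
    a request means the appliance actually served it (served=True)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and workaround_blocks(rec["url"]):
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["src"]} {h["method"]} {h["url"]} -> status {h["status"]} served={h["served"]}')
```

Two caveats a practitioner should keep in mind: the policy only stops new requests, so an appliance that was already broken into before the workaround was applied stays compromised and has to be checked for dropped files and rebuilt; and Citrix later stated that the workaround is not effective on certain 12.1 builds (see the post Further actions required for Citrix Netscaler vulnerability), which is why the firmware updates should be installed rather than relying on the responder policy alone.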

Potsdam and Gedia are Victims of a Cyber Attack

Unless my information is wrong, there is now much to suggest that the city administration of Potsdam was hit via the Shitrix vulnerability. The city of Potsdam stated that 'apparently a vulnerability in an external provider's system was exploited'. I have information that Potsdam was on a list of hosts vulnerable to attack via the Citrix NetScaler. A security journalist describes it this way: "Potsdam still had vulnerable systems on the net several weeks after the vulnerability was discovered." I have added this information to the blog post City of Potsdam (Germany) offline – IT Servers shutdown.


The ransomware infection at the automotive supplier Gedia, reported a few hours ago (see German Automotive Supplier Gedia Ransomware Victim), was probably also caused by the Citrix vulnerability. I have seen a statement from a security researcher who looked at the documents published by the Sodinokibi group. The attack was carried out by this group using the Sodinokibi (REvil) ransomware, and the cyber criminals are threatening to publish the 50 GBytes of captured Gedia data because Gedia has not paid. The security researcher writes:

I examined the files #REvil posted from http://Gedia.com after they refused to pay the #ransomware.

The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit

My bet is that all recent targets were accessed via this exploit.

The image he posted shows configuration data for virtual machines (VMs) at gedia.com. Besides a Windows Server 2003 Standard host, Windows 7, Windows 8 and Windows 10 clients, and Oracle Solaris systems, a Citrix NetScaler is listed. This is still not a 'smoking gun': the presence of a NetScaler only shows that the attack surface existed, and the Citrix ADC appliances could have been hardened against the Shitrix vulnerability using the Citrix workaround.

Similar articles:
Vulnerability in Citrix Apps put companies at risk
PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
Further actions required for Citrix Netscaler vulnerability
Citrix vulnerability: New updates and scanners for testing
German Automotive Supplier Gedia Ransomware Victim
City of Potsdam (Germany) offline – IT Servers shutdown
