Both the German city of Brandenburg an der Havel and the municipality of Stahnsdorf in the district of Potsdam-Mittelmark (Germany) have gone offline after a cyber attack, have switched off their IT systems and are working in emergency mode. Here too, Citrix ADC/NetScaler gateways were the entry point of the successful attacks.
At the moment there is a lot of activity in the IT landscape of German authorities, universities and companies. Before Christmas, universities such as Frankfurt, Gießen and Freiburg were hit; in the last few days it was companies like Gedia and the city of Potsdam. Now further administrations are affected.
City of Brandenburg is offline
The German city of Brandenburg an der Havel (located close to Berlin) has shut down parts of its IT systems because of a cyber attack. In the tweet below, the press department informs about the incident.
Like @LH_Potsdam, the city of #Brandenburg has also detected a hacker attack via #Citrix & has therefore taken the affected Citrix applications offline. The majority of administrative work is not affected; e-mail traffic continues to work. https://t.co/ACV6y9T4to pic.twitter.com/BJA922OBAB
— Stadt Brandenburg an der Havel (@Stadt_BRB) January 24, 2020
Most administrative work is not affected and e-mail continues to work. The school secretariats, the city forest, the Kirchmöser district administration and the local job centre are affected. In these areas the Citrix system software has been temporarily taken off the network.
Also the municipal administration of Stahnsdorf offline
This German site reported that the municipal administration of Stahnsdorf (Potsdam-Mittelmark district in Germany) also went offline yesterday as a precaution. For security reasons (Stahnsdorf also uses Citrix), the municipality's IT department has cut the connection to the state administration network (LVN). As a result, communication with other authorities is severely restricted or not possible at all.
Citrix ADC/NetScaler as a root cause for attacks
My prophecies of doom have come true. In the article Ransomware: Are Potsdam and Gedia Shitrix victims? I proposed that we had not seen the end of the story and that we would see more cases. The press release of the city of Brandenburg now says:
A critical system vulnerability has been identified in the Citrix system software used by many government agencies (CVE-2019-19781). Just as in the attack on Potsdam City Hall, a Citrix gateway for handling external system access for city administration employees to the internal employee portal was compromised in the Brandenburg city administration. Specifically, this affects the school secretariats, the city forest, the Kirchmöser district administration as well as ARGE/Jobcenter and HomeOffice accesses.
So the administrators had not applied the workaround that Citrix published to mitigate the Shitrix vulnerability on Citrix NetScaler, which I had discussed at length here in the blog. Patching is one thing; until the gateway is patched or the mitigation is in place, the appliance's logs should at least be checked for traversal requests to see whether it was already probed or exploited. You can read more about the Citrix vulnerability in the following articles.
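As an added example (not code from the blog, from Citrix, or from any of the affected administrations), here is a small Python checker that scans web-server-style access log lines for the path-traversal pattern behind CVE-2019-19781: an unauthenticated request under `/vpn/` that uses a `..` segment to reach `/vpns/`. The log format (Common Log Format), the field names and all sample log lines are constructed for this example; the traversal indicator itself is the publicly documented one, but is not taken from this page. The checker percent-decodes twice and collapses dot segments so that `%2e%2e` and `%252e%252e` variants, which a naive grep for `/vpn/../vpns/` misses, are also flagged.

```python
import posixpath
import re
from urllib.parse import unquote

# Common Log Format (Apache/nginx style front end). Assumption: the gateway
# or a reverse proxy in front of it logs requests in this layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for the example (not real log data).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jan/2020:08:02:11 +0100] "GET /vpn/index.html HTTP/1.1" 200 1204',
    '198.51.100.7 - - [24/Jan/2020:08:02:12 +0100] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Jan/2020:03:14:07 +0100] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83',
    '203.0.113.5 - - [24/Jan/2020:03:14:09 +0100] "POST /vpn/%2e%2e/vpns/portal/scripts/ HTTP/1.1" 200 0',
    'this line is deliberately malformed and must be skipped, not crash the scan',
]


def normalised_path(target):
    """Return (decoded, collapsed) forms of a request target.

    Decoding twice catches double percent-encoding (%252e -> %2e -> '.').
    posixpath.normpath collapses '..' segments the way a file lookup
    on the appliance effectively resolves them.
    """
    path = target.split("?", 1)[0]          # drop the query string
    decoded = unquote(unquote(path))
    collapsed = posixpath.normpath(decoded)
    return decoded, collapsed


def is_cve_2019_19781_hit(target):
    """True if the request uses a dot-dot segment to land under /vpns/.

    A plain '/vpns/...' request without traversal is not flagged here;
    the indicator is specifically traversal out of the unauthenticated
    /vpn/ tree into /vpns/.
    """
    decoded, collapsed = normalised_path(target)
    if ".." not in decoded:
        return False
    return collapsed == "/vpns" or collapsed.startswith("/vpns/")


def scan_log(lines):
    """Return (hits, unparsed_count) for an iterable of log lines."""
    hits, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1               # keep going on malformed input
            continue
        if is_cve_2019_19781_hit(m["target"]):
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "status": m["status"],
            })
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print(f"{len(found)} suspicious request(s), {skipped} unparsable line(s)")
```

Run it against the real access log instead of `SAMPLE_LOG` (for example by replacing the list with `open(path)`), and treat every hit with a `200` status as a sign that the appliance was at least probed while still vulnerable; a compromise should then be assumed rather than ruled out by the absence of further hits.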
Vulnerability in Citrix Apps put companies at risk
PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
Further actions required for Citrix Netscaler vulnerability
Citrix vulnerability: New updates and scanners for testing
German Automotive Supplier Gedia Ransomware Victim
City of Potsdam (Germany) offline – IT Servers shutdown
Ransomware: Are Potsdam and Gedia Shitrix victims?