Toyota Ransomware Attack Likely Exploited CitrixBleed Vulnerability
November 17, 2023
Toyota Financial Services Europe & Africa has confirmed that it was recently targeted in a cyberattack, which appears to have been carried out by the ransomware group known as Medusa (a separate operation from the similarly named MedusaLocker, with which it is often confused). The company detected unauthorized activity on its systems in specific locations and, as a countermeasure, took some of these systems offline. They are now being progressively restored. In a company statement, the firm said, “In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners.” The statement further clarified that the impact of this incident is currently confined to Toyota Financial Services Europe & Africa.
The Medusa group has claimed responsibility for the attack, listing Toyota Financial Services on its Tor-based leak site. The group threatened to release the stolen data unless a ransom of $8 million is paid within a 10-day period. To substantiate its claims, the group published screenshots and a file tree indicating that the stolen information originated from Toyota Financial Services systems in Germany. The leak site displays various corporate documents, spreadsheets containing personal information, and scanned copies of passports.
Medusa may have gained its initial access by exploiting a recently disclosed vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2023-4966 and nicknamed CitrixBleed. The flaw is an unauthenticated memory disclosure (buffer over-read) that leaks session tokens from the appliance; an attacker who replays a leaked token hijacks an already authenticated session, sidestepping passwords and MFA entirely. Because stolen tokens remain valid after the firmware is updated, Citrix's guidance is to terminate all active and persistent sessions after patching, not merely to apply the update. Cybersecurity researcher Kevin Beaumont noted that Toyota Financial Services had a Citrix Gateway system in Germany that was exposed to the internet and likely susceptible to CitrixBleed attacks. The vulnerability is known to have been widely exploited by threat actors in several ransomware attacks. Beaumont highlighted that the LockBit ransomware group has used this flaw to infiltrate the systems of government organizations, law firms, and banks, including China's largest bank, which also had a vulnerable Citrix system exposed on the internet. Beaumont also identified internet-exposed and unpatched Citrix devices belonging to Boeing and to DP World's Australian port operations (DP World Australia), both of which were recently targeted.