Toyota Ransomware Attack Likely Exploited CitrixBleed Vulnerability

November 17, 2023

Toyota Financial Services Europe & Africa has confirmed that it was recently targeted in a cyberattack, which appears to have been carried out by the ransomware group known as Medusa (not to be confused with MedusaLocker, a separate ransomware operation). The company detected unauthorized activity on systems in specific locations and, as a countermeasure, took some of those systems offline; they are now being progressively restored. In a statement, the firm said, “In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners.” The statement added that the impact of the incident is currently confined to Toyota Financial Services Europe & Africa.

The Medusa group has claimed responsibility, listing Toyota Financial Services on its Tor-based leak site and threatening to publish the stolen data unless an $8 million ransom is paid within 10 days. To substantiate the claim, the attackers posted screenshots and a file tree indicating that the data came from Toyota Financial Services systems in Germany. The leak site shows corporate documents, spreadsheets containing personal information, and copies of passports.

The Medusa group is believed to have gained access by exploiting a recently disclosed vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2023-4966 and dubbed CitrixBleed. The flaw lets an unauthenticated attacker read appliance memory and recover valid session tokens, which can then be replayed to hijack authenticated sessions without passing through login or MFA. Cybersecurity researcher Kevin Beaumont noted that Toyota Financial Services had an internet-exposed Citrix Gateway in Germany that appeared to be unpatched against CitrixBleed at the time. CVE-2023-4966 has been widely exploited in ransomware attacks: Beaumont pointed out that the LockBit group used it to break into government organizations, law firms and banks, including China's largest bank, ICBC, which also had a vulnerable Citrix appliance exposed on the internet. He also identified internet-exposed, unpatched Citrix devices belonging to Boeing and to the ports operator DP World Australia, both of which were recently targeted.
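As a practitioner's check for the "internet-exposed and unpatched Citrix device" point above, here is an added Python example that is not from the original article and not a Citrix or vendor tool. It classifies a NetScaler version banner (as printed by `show version`, or the shorter `NS13.1 49.13.nc` form) against the earliest fixed builds that Citrix listed in advisory CTX579459 for CVE-2023-4966. The fixed-build table is transcribed from that advisory and should be re-checked against the current advisory before being relied on; the FIPS/NDcPP variant is supplied by the operator, because the version string alone does not carry it. The hostnames and builds in the sample inventory are constructed and illustrate no real system.

```python
import re
from typing import Dict, List, Tuple

# Earliest fixed build per release line, transcribed from Citrix advisory
# CTX579459 for CVE-2023-4966 (CitrixBleed). Key: (release, variant).
# Builds are compared as integer pairs, e.g. "49.15" -> (49, 15), which is
# how NetScaler numbers them (build 49, sub-build 15).
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Release lines that were end-of-life when the advisory shipped and received
# no fix; anything on them must be treated as vulnerable and upgraded.
EOL_NO_FIX = {("12.1", "")}

# Matches both the `show version` form "NetScaler NS13.1: Build 49.13.nc"
# and the shorter banner form "NS13.1 49.13.nc".
_VERSION_RE = re.compile(r"NS(\d+\.\d+)[:\s]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(banner: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release, (build, sub_build)) from a NetScaler version string."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner: str, variant: str = "") -> str:
    """Classify one appliance as patched / vulnerable / eol-no-fix / unknown.

    `variant` is "" for standard builds, "FIPS" or "NDcPP" for those lines;
    the operator must supply it because the banner does not carry it.
    """
    release, build = parse_version(banner)
    key = (release, variant)
    if key in EOL_NO_FIX:
        return "eol-no-fix"
    if key not in FIXED_BUILDS:
        return "unknown"  # release line not covered by the advisory table
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host in an inventory of (host, banner, variant) to its status."""
    return {host: assess(banner, variant) for host, banner, variant in inventory}


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-de-01.example", "NetScaler NS13.1: Build 49.13.nc, Date: Jul 7 2023", ""),
    ("gw-de-02.example", "NetScaler NS13.1: Build 49.15.nc, Date: Oct 2 2023", ""),
    ("gw-fips-01.example", "NS13.1: Build 37.150.nc", "FIPS"),
    ("gw-legacy.example", "NS12.1: Build 65.25.nc", ""),
    ("gw-new.example", "NS14.1 8.50.nc", ""),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {status}")
```

A "patched" result only means the memory-disclosure bug is closed. Session tokens stolen before the upgrade remain valid until they are invalidated, so after patching, Citrix and CISA guidance is to terminate existing sessions on the appliance (for example `kill icaconnection -all` and `kill aaa session -all`) and to review gateway logs for logins from unexpected source addresses.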
