Toyota Financial Services Europe & Africa has confirmed that it was recently targeted in a cyberattack, which appears to have been carried out by the ransomware group variously identified as Medusa or MedusaLocker. The company detected unauthorized activity on its systems in specific locations and, as a countermeasure, took some of these systems offline. They are now being progressively restored. In a statement, the company said, “In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners.” The statement further clarified that the impact of this incident is currently confined to Toyota Financial Services Europe & Africa.
The Medusa group has claimed responsibility for the attack, listing Toyota Financial Services on its Tor-based leak website. The group has threatened to release the stolen data unless a ransom of $8 million is paid within 10 days. To substantiate its claims, the group published screenshots and a file tree indicating that the stolen information originated from Toyota Financial Services systems in Germany. The leak website displays various corporate documents, spreadsheets containing personal information, and copies of passports.
It is speculated that the Medusa group may have gained access to the company's systems by exploiting a recent vulnerability in Citrix NetScaler, tracked as CVE-2023-4966 and known as CitrixBleed. Cybersecurity researcher Kevin Beaumont noted that Toyota Financial Services had a Citrix Gateway system in Germany that was exposed to the internet and likely susceptible to CitrixBleed attacks. The CitrixBleed vulnerability is known to have been widely exploited by threat actors in several ransomware attacks. Beaumont highlighted that the LockBit ransomware group has used this flaw to infiltrate the systems of government organizations, law firms, and banks, including China's largest bank, which also had a vulnerable Citrix system exposed on the internet. Beaumont also identified internet-exposed and unpatched Citrix devices belonging to Boeing and the Australian shipping company DP World, both of which were recently targeted.