Toyota Financial Services Europe & Africa this week confirmed being targeted in a cyberattack, which appears to have been conducted by a known ransomware group.
The Toyota subsidiary said it recently detected unauthorized activity on systems in a limited number of locations. In response, it took some systems offline and they are gradually being brought back online.
“In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners,” the company said in a statement posted on its website. “As of now, this incident is limited to Toyota Financial Services Europe & Africa.”
The ransomware group known as Medusa and MedusaLocker has taken credit for the attack, listing Toyota Financial Services on its Tor-based leak website and threatening to distribute stolen data unless an $8 million ransom is paid within 10 days.
Screenshots and a file tree made public by the cybercriminals to demonstrate their claims indicate that the information was stolen from Toyota Financial Services systems in Germany.
The screenshots posted by the hackers on their website show that various types of corporate documents, spreadsheets containing personal information, and passport copies have been obtained.
It’s possible that the Medusa group hacked the company by exploiting a recent Citrix NetScaler vulnerability tracked as CVE-2023-4966 and named CitrixBleed (Citrix Bleed).
Cybersecurity researcher Kevin Beaumont pointed out that Toyota Financial Services recently had a Citrix Gateway system located in Germany that was exposed to the internet and likely vulnerable to CitrixBleed attacks.
The CitrixBleed vulnerability has been widely exploited by threat actors, including in many ransomware attacks.
According to Beaumont, the LockBit ransomware group has exploited the flaw to access the systems of government organizations, law firms and banks. The cybercrime gang has taken credit for the recent attack on China’s biggest bank, which also had a vulnerable Citrix system exposed to the web.
The researcher has also identified internet-exposed and unpatched Citrix devices belonging to Boeing and Australian shipping company DP World, both of which were recently targeted.
Related: Vulnerability in Toyota Management Platform Provided Access to Customer Data
Related: Toyota: Data on More Than 2 Million Vehicles in Japan Were at Risk in Decade-Long Breach
Related: Vulnerability Provided Access to Toyota Supplier Management Network