Toyota Financial Services Europe & Africa has confirmed being targeted in a cyberattack, and the attack has been credited to the MedusaLocker group.
Toyota Financial Services said it recently detected unauthorized activity on systems in a limited number of locations. It took systems offline, and they are gradually being brought back online.
MedusaLocker has taken credit for the attack, listing Toyota Financial Services on its Tor-based leak website and threatening to distribute stolen data unless an $8 million ransom is paid within 10 days.
The screenshots posted by the hackers on their website show that various types of corporate documents, spreadsheets containing personal information, and passport copies have been obtained.
It’s possible that the Medusa group hacked the company by exploiting a recent Citrix NetScaler vulnerability tracked as CVE-2023-4966 and named CitrixBleed.
Cybersecurity researcher Kevin Beaumont pointed out that Toyota Financial Services recently had a Citrix Gateway system located in Germany that was exposed to the internet and likely vulnerable to CitrixBleed attacks.
The CitrixBleed vulnerability has been widely exploited by threat actors, including in many ransomware attacks.
The researcher has also identified internet-exposed and unpatched Citrix devices belonging to Boeing and Australian shipping company DP World, both of which were recently targeted.