
Toyota (TFS) Targeted by Medusa Ransomware – Suspected Citrix Bleed Vulnerability

Toyota Financial Services (TFS), the vehicle financing subsidiary of the Japanese carmaker, experienced a disruptive cyberattack. The Medusa ransomware group has claimed responsibility and is suspected of exploiting the Citrix Bleed vulnerability to carry out the attack.

Toyota Financial Services (TFS), a division of Toyota Motor Corporation, operates in 90% of Toyota’s global markets. It specialises in vehicle finance and provides financial solutions to customers all around the world.

Toyota confirmed detecting unauthorised activity on systems at specific locations and acted quickly by temporarily stopping the impacted systems. A staged strategy is now being implemented to restore these systems carefully, safely and efficiently.

According to a statement on the company’s website:

In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners. As of now, this incident is limited to Toyota Financial Services Europe & Africa.

Medusa and MedusaLocker ransomware groups have claimed responsibility for the cyberattack. They have listed Toyota Financial Services as a victim on their Tor-based leak site. The group has issued an urgent demand: pay an $8 million ransom within the next two days, or it will release the stolen information.

Medusa Tor Site Highlights Toyota Financial Services and $8M Demand (Phishing Tackle)

As proof of their claims, the attackers have released a file tree and screenshots. These documents show that the data was taken from Toyota Financial Services’ German computer networks.

Medusa ransomware group released a Toyota leaked file tree (Phishing Tackle)

The hackers have released a set of sample data that includes financial documents, spreadsheets, purchase invoices, hashed account passwords, user IDs and passwords in clear text, agreements, passport scans, internal organisation charts, financial performance reports, staff email addresses, and other information.

Medusa has also provided a .TXT file that details the file tree structure of the data allegedly stolen from Toyota’s systems. Most of these records are in German, confirming an incursion into networks enabling Toyota’s activities in Central Europe. It appears that this attack gave the hackers access to sensitive information.

Citrix Bleed Breach and Toyota’s Security Risks

It’s possible that the Medusa group breached the organisation by taking advantage of a recent Citrix NetScaler vulnerability. This vulnerability is tracked as CVE-2023-4966 and is often known as Citrix Bleed.

Lockbit ransomware attackers confirmed their use of publicly available exploits for Citrix vulnerabilities. These attacks resulted in breaches of major companies, including Boeing, DP World, Allen & Overy, Industrial and Commercial Bank of China (ICBC), and others.

Toyota issued an apology in 2022 following the discovery of a possible data breach that involved its source code being publicly accessible on GitHub for more than three years.

A cyber incident that occurred in March 2023 temporarily shut down several Japanese factories. This incident caused severe disruption in the manufacture of roughly 13,000 automobiles.

Toyota Connected Corporation (TC) suffered a large consumer data breach in May 2023, affecting various countries in Oceania and Asia. This unexpected event has prompted further worries about the security of client data under TC’s supervision.

The cyberattack leaves Toyota Financial Services in a critical position. It is part of a global automobile giant based in Japan that produces around 10 million cars annually. This security breach presents a serious risk to the company’s financial operations and may have serious consequences.

Meanwhile, the automotive sector as a whole faces persistent cybersecurity problems, and another significant player in the market has now fallen victim to a highly competent cyberattack. Toyota shares the fate of well-known competitors like Daimler, BMW, and Audi, all of which are contending with the ever-changing risks posed by attackers.
