Toyota Financial Services (TFS) announced that unauthorised access was detected on some of its systems in Europe and Africa after the Medusa ransomware gang claimed responsibility for the attack.
Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity that provides auto financing to customers in 90% of the markets where Toyota sells its vehicles.
The Medusa ransomware gang added TFS to its data leak site on the dark web earlier this week, demanding $8,000,000 to delete data allegedly stolen from the Japanese company.
Toyota was given ten days by the threat actors to respond, with the option to extend for an additional $10,000 per day.
Toyota Financial Services did not confirm whether data was taken in the attack, but the threat actors claim to have exfiltrated files and are threatening to release them if the ransom is not paid.
The hackers published sample data, such as spreadsheets, purchase invoices, agreements, passport scans, financial performance reports, internal organisation charts, hashed account passwords, cleartext user IDs and passwords, and more, as proof of the intrusion.
The hackers also supply a .TXT file containing the file tree structure of all the data that Medusa claims to have taken from Toyota's systems.
The majority of the documents are written in German, suggesting that the hackers were able to gain access to the systems supporting Toyota's activities in Central Europe.
The Japanese automaker was contacted by BleepingComputer for a comment regarding the leaked data, and a company representative gave the following statement:
“Toyota Financial Services Europe & Africa recently identified unauthorized activity on systems in a limited number of its locations. We took certain systems offline to investigate this activity and to reduce risk and have also begun working with law enforcement. As of now, this incident is limited to Toyota Financial Services Europe & Africa.”
Regarding the status of the affected systems and when they are expected to resume regular operations, the spokesperson told us that most countries are currently in the process of bringing their systems back online.
Another Citrix Bleed breach?
Earlier today, in response to Medusa's revelation that TFS was its victim, security analyst Kevin Beaumont pointed out that the company's German office had an internet-exposed Citrix Gateway endpoint that had not been updated since August 2023, leaving it susceptible to the critical Citrix Bleed (CVE-2023-4966) security vulnerability.
It was confirmed a few days ago that the hackers behind the LockBit ransomware had breached the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing by means of publicly available Citrix Bleed exploits.
It is likely that additional ransomware groups have begun to exploit Citrix Bleed, capitalising on an extensive attack surface that is believed to encompass thousands of still-unpatched endpoints.