Cyber attack forces Toyota Financial Services systems offline

Car maker Toyota is recovering from a cyber attack on its European and African financial services department that forced it to take systems offline. In a statement, Toyota Financial Services Europe and Africa said it recently identified unauthorized activity on systems in a limited number of its locations before taking certain systems offline to investigate.

While the car giant has not confirmed the source, nature or extent of the incident, the Medusa ransomware group has claimed responsibility. It said it has stolen data from Toyota Financial Services, giving the company 10 days to pay a US $8 million ransom.

Cyber security expert Kevin Beaumont noted on X (formerly Twitter) that Toyota’s internet-accessible systems are vulnerable to the “Citrix Bleed” vulnerability that has affected dozens of organizations and governments in the last month. Citrix Bleed (CVE-2023-4966) is a critical vulnerability affecting multiple versions of Citrix Netscaler Gateway and ADC products that could enable attackers to retrieve sensitive information and hijack user sessions.

Toyota breach limited to European and African financial services

Along with carrying out its own investigation into the incident, Toyota is working with law enforcement, the firm said. “In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners.” As of now, this incident is limited to Toyota Financial Services Europe and Africa, it added.

Earlier this year, Toyota was forced to apologize after a cloud misconfiguration exposed information on more than two million customers. “We believe that the main cause of this incident was that the rules for handling data were insufficiently explained and thorough,” the firm said.

What is Medusa ransomware?

The Medusa group is a ransomware-as-a-service (RaaS) gang that has operated since 2021. The actors normally gain access to systems through vulnerable remote desktop protocols (RDP) and phishing campaigns before employing PowerShell for command execution, erasing shadow copy backups to prevent data restoration. It is also known to escalate its system privileges, deactivate defense mechanisms and spread across networks.

The Medusa group recently attacked a technology company created by two of Canada’s largest banks. Earlier this year, the gang was behind attacks on an Italian water company, a Minnesota school district and the government organization that manages the healthcare system of the Philippines.

Sign up to Cyber Security Hub’s upcoming webinar All Access: Malware and Ransomware

[Inlinead]