CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack

Toyota Financial Services has been hit by a ransomware attack that may have involved exploitation of the CitrixBleed vulnerability. 

Toyota Financial Services Europe & Africa this week confirmed being targeted in a cyberattack, which appears to have been conducted by a known ransomware group.

The Toyota subsidiary said it recently detected unauthorized activity on systems in a limited number of locations. In response, it took some systems offline and they are gradually being brought back online. 

“In most countries, we have started bringing our systems back online. We are working diligently to get systems back online as soon as possible and we regret any inconvenience caused to our customers and business partners,” the company said in a statement posted on its website. “As of now, this incident is limited to Toyota Financial Services Europe & Africa.”

The ransomware group known as Medusa and MedusaLocker has taken credit for the attack, listing Toyota Financial Services on its Tor-based leak website and threatening to distribute stolen data unless an $8 million ransom is paid within 10 days.  

Screenshots and a file tree made public by the cybercriminals to demonstrate their claims indicate that the information was stolen from Toyota Financial Services systems in Germany. 

The screenshots posted by the hackers on their website show that various types of corporate documents, spreadsheets containing personal information, and passport copies have been obtained. 

It’s possible that the Medusa group hacked the company by exploiting a recent Citrix NetScaler vulnerability tracked as CVE-2023-4966 and named CitrixBleed (Citrix Bleed). 

Cybersecurity researcher Kevin Beaumont pointed out that Toyota Financial Services recently had a Citrix Gateway system located in Germany that was exposed to the internet and likely vulnerable to CitrixBleed attacks. 

The CitrixBleed vulnerability has been widely exploited by threat actors, including in many ransomware attacks. 

According to Beaumont, the LockBit ransomware group has exploited the flaw to access the systems of government organizations, law firms and banks. The cybercrime gang has taken credit for the recent attack on China’s biggest bank, which also had a vulnerable Citrix system exposed to the web.

The researcher has also identified internet-exposed and unpatched Citrix devices belonging to Boeing and Australian shipping company DP World, both of which were recently targeted. 

Related: Vulnerability in Toyota Management Platform Provided Access to Customer Data

Related: Toyota: Data on More Than 2 Million Vehicles in Japan Were at Risk in Decade-Long Breach

Related: Vulnerability Provided Access to Toyota Supplier Management Network

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
