1/29/2018
06:30 PM
Thieves Target ATMs In First US 'Jackpotting' Attacks

Attackers have been getting ATMs to illegally dispense cash by tampering with their internal electronics, US Secret Service warns.

Diebold Nixdorf and NCR, two of the world's largest ATM vendors, are warning their US customers about recent so-called jackpotting attacks where cybercriminals force terminals to illegally dispense large amounts of cash by tampering with their internal electronics.

In its customer alert, Diebold Nixdorf said that US Secret Service had informed the company on Jan. 26 about jackpotting attacks moving from Mexico to the US for the first time. The attack that the Secret Service memo described was the same as one that Diebold Nixdorf had warned customers about in November 2017, said the alert, which the company made available to Dark Reading.

According to the ATM maker, attackers are removing the top hat of its Opteva front-load ATM terminals and replacing original hard disks with previously prepared replacement disks that contain an unauthorized image of the ATM's software.

In order to pair the new disk with the terminal, the attackers have to first reset its communications — a multi-step process that requires them to press and hold a button inside the ATM's locked safe. CCTV footage of the attacks shows the criminals using an industrial endoscope to look inside the safe so they can locate the button and then use an extension to press it down till the pairing is complete.

All Diebold Nixdorf front-load Advanced Function Dispenser (AFD)-based Opteva ATMs are vulnerable to the attack. Rear-load Opteva models are also vulnerable, but would be extremely difficult to attack using the current approach, the company said.

The attack circumvents the ATMs' physical security and authorization features to allow dispensers to be paired with rogue hard drives, the vendor said. "As the ATMs that are currently being targeted are older, legacy Diebold units, it's important to remind financial institutions to keep their security up to date," the company said in a statement.

In an emailed comment, NCR said it, too, had alerted customers of its ATMs about the jackpotting attacks and offered guidance on how to protect against them. Though the attacks have targeted non-NCR systems so far, they represent the first logical attacks against ATMs in the US and therefore should be taken seriously by everyone.

In a January 26 press statement, the US Secret Service described the attacks as mainly targeting stand-alone ATMs of the sort routinely found in pharmacies, big box retailers, and drive-through locations. "Criminals range from individual suspects to large organized groups, from local criminals to international organized crime syndicates," the Secret Service statement said.

KrebsOnSecurity, which was first to report on the new attacks, said the thieves behind them appear to be using a new version of a jackpotting malware tool called Ploutus.D to steal money from cash dispensers. The blog quoted an unnamed source at the Secret Service saying that the crooks behind the jackpotting campaign have begun sending out so-called "cash out crews" to attack and compromise front-loading Diebold machines.

Once a terminal has been paired with a rogue hard drive, members of the crew contact co-conspirators who then take remote control of the ATM and force it to dispense cash. In previous attacks involving Ploutus.D, attackers have been able to force compromised ATMs to spit out up to 40 currency bills every 23 seconds, KrebsOnSecurity said.
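The chain described above (a terminal taken out of service for the disk swap, then a remote operator driving the dispenser at up to 40 bills every 23 seconds with no customer card in the machine) leaves a footprint on the host or transaction-switch side that an operator can alert on. The following is an added example, not code from the article, from Diebold Nixdorf, NCR or any other vendor: a small Python detector run over a constructed ATM event log. The log format, field names (CARD_AUTH, OUT_OF_SERVICE, DISPENSE, bills=) and thresholds are all assumptions made for illustration; a real host emits different records, but the three indicators (dispense without a recent card authorization, dispense while out of service, and an abnormal bill-count burst) carry over.

```python
"""Flag jackpotting-style dispense activity in ATM host event logs.

Added example, not code from the article or from any ATM vendor. The log
format is a constructed assumption: one event per line,
"<ISO timestamp> <terminal> <EVENT> [key=value ...]".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions, tuned to the cadence the article reports
# (up to 40 bills every 23 seconds from a compromised dispenser).
AUTH_WINDOW = timedelta(seconds=60)      # a legitimate dispense follows a card auth
BURST_WINDOW = timedelta(seconds=120)    # sliding window for bill counting
BURST_BILLS = 80                         # more bills than this per window is a burst


def parse_event(line):
    """Parse one constructed log line into (timestamp, terminal, event, fields)."""
    ts, terminal, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), terminal, event, fields


def detect_jackpotting(lines):
    """Return a list of (timestamp, terminal, reason) alerts.

    Three indicators, each an assumption about what a cash-out looks like
    on the host side:
      1. DISPENSE with no CARD_AUTH on that terminal in the last AUTH_WINDOW
      2. DISPENSE while the terminal last reported OUT_OF_SERVICE
      3. more than BURST_BILLS bills dispensed within BURST_WINDOW
    """
    last_auth = {}                      # terminal -> time of last CARD_AUTH
    status = {}                         # terminal -> last status event
    recent = defaultdict(deque)         # terminal -> deque of (time, bills)
    alerts = []

    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, term, event, fields = parse_event(line)

        if event == "CARD_AUTH":
            last_auth[term] = ts
        elif event in ("OUT_OF_SERVICE", "IN_SERVICE"):
            status[term] = event
        elif event == "DISPENSE":
            bills = int(fields.get("bills", "0"))

            auth = last_auth.get(term)
            if auth is None or ts - auth > AUTH_WINDOW:
                alerts.append((ts, term, "dispense without recent card authorization"))

            if status.get(term) == "OUT_OF_SERVICE":
                alerts.append((ts, term, "dispense while terminal is out of service"))

            window = recent[term]
            window.append((ts, bills))
            while window and ts - window[0][0] > BURST_WINDOW:
                window.popleft()
            total = sum(b for _, b in window)
            if total > BURST_BILLS:
                alerts.append((ts, term, f"cash-out burst: {total} bills in {BURST_WINDOW.seconds}s"))
                window.clear()          # reset so one burst yields one alert
    return alerts


# Constructed sample log (not from any real ATM): ATM-0101 is a normal
# customer withdrawal; ATM-0417 shows the out-of-service step during the
# disk swap followed by a remote-driven cash-out at the reported cadence.
SAMPLE_LOG = """
2018-01-26T02:10:00 ATM-0101 CARD_AUTH txn=A1 amount=200
2018-01-26T02:10:05 ATM-0101 DISPENSE txn=A1 bills=10
2018-01-26T02:14:00 ATM-0417 OUT_OF_SERVICE
2018-01-26T02:20:00 ATM-0417 DISPENSE bills=40
2018-01-26T02:20:23 ATM-0417 DISPENSE bills=40
2018-01-26T02:20:46 ATM-0417 DISPENSE bills=40
"""

if __name__ == "__main__":
    for ts, term, reason in detect_jackpotting(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {term}: {reason}")
```

On the constructed log the ATM-0101 withdrawal produces no alert, while each ATM-0417 dispense trips the no-authorization and out-of-service checks and the third one also trips the burst check. The out-of-service indicator is the weakest of the three on its own, since a terminal legitimately reports that state during maintenance; it earns its place only in combination with a dispense, which is exactly the pairing Galloway's remark about the out-of-service display points to.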

Attacks targeting ATMs are not new. As far back as 2010, a researcher with IOActive demonstrated how attackers could compromise ATMs and force them to dispense wads of cash. In 2016, a suspected Russian operation stole more than $2 million from ATMs, likely using just their smartphones.

Hands-On Hack

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says what makes the jackpotting attacks interesting is the level of access criminals need to pull it off. "What is strange in this scenario is the level of physical access obtained by the attackers," she says. "The only real benefit of this may be from infecting further machines without the bank becoming aware."

But even then, compromised ATMs would display an out-of-service notification, she says.

Attackers can steal money from ATMs using less complicated methods than jackpotting, she notes. "There are actually remote attacks that don't rely on physical access to the inside of the ATM, and travel via infection of a bank's core network," she says.  

Modems used for communications can also have vulnerabilities. "If the ATM is connected to the network via a modem, it is possible to find vulnerabilities in modems, which would allow an attacker to gain access," Galloway says.

For ATM operators, the attacks highlight the need for proper risk management, says Alan Brill, senior managing director, cybersecurity and investigations for Kroll. "The reports of the incidents suggest that certain older stand-alone ATMs are being targeted," he says. "Successful attacks require access to the ATM to [install] the malware and in at least some cases, a button had to be pushed, for which the bad guys used an endoscope."

Endoscopes fully equipped with lights and tools that could be used to press a button in the innards of an ATM are available on many sites for under $20, Brill says.

There are a few common-sense ways of managing the risk of jackpotting attacks, he notes. Unexpected visits by ATM technicians, for instance, should be a red flag. Stand-alone ATMs should be in a location that is visible to employees and covered by a security camera. Tamper-evident tape can be used to close off openings that would allow an attacker to insert an endoscope into a terminal.

ATM owners should also always know who to contact when there's a problem, and to authenticate the person whom they are calling.

When taking precautions against threats like jackpotting, it's also best to implement security against other threats as well, such as skimming. "There's an overlap in security so that protecting against one form of attack can help mitigate the risk of multiple forms of attack," Brill notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Joe Stanganelli, 1/30/2018 | 1:46:10 PM
Update: Suspects apprehended
Update... According to Brian Krebs today, the suspects were allegedly caught after (1) getting themselves pulled over, which led to (2) police smelling marijuana in their car, leading to a search that, in addition to marijuana, yielded discovery of (3) "several backpacks full of cash".

How can people be so smart and so stupid?