Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/28/2014
12:45 PM
100%
0%

Hackers Cash In On ATMs

Malware uses text messages and other techniques to infect ATMs and ultimately allow criminals to steal cash.

A text message is sent, and cash starts spitting out of an ATM infected with malware.

That is one of the capabilities of a sophisticated variant of malware known as Ploutus that has been linked to attacks in Mexico and the Ukraine. In the process, it has become another example of how hackers are turning their attention to ATM machines as another avenue to a bank's coffers.

"I've heard some people saying, 'Well, you know you need physical access to the machine and that makes it more difficult,' " says Symantec researcher Liam O Murchu. "And that is true, but the reason we are reporting on this is because this is something we've seen being used… So even though it may seem like, "Well, you need physical access to the machine so it's not really going to happen,' it is happening, and we're seeing people arrested in Mexico, and we're seeing it being used elsewhere."

Symantec's recent report on the capabilities of the Ploutus malware served to underscore the issue, but also drew some critics who highlighted the difficulties of getting away with opening up a machine and inserting a mobile phone, USB stick, or anything else. Yet that is precisely what researchers at the Chaos Communications Conference in December said they uncovered in the wild: attackers uploading malware onto ATMs by vandalizing machines and inserting USB sticks. They then covered up the hole so they could remain undetected.

"When I hear about a successful malware attack on any ATM, I am not particularly interested in the features which the malware implements, such as its user interface, what data it captures, how it manages the 'casher' mules, and so on," says Henry Schwarz, software projects director at ATM manufacturer Triton. "The central issue is how the malware made its way onto the ATM in the first place -- that is the attack vector which must be addressed. Once malware is running on an ATM, the damage is done."

According to Schwarz, Triton takes various precautions to prevent malware infections. For example, Triton's ATMs now verify software has been digitally signed by Triton using its private key. If the digital signature is incorrect, the ATM does not accept the software.

"The most common vulnerabilities are those that arise almost directly from making maintaining ATMs easy for technicians in the field," explains Mike Park, managing consultant at Trustwave. "These include easy-to-pick locks, the ability to bypass locks, ATM operating systems running as 'administrator' without a password, and USB ports both enabled and in the boot order before the hard drive. Many lack hard drive encryption or any form of endpoint security. Anti-virus, for instance, can bog a machine down such that transactions take far too long to complete.

"By far our most successful and easiest attacks are to gain access to the ATM network and manipulate ATM requests and responses, allowing us to gain access to the cash in the ATM without having to actually touch the machine, except to initiate a legitimate transaction."

Some of the company's most successful attacks during penetration tests do not require physical access to the device and are agnostic to the operating system, Park tells us. Network-based attacks have proven repeatedly to be both easy to exploit and lucrative, and at times testers have been able to hide the fact that the ATM was compromised from a central management application.

Based on the company's penetration tests, ATM manufacturers and banks should take measures such as adding a BIOS password, encrypting the hard drive, and installing host intrusion detection systems, Park says. In addition, armoring application binaries against reverse engineering and using endpoint security solutions can help as well.

"The biggest issue however is that implementing many of these security measures make ATM technical maintenance much more difficult, time consuming, and expensive," says Park. "Technicians will need a large ring of keys -- will need to know BIOS password and admin passwords when doing routine or emergency maintenance."

Telling ATM owners to pay more attention to physical device security in the form of cameras and other methods as opposed to upgrading devices is a losing proposition, opines Craig Young, security researcher at Tripwire.

"ATMs are networked devices which can potentially be attacked without direct physical access to the system," he says. "Migrating from [Windows] XP embedded is really the ideal solution as newer operating systems will not only benefit from ongoing security updates but also from security enhancements integrated into newer operating systems."

Support for the Windows XP embedded products varies depending on the version of the product, according to a timeline set out by Microsoft.

"From a technical standpoint, organizations not in a position to upgrade ATMs from Windows XP do have some options for system hardening," notes Young. "As a starting point, USB ports should be locked down as much as possible. This could be a physical solution such as an additional locking mechanism over the USB port or a technical solution such as disabling USB ports within software."

Attacks against ATMs are on everyone's radar, says Troy Leach, chief technology officer at PCI Security Standards Council. 

"According to findings from the ATM Industry Association’s 2012 ATM Global fraud survey, skimming remains the top global threat to ATMs, with different kinds of brute force attacks continuing unabated," he tells Dark Reading. "PIN and account data present in ATMs has become a growing target for criminals who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/28/2014 | 4:38:37 PM
Root Default of ATM
I have read a few reports about Ploutus and yes it poses a very large risk, but I think the risk lies in the machines architecture and not too much in the "malware" being transferred via the device, USB, phone, etc.

Correct me if I am mistaken but it seems that these machines are in an administrative state for routine/emergency maintenance and its only the physical barrier that truly denies access to the kingdom. But as knights circumvent a moat, people have gotten past this safeguard and are tasking the machine with minimal intrusion.

One comment I saw on a forum regarding Ploutus, though cynical, carried some truth. You can't leave a machine in root status and expect it not to perform root tasks. 

As delineated in your article, banks are now undergoing expensive counter procedures to smooth out this issue. But that is more of a reactive approach and therefore a huge security flaw. It needs to be realized that security is most effective when handled pre-emptively. For whatever reason, these machines were left in a vulnerable state with only a thin physical layer to keep people out. What are other peoples thoughts regarding the ATM "hacks"?

 
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
3/30/2014 | 2:16:13 PM
Re: Root Default of ATM
Ryan raises an interesting issues, the security level for many ATM is not acceptable.

Banks cannot think to continue to use phase out OSs like XP while cyber threats are even more sophisticated.

Physical protection is another serious problem, why are we surprised if the computers behind ATM is easily accessible? I'm not surprised by news regarding similar hacks ... the problem is elsewhere.

Why Does BIOS of the ATM machines allow booting from external and unauthorized media (e.g. CD ROMs , USB sticks)?

What's about disk encryption to prevent disk tampering?

This hack is the result of many errors!

This is not security

Thanks

Pierluigi
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
3/31/2014 | 11:47:11 AM
Re: Root Default of ATM
You would think that a more robust and updated OS would be used instead for ATMs of XP. XP was a great desktop system but with support being phased out and other options being available such as a locked down version of linux (take your pick) the ATMs would be less susceptable to some of the attacks than windows would be. Just a thought..
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/31/2014 | 5:47:36 PM
Re: Root Default of ATM
Randy, 

You bring up a good point. How come ATM's aren't secured Linux shops? I would imagine that it would be more secure and cost effective. Not to say that Linux is a cure all, just I know it has a large percentage of effective security tools and safeguards. Is it the level of support? I don't know how thorough that component would be. If someone could, please clue me in on why this hasn't come to pass?
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
1/5/2017 | 3:46:07 PM
How i got my Blank ATM card
I got my already programmed and blanked ATM card to
withdraw the maximum of $5,000 daily for a maximum of 20
days. I am so happy about this because i got mine last week
and I have used it to get $150,000. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected] or call him via telephone +19143614629
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
2/5/2017 | 7:10:37 AM
Blank Atm Card
I got my already programmed and blanked ATM card to
withdraw the maximum of $5,000 daily for a maximum of 20
days. I am so happy about this because i got mine last week
and I have used it to get $150,000. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected]
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
3/15/2017 | 1:49:38 PM
Blank Atm Card
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 MONTHLY for a maximum of 12 MONTHS. I am so happy about this because i got mine last week
and I have used it to get $150,000 already. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected] or send him a text message +19143614629
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
3/25/2017 | 3:30:31 AM
Blank Atm Card
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 MONTHLY for a maximum of 12 MONTHS. I am so happy about this because i got mine last week
and I have used it to get $150,000 already. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected]
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
4/3/2017 | 10:05:32 AM
Blank Atm Card
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 MONTHLY for a maximum of 12 MONTHS. I am so happy about this because i got mine last week
and I have used it to get $150,000 already. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected]
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
5/26/2017 | 9:49:04 AM
Blank ATM card
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 MONTHLY for a maximum of 12 MONTHS. I am so happy about this because i got mine last week
and I have used it to get $150,000 already. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected]
CartaR828
0%
100%
CartaR828,
User Rank: Strategist
6/3/2017 | 9:27:55 AM
Blank atm card
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 MONTHLY for a maximum of 12 MONTHS. I am so happy about this because i got mine last week
and I have used it to get $150,000 already. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected]
CartaR828
67%
33%
CartaR828,
User Rank: Strategist
6/6/2017 | 7:03:07 AM
Blank atm card
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 MONTHLY for a maximum of 12 MONTHS. I am so happy about this because i got mine last week
and I have used it to get $150,000 already. Georg Bednorz Hackers is giving
out the card just to help the poor and needy though it is illegal but it
is something nice and he is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from Georg Bednorz Hackers today! Just send an email
to [email protected]
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4560
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4589
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
CVE-2020-4328
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
CVE-2020-4377
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
CVE-2020-4534
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...