Post on 23-Apr-2021
© Copyright GMV 2018
All rights reserved
ATM JACKPOTTING - ADAPTING TO THE FUTURE OF MALWARE
ATM & PAYMENTS INNOVATION SUMMIT 2018
Juan Jesús León - GMV
INTRODUCTION
WHO IS GMV
A global high-tech technology group
Leading ATM logical security vendor
• CHECKER ATM SECURITY
• Deployed in 35 countries and 150,000+ ATMs
www.gmv.com
• Multinational technology group, CMMI level 5
• Founded in 1984
• Private capital
• Headquarters in Spain (Madrid)
• Subsidiaries in 11 countries
• 1,600 employees
• Roots tied to Space
• Aeronautics, Space, Defense, Security, Transportation, Healthcare, Banking & finances, and ICT industries
• 160M€ worldwide revenue
TODAY WE WILL ADDRESS…
ATM cyber threats and protections
• Malware, Black-box and Network intrusions
• State-of-the-art protections
ATM cyber attacks today
• The “comfort zone”
• The “war zone”
Adapting to the future
EAST FCS Seminar 2018
ATM CYBER THREATS & PROTECTIONS
ATM CYBER THREATS
• Malware Attack
• Black Box Attack
• Network Intrusion
Jackpotting: on the rise
Jackpotting ≡ cash-out
Malware vs. Black Box: malware has to bypass the protection of the ATM software stack in order to run on the actual ATM PC, because that PC is already trusted by the dispenser.
Black Box means BYOD: the fraudster brings a device with all the tools necessary to dispense, but has to re-pair that device with the dispenser.
Network attacks: penetrate the bank network to eventually reach the ATM network. It is like conquering the fortress just to access the safe.
Options: use insiders, infect from external systems, use a criminal organization's hacking resources, or use the available ATM software to remotely command cash-outs.
ATM CYBER PROTECTION
A_ Windows hardening
• Remove unnecessary applications, services & components
• Remove unnecessary users, accounts & privileges
• Reasonable OS patching policy in place
B_ Cyber protection
• Whitelisting
• Integrity control
• Device control
• Hard disk encryption
• Integrated firewall
• Security event monitoring
• Surveillance cameras
C_ Dispenser protection
• Dispenser must authenticate all PC commands
• Re-pairing requires secure physical access (e.g. the safe must be open)
• Strict dispenser firmware patching policy in place
ATM CYBER ATTACKS TODAY
COMFORT ZONE vs. WAR ZONE
[Figure: a scale running from the "Comfort zone" through the "Risk zone" to the "War zone"]
MALWARE ATTACK – COMFORT ZONE
Typical attack
• Infect with malware using a USB pen drive
• Run the malware using the keyboard
• Disable defenses if needed
Typical protection
• Disable untrusted USB devices
• Prevent unknown programs from running
• Disable keyboards
• Watch for ATMs going offline
Typical vulnerability
• No active protection
• Incomplete security policies
• Lenient security policies
BLACKBOX ATTACK – COMFORT ZONE
Typical attack
• Open the top box or make a hole in the fascia
• Connect the black box to the dispenser
• Re-pair if the connection is encrypted
• Downgrade the dispenser firmware if needed
Typical protection
• Encryption between dispenser and PC
• Common key used to authenticate the PC to the dispenser
• Patch dispenser firmware regularly
Typical vulnerability
• No or limited encryption
• Low protection level (logical)
• Vulnerable re-pairing procedure
NETWORK INTRUSION – RISK ZONE
Typical attack
• An insider takes control of the SW distribution server and the SW cyber protection server
Typical protection
• Segregated ATM network
• Active security monitoring
• Segregation of duties
Typical vulnerability
• Inadequate personnel screening
• Inadequate procedural controls
ENTER THE WAR ZONE
WAR ZONE EXCLUSIVES!!
WAR ZONE EXCLUSIVE 1: REFINED INFECTION – BYPASS USB PROTECTION
Network based storage
• Use a micro-PC with attached network storage (pictured: LattePanda, Intel NUC)
• Connect to the ATM network via RJ45 and enable file sharing (SMB, NetBIOS…)
Abuse Windows features
• An example is WPD – Windows Portable Devices, a plug & play feature for devices such as cameras, phones, … that automatically loads drivers and device files into the PC
• A complete Windows hardening is a very complex task
WAR ZONE EXCLUSIVE 2: REFINED EXECUTION – BYPASS WHITELISTING
Keyboard emulator
• Executes complex commands by emulating a keyboard with preprogrammed keystrokes in order to command a cash-out
• Typically Arduino based
• Takes advantage of general purpose tools already present in the ATM PC (cmd.exe, regedit.exe, explorer.exe…), so no new executable has to get past the whitelist
WAR ZONE EXCLUSIVE 3: REFINED SECURITY BYPASS – RE-PAIRING BLACK BOXES
Endoscope attack
• The cover of the cash dispense shutter is unscrewed and damaged
• An endoscope with a magnet or knob on its tip is inserted through the damaged shutter
• The tip of the endoscope touches a sensor or pushes a button or toggle, depending on the model, so as to trick the ATM into believing that the vault is open
• The Black Box can then be paired with the dispenser
Firmware downgrade
• So that physical access to the safe is no longer required to re-pair
• Presented at Black Hat USA 2018. A patch is available from the manufacturer.
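The three dispenser protections from the "ATM cyber protection" slide (authenticate every PC command, re-pair only with secure physical access, strict firmware patching) and the two bypasses above (tricking the vault-open sensor, downgrading the firmware) can be walked through in a toy model. The Python below is an added example, not GMV's or any dispenser vendor's protocol: the HMAC-over-counter command scheme, the `vault_open` sensor flag, the `Dispenser` and `AtmPc` classes and the version-number anti-rollback check are all assumptions made for illustration.

```python
"""Toy model of dispenser-side command authentication and pairing.

Added example, not GMV's or any vendor's protocol. Assumed design: after
pairing, the dispenser shares a symmetric key with the ATM PC; every
dispense command carries a strictly increasing counter and an HMAC-SHA256
tag; re-pairing is only accepted while the vault-open sensor is asserted;
firmware images older than the running one are refused.
"""
import hashlib
import hmac
import secrets
import struct


class Dispenser:
    """Dispenser-side state: pairing key, replay counter, firmware version."""

    def __init__(self, firmware_version):
        self.key = None             # set by pair(); None = never paired
        self.last_counter = 0       # highest command counter accepted so far
        self.firmware_version = firmware_version
        self.vault_open = False     # physical sensor; the endoscope attack forges it

    def pair(self, new_key):
        """Accept a new pairing key only while the vault sensor reads 'open'."""
        if not self.vault_open:
            return False
        self.key = new_key
        self.last_counter = 0
        return True

    @staticmethod
    def tag(key, counter, command):
        """MAC over counter || command so neither can be altered or replayed."""
        return hmac.new(key, struct.pack(">Q", counter) + command,
                        hashlib.sha256).digest()

    def execute(self, counter, command, tag):
        """Return 'DISPENSED' or a rejection reason; never dispense unauthenticated."""
        if self.key is None:
            return "REJECT: not paired"
        if counter <= self.last_counter:
            return "REJECT: replay"
        if not hmac.compare_digest(self.tag(self.key, counter, command), tag):
            return "REJECT: bad MAC"
        self.last_counter = counter
        return "DISPENSED"

    def update_firmware(self, version):
        """Anti-rollback: refuse any image older than the running version."""
        if version < self.firmware_version:
            return False
        self.firmware_version = version
        return True


class AtmPc:
    """Host side: whoever holds the pairing key can sign commands."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def dispense(self, dispenser, notes):
        self.counter += 1
        command = b"DISPENSE:%d" % notes
        return dispenser.execute(self.counter, command,
                                 Dispenser.tag(self.key, self.counter, command))


def scenario():
    """Legitimate use, then the black-box attempts, as the dispenser sees them."""
    r = {}
    disp = Dispenser(firmware_version=3)
    r["unpaired_dispense"] = disp.execute(1, b"DISPENSE:10", bytes(32))

    # Service pairing with the safe physically open, then normal operation.
    key = secrets.token_bytes(32)
    disp.vault_open = True
    r["initial_pairing"] = disp.pair(key)
    disp.vault_open = False
    pc = AtmPc(key)
    r["legit_dispense"] = pc.dispense(disp, 10)

    # Black box on the dispenser cable without the key: it can only guess a tag.
    r["blackbox_dispense"] = disp.execute(99, b"DISPENSE:40", bytes(32))
    # Black box replays the PC's last valid command (same counter, same tag).
    r["replay"] = disp.execute(pc.counter, b"DISPENSE:10",
                               Dispenser.tag(key, pc.counter, b"DISPENSE:10"))
    # Black box tries to re-pair with its own key while the safe is closed.
    attacker_key = b"attacker-key" * 2
    r["repair_vault_closed"] = disp.pair(attacker_key)
    # Downgrade to firmware that did not require the safe open is refused.
    r["firmware_downgrade"] = disp.update_firmware(2)

    # Endoscope attack: the sensor is tricked into reporting 'open', which the
    # dispenser cannot distinguish from a technician pairing.
    disp.vault_open = True
    r["repair_sensor_forged"] = disp.pair(attacker_key)
    r["blackbox_after_repair"] = AtmPc(attacker_key).dispense(disp, 40)
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The last two steps are the point of the slide: once the sensor is forged, the authentication scheme works exactly as designed for the attacker, so the re-pairing authorization has to come from something that cannot be reached through the shutter (the safe lock itself) and the anti-rollback check matters as much as the patch that introduced it.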
WAR ZONE EXCLUSIVE 4: REFINED INTRUSION – NETWORK INTRUSION
Hack the bank!
• Sophisticated intrusion into the bank's network, typically by a resourceful criminal organization
• Escalate and move through the network until all necessary servers are under control
• Remotely command cash-outs coordinated with mules. No specific ATM malware is required.
(Source: TrendLabs, Cashing in on ATM Malware)
WAR ZONE EXCLUSIVE 5: REFINED HOUSEKEEPING – CROOKS KEEP ONE STEP AHEAD
Preventing forensic analysis
• A good understanding of the attack is mandatory in order to understand how to protect against it
• When crooks find a new way to insert and/or execute malware, they take their time to ensure all traces are deleted after the attack
• They definitely know how to do this
ADAPTING TO THE FUTURE
WAR ZONE: LESSONS LEARNT
Today ATMs can be reasonably, but not perfectly, protected.
Most relevant: efficient operation of an ATM network requires some leniency in the security policies, e.g.:
• Allow USB devices and the administrative/diagnostic tools used for on-site support.
• Allow network file sharing and other remote services used for remote support.
Actually, the needs for protection and for efficient operation involve a trade-off.
Attackers are taking advantage of the fact that protection must coexist with dynamic operations.
BEHAVIOUR ANALYSIS
In the real world malware will enter through any security breach. We need a final barrier.
ATMs are quite stable execution environments: good candidates for behaviour analysis.
ATM transaction workflows are especially stable: even better candidates.
Jackpotting involves strong anomalies in ATM behaviour. Detection of those anomalies is the key.
ATM network complexity challenge: manufacturers, models, operating systems and applications could make behaviour analysis non-viable.
Malware is in the ATM. But not everything is lost!
XFS BEHAVIOUR ANALYSIS
XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.
• Mitigates to some extent the challenge resulting from the complexity of large ATM networks.
• Multivendor solution by design.
• Every XFS request can be analyzed and filtered.
• Symbiotic relationship with a whitelisting solution: together they are stronger.
XFS: the standard layer for ATM real-time anomaly detection
[Figure: the ATM application, and any malware, issue calls through the XFS APIs; an XFS Filter inspects them in front of the XFS Manager, which reaches the service providers through the XFS SPIs]
Sample transaction trace as seen by the XFS filter:
24/01/17 16:36:56 INIT TRANSACTION
24/01/17 16:36:56 CARD EMV: ************3688
24/01/17 16:37:02 VALIDATE TRANSACTION.
24/01/17 16:37:16 ASK PIN.
24/01/17 16:37:19 ASK PIN FINISHED.
24/01/17 16:37:19 PIN BLOCK.
24/01/17 16:37:20 PIN BLOCK FINISHED.
24/01/17 16:37:20 VALIDATE TRANSACTION.
24/01/17 16:37:20 COORDINATION NUMBER SENT: 9
24/01/17 16:37:20 BUFFERAMOUNT: 00000050
24/01/17 16:37:21 TRANSACTION REQUEST: AABB AA
24/01/17 16:37:25 HOST ANSWER. STATUS: A12. FUNCTION: U
24/01/17 16:37:25 TRANSACTION CURRENCY CODE: 0484.
24/01/17 16:37:25 TRANSACTION EXPONENT: 02.
24/01/17 16:37:25 TRANSACTION TYPE: 01.
24/01/17 16:37:25 TRANSACTION CATEGORY CODE: 5A.
24/01/17 16:37:26 OBTAINING PIN TRY COUNTER: 9F170105
24/01/17 16:37:26 READING INTERNATIONAL CVM [VD]
24/01/17 16:37:26 READING INTERNATIONAL IACS [VD]
24/01/17 16:37:26 FINISH PROCESS EMV RESPONSE.
24/01/17 16:37:26 HOST ANSWER. STATUS: 426 FUNCTION: 2
24/01/17 16:37:26 NOTE DISPENSE: 01000000
24/01/17 16:37:36 NOTES PRESENTED
24/01/17 16:37:46 NOTES EXTRACTED
24/01/17 16:37:51 COMMAND EJECT CARD.
24/01/17 16:37:53 COMMAND EJECT CARD FINISHED.
24/01/17 16:37:54 CARD EXTRACTED
24/01/17 16:37:54 END TRANSACTION
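As an added example of the kind of filter rule the slide describes (not GMV's CHECKER or any product's logic), the following Python replays the trace above and flags a NOTE DISPENSE that arrives outside the application's transaction workflow. The trace format, the list of required prior steps and the two extra traces (a direct drive of the dispenser with no transaction at all, and a dispense before the PIN block and host authorization) are assumptions constructed for the example; the legitimate trace reuses the slide's lines, abridged.

```python
"""Toy XFS-filter behaviour check over a transaction trace.

Added example, not GMV's CHECKER or any vendor's product. Rules and trace
format are assumptions for illustration: a dispense is only legitimate
inside an application transaction that has already seen a card, a finished
PIN block and a host answer, and at most one dispense per transaction.
"""
import re

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")

# Workflow steps the ATM application must have produced before a dispense
# (matched as prefixes of the trace event text).
REQUIRED_BEFORE_DISPENSE = ("CARD", "PIN BLOCK FINISHED", "HOST ANSWER")


class TxnState:
    """What the filter has seen in the current transaction."""

    def __init__(self):
        self.in_transaction = False
        self.seen = []        # event texts seen since INIT TRANSACTION
        self.dispenses = 0    # NOTE DISPENSE requests in this transaction

    def saw(self, prefix):
        return any(e.startswith(prefix) for e in self.seen)


def analyse(trace):
    """Return [(timestamp, reason)] for every anomalous NOTE DISPENSE."""
    alerts = []
    state = TxnState()
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a trace line
        ts, event = m.groups()
        if event.startswith("INIT TRANSACTION"):
            state = TxnState()
            state.in_transaction = True
        elif event.startswith("END TRANSACTION"):
            state = TxnState()
        elif event.startswith("NOTE DISPENSE"):
            state.dispenses += 1
            if not state.in_transaction:
                # Malware calling the dispenser service directly: the
                # application never opened a transaction.
                alerts.append((ts, "dispense outside any transaction"))
                continue
            missing = [p for p in REQUIRED_BEFORE_DISPENSE if not state.saw(p)]
            if missing:
                alerts.append((ts, "dispense before " + ", ".join(missing)))
            if state.dispenses > 1:
                alerts.append((ts, "repeated dispense within one transaction"))
        else:
            state.seen.append(event)
    return alerts


# Legitimate withdrawal: lines taken from the slide's trace (abridged).
LEGIT_TRACE = """\
24/01/17 16:36:56 INIT TRANSACTION
24/01/17 16:36:56 CARD EMV: ************3688
24/01/17 16:37:02 VALIDATE TRANSACTION.
24/01/17 16:37:16 ASK PIN.
24/01/17 16:37:19 ASK PIN FINISHED.
24/01/17 16:37:19 PIN BLOCK.
24/01/17 16:37:20 PIN BLOCK FINISHED.
24/01/17 16:37:21 TRANSACTION REQUEST: AABB AA
24/01/17 16:37:25 HOST ANSWER. STATUS: A12. FUNCTION: U
24/01/17 16:37:26 HOST ANSWER. STATUS: 426 FUNCTION: 2
24/01/17 16:37:26 NOTE DISPENSE: 01000000
24/01/17 16:37:36 NOTES PRESENTED
24/01/17 16:37:46 NOTES EXTRACTED
24/01/17 16:37:51 COMMAND EJECT CARD.
24/01/17 16:37:54 CARD EXTRACTED
24/01/17 16:37:54 END TRANSACTION
"""

# Constructed: malware drives the dispenser directly, twice, with no card,
# PIN or host authorization at all.
JACKPOT_TRACE = """\
24/01/17 23:02:10 NOTE DISPENSE: 40000000
24/01/17 23:02:25 NOTES PRESENTED
24/01/17 23:02:31 NOTES EXTRACTED
24/01/17 23:02:35 NOTE DISPENSE: 40000000
24/01/17 23:02:50 NOTES PRESENTED
24/01/17 23:02:55 NOTES EXTRACTED
"""

# Constructed: a transaction is opened and a card read, but the dispense
# arrives before the PIN block and before any host authorization.
SKIP_HOST_TRACE = """\
24/01/17 23:10:00 INIT TRANSACTION
24/01/17 23:10:01 CARD EMV: ************0000
24/01/17 23:10:04 NOTE DISPENSE: 01000000
24/01/17 23:10:20 END TRANSACTION
"""

if __name__ == "__main__":
    for name, trace in [("legit", LEGIT_TRACE), ("jackpot", JACKPOT_TRACE),
                        ("skip_host", SKIP_HOST_TRACE)]:
        print(name, analyse(trace))
```

The rule set is deliberately tied to the application's workflow rather than to any malware signature: it fires on what a cash-out must do (drive the CDM) and on what it cannot do (reproduce the card, PIN and host steps), which is why the slide calls the transaction workflow the best candidate for behaviour analysis.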
KEEP YOURSELF INFORMED!
Thank you! jjleon@gmv.com
New version available soon!