ATM malware is clearly a hot topic and a big concern for the banking industry. Our experience in this field, backed by recent incidents, shows that this rapidly growing threat is severely hitting ATM infrastructures worldwide. A recent report from Europol and Trend Micro also highlights that ATM malware is on the rise.
The attackers were able to breach the financial institution's internal network, then moved laterally and compromised the software distribution system, which was used to push the malware to multiple ATMs. Once installed on the ATMs, the malware, dubbed "RIPPER", was used to "jackpot" them.
The modus operandi of these attacks unveils a combination of sophisticated hacking techniques, deep knowledge of the bank’s internal infrastructure and ATM operations, and the use of cutting-edge ATM malware.
Although the attack has been reported in Thailand, it is highly probable that it has or will hit other countries or regions, and it actually resembles the Carbanak attack that shocked the industry in 2015 (see our blog post).
ATM Jackpotting using RIPPER Malware
ATM jackpotting, or the use of malware to "cash out" ATMs, is nowadays one of the trendiest ATM cybercrime tactics. Criminals use it to gain full control of the ATM hardware devices (dispenser, card reader and PIN pad), allowing them to steal large amounts of cash without having to use a credit or debit card.
Although jackpotting is nothing new, and there are many well-known malware families using similar techniques (Tyupkin, Suceful, Greendispenser…), the attacks in Thailand seem to be using a new generation of malware dubbed “RIPPER”.
This is how the ATM Jackpotting attack works:
- Criminals gain access to the financial institution internal network
- Once inside the network, the criminals move laterally until they compromise the software distribution system
- The compromised software distribution system is used to push the "RIPPER" malware to multiple ATMs, with no need for physical access to infect them, as is the case with the Tyupkin attacks (see our blog post)
- RIPPER can maintain persistence in the ATM using two modes: either as a new service or masquerading as a legitimate ATM process (killing the legitimate ATM process and replacing the executable file)
- The malware runs in the background, waiting for the criminal to insert a specially manufactured ATM card with a malicious EMV chip
- Once the malware is activated through the malicious card, it will take control of the ATM, displaying a custom GUI allowing the criminal to perform the cash-out
- RIPPER also includes some advanced options like disabling the network or removing any traces of the attack (executables, logs)
Security Measures against ATM Malware
Cyber-criminals are extremely agile and innovative in producing new types of ATM logical attacks, since these are far less risky and much more profitable than traditional physical attacks; they are also helped by the very poor security measures currently deployed on many ATMs.
Every ATM is exposed to malware attacks and therefore, the application of robust and efficient security countermeasures becomes a basic and non-negotiable necessity.
Effectively managing the security of an ATM network requires a comprehensive protection model that would prevent execution of fraudulent software (Application Whitelisting), block attempts to replace legitimate files (File Integrity Protection), prevent connection of untrusted hardware (HW Protection) and avoid manipulation of hard disk data from outside the operating system (Full Disk Encryption).
Additionally, it is critical to monitor security aspects of the ATM machines, having a centralized view of the ATM network, while adding an extra control layer allowing to run custom remote actions to investigate or react to potential incidents.
In the case of the RIPPER attacks, Application Whitelisting would have prevented RIPPER from running as a new service, while File Integrity Protection would have prevented RIPPER from masquerading as a legitimate process by replacing its executable. Continuous monitoring of ATM connectivity would have raised an alert when the attacked ATMs went offline, and the ability to run remote custom actions would help to quickly and remotely identify and clean the infected ATMs, without the need to take them out of service and send technicians on-site to perform this job.
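As an added illustration of how those two controls map onto RIPPER's two persistence modes, the following script (an example written for this post, not code from S21sec or from the Lookwise product) builds a hash baseline of the executables on an ATM image, then re-checks the filesystem and the list of installed services against it. A replaced legitimate binary shows up as "modified" and a dropped service binary as "unknown", so both the masquerading mode and the new-service mode are flagged. The directory layout, file names (`atm_app.exe`, `xfs_mgr.exe`, `rpr.exe`) and service names are constructed for the demo and are not taken from the real attack.

```python
"""Allowlist + file-integrity check illustrating how RIPPER's two persistence
modes would be detected. Added example; file names, service names and the
directory layout are constructed for the demo, not taken from the incident."""
import hashlib
import os
import tempfile
from pathlib import Path

# Executable types we baseline on a Windows-based ATM image (assumption).
EXEC_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Golden image: relative path -> sha256 for every executable under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live filesystem with the baseline.
    Status per file: ok / modified (legit file replaced) / unknown (new binary) / missing."""
    current = build_baseline(root)
    report = {}
    for rel, digest in baseline.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] != digest:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in baseline:
            report[rel] = "unknown"
    return report


def audit_services(services: dict, report: dict) -> dict:
    """Application-whitelisting view: every installed service must point at a
    binary that is both in the baseline and unmodified. services maps
    service name -> binary path relative to the ATM root (constructed input)."""
    flagged = {}
    for name, rel in services.items():
        status = report.get(rel, "unknown")   # a path we never baselined is unknown
        if status != "ok":
            flagged[name] = status
    return flagged


def simulate_ripper() -> tuple:
    """Build a clean image, apply both RIPPER persistence modes, then re-check.
    Returns (integrity report, flagged services)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "xfs").mkdir()
        (root / "app" / "atm_app.exe").write_bytes(b"legit ATM application v1")
        (root / "xfs" / "xfs_mgr.exe").write_bytes(b"legit XFS manager v1")
        baseline = build_baseline(root)

        # Mode 2: kill the legitimate ATM process and replace its executable.
        (root / "app" / "atm_app.exe").write_bytes(b"RIPPER masquerading as atm_app")
        # Mode 1: drop a new binary and register it as a service.
        (root / "svc").mkdir()
        (root / "svc" / "rpr.exe").write_bytes(b"RIPPER service binary")
        services = {
            "ATMApp": "app/atm_app.exe",
            "XFSMgr": "xfs/xfs_mgr.exe",
            "UpdSvc": "svc/rpr.exe",          # the attacker-registered service
        }

        report = check_integrity(root, baseline)
        return report, audit_services(services, report)


if __name__ == "__main__":
    integrity, bad_services = simulate_ripper()
    for path, status in sorted(integrity.items()):
        print(f"{status:9} {path}")
    print("services to investigate:", bad_services)
```

In production the baseline would be signed and kept off the ATM, and the check would run from a protected agent or from the central console rather than from the same disk the malware can edit, which is also why the article pairs these controls with full disk encryption and hardware protection.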
S21sec Approach to ATM Security
S21sec has extensive expertise in the development of solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager is an integrated multivendor security solution to manage the security of ATM networks, providing the most advanced set of countermeasures to block the new generation of logical-physical attacks based on malware. It also allows monitoring of security aspects of the ATM machines, adding an extra control layer to run custom remote actions, all with minimal consumption of resources, thus limiting the impact on the performance of the ATM.
S21sec also provides specialized and advanced security services for financial organizations.
We are members and sponsors of the main ATM industry associations, like ATMIA and ATEFI.
For further information please contact us.
Juan Ramón Aramendía
S21sec Product Marketing Manager