ATM hackers have picked up some clever new tricks


In the decade since hacker Barnaby Jack famously made an ATM spit out cash on stage at the 2010 Black Hat security conference in Las Vegas, so-called jackpotting has become a popular criminal enterprise, with heists netting tens of millions of dollars around the world. And over time, attackers have become increasingly savvy in their methods.

At last week’s Black Hat and Defcon security conferences, researchers dug into recent developments in ATM hacking. Criminals have increasingly tuned their malware to manipulate even niche, proprietary banking software to steal from ATMs, while still relying on the classics, including newly discovered remote attacks that target specific ATM models.

During Black Hat, Kevin Perlow, technical threat intelligence team lead at a large, private financial institution, analyzed two cash-out tactics that represent different current approaches to jackpotting. One looked at the ATM malware known as INJX_Pure, first seen in the spring of 2019. INJX_Pure manipulates both the eXtensions for Financial Services (XFS) interface, which supports basic functions on an ATM such as running and coordinating the PIN pad, card reader and cash dispenser, and a bank’s own proprietary software together to cause jackpotting. The original malware samples were uploaded to scanners from Mexico and then later from Colombia, but little is known about the actors using INJX_Pure. The malware is nonetheless significant because it is tuned to the ATMs of a specific bank, probably in a specific region, indicating that attackers may find it worthwhile to develop targeted jackpotting malware even for limited use, rather than focusing only on tools that will work anywhere in the world.

“It’s just to intimidate actors in general to use XFS in their ATM malware to get an ATM to do things it does not need to do, but the INJX_Pure developer’s implementation of it was unique and very specific for certain purposes,” says Perlow.

In July, ATM maker Diebold Nixdorf issued a similar warning about another type of malware, saying that an attacker in Europe had jackpotted ATMs by targeting the company’s own proprietary software.

Perlow also looked at FASTCash malware, used in jackpotting campaigns that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency attributed to North Korean hackers in October 2018. North Korea has used the malware to cash out tens of millions of dollars around the world, with coordinated groups of money mules collecting the cash. FASTCash does not target the ATMs themselves, but a standard for financial card transactions known as ISO 8583. The malware infects software that runs on so-called “payment switches”, financial infrastructure devices that run the systems responsible for relaying transaction requests from ATMs and the responses from banks. By infecting one of these switches instead of attacking an individual ATM, FASTCash attacks can coordinate cash-outs from dozens of ATMs simultaneously.

“If you can do this, you no longer have to place malware on 500 ATMs,” Perlow says. “That’s the advantage, and why it’s so clever.”

Attacks are evolving even in controlled lab settings. Researchers from embedded device security company Red Balloon Security detailed two specific vulnerabilities in so-called retail ATMs made by Nautilus Hyosung. These are the types of ATMs you would find in a bar or corner store, as opposed to the “financial” ATMs used in banks. The vulnerabilities could be exploited by an attacker on the same network as a victim’s ATM to take control of the device and dispense cash without any physical interaction.

Hyosung, which has more than 140,000 ATMs deployed in the United States in total, patched the flaws in early September. But as with many connected devices, there can be a big gap between offering a fix and getting ATM operators to install it. Red Balloon researchers estimate that as many as 80,000 ATMs in the US were still vulnerable.
