COBALT: ORGANIZED CRIME HITTING EUROPEAN ATMS
ATM malware is clearly a hot topic and a big concern nowadays for the banking industry. There is no doubt that the number of attacks is growing rapidly and that attacks are targeting all countries and regions.
In July 2016 cyber criminals cashed out over $2 million from 34 ATMs at First Bank in Taiwan, and in August 2016 the Government Savings Bank in Thailand was hit, allowing the criminals to steal a total of $350,000 in cash and obliging the bank to deactivate 3,300 ATMs, half of its network. As we anticipated in a recent blog post, these attacks were very likely to spread to other countries and regions, and now it is Europe's turn.
A recent report from the Russian cybersecurity firm Group-IB shows that an organized cyber criminal group called COBALT has recently attacked ATMs in more than a dozen countries in Europe, including the United Kingdom, Spain, Russia, the Netherlands and Poland. This confirms some of the trends we have seen recently, such as the fact that ATM attacks are becoming very professionally organized while they move from physical to logical attacks, since the latter are far less risky and much more profitable than the former.
ATM attacks from within the internal network
The main novelty of the recent wave of ATM attacks is that they are network-based: they do not require physical access to the ATM, but instead deliver the infection from within the bank's internal network.
This type of attack is the trendiest tactic of the moment, and although it is very sophisticated and requires a high level of planning and hacking skill, once the bank's internal network is compromised the attack is extremely effective: many ATMs can be jackpotted simultaneously, yielding large payoffs.
That is why organized criminal gangs like COBALT are dedicating big efforts to carefully planning and executing these types of attacks.
This is how COBALT's network-based ATM attack works:
- Criminals gain access to the financial institution's internal network by means of spear phishing emails with malicious attachments
- Once inside the network, through privilege escalation techniques that exploit vulnerabilities in the domain controller, and further lateral movement, the criminals compromise critical systems with access to the ATM infrastructure
- The attackers build a network of infected systems that is centrally controlled by a command and control center, operated by the criminal gang and remaining undetected by the bank
- The operator gets access to the ATMs via Remote Desktop connections and infects them by pushing the malware. Having done this, the whole ecosystem is ready to launch the attack
- The ATM malware abuses the standard XFS API to gain full control of the ATM dispenser, allowing it to perform the jackpotting
- The attack is fully controlled by the gang's operator, who remotely issues the cash-out commands and instructs the mules when they can collect the cash. A log of all activities is generated and collected by the operator to make sure the mules don't act on their own
- Finally, after the attack is perpetrated, the operator remotely removes all evidence, preventing any trace of the attack from being recovered
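The chain above gives the defender one concrete signal to look for: the malware reaches the ATMs over Remote Desktop from a compromised internal host, and a single operator fans out across many ATMs in a short window. On a Windows ATM an RDP session produces Security event 4624 with logon type 10 (RemoteInteractive), so a central log collector can flag RDP logons to ATM hosts whose source address is not one of the bank's approved management jump hosts, and can highlight one source touching several ATMs. The following script is an added example and is not code from the post, from Group-IB or from S21sec; the host names, addresses and event records are constructed samples in the shape a collector might export.

```python
"""Detect Remote Desktop logons to ATM hosts that do not originate from an
approved management source, and spot one source fanning out across ATMs.

Added example (not from the original post, Group-IB or S21sec).  Assumes the
collector exports Windows Security events as dicts with the fields below
(EventID 4624 = successful logon; LogonType 10 = RemoteInteractive/RDP).
Host names, addresses and records are constructed.
"""

# Constructed: which collected hosts are ATMs, and which addresses are
# allowed to open RDP sessions to them (the bank's management jump hosts).
ATM_HOSTS = {"ATM-0123", "ATM-0124", "ATM-0125"}
ALLOWED_MGMT_SOURCES = {"10.10.5.10", "10.10.5.11"}

# Constructed sample of exported Security events.
SAMPLE_EVENTS = [
    {"time": "2016-11-20T02:13:41Z", "host": "ATM-0123", "event_id": 4624,
     "logon_type": 10, "user": "atmadmin", "src_ip": "10.10.5.10"},  # jump host: fine
    {"time": "2016-11-20T02:15:02Z", "host": "ATM-0123", "event_id": 4624,
     "logon_type": 10, "user": "atmadmin", "src_ip": "10.20.33.7"},
    {"time": "2016-11-20T02:15:40Z", "host": "ATM-0124", "event_id": 4624,
     "logon_type": 10, "user": "atmadmin", "src_ip": "10.20.33.7"},
    {"time": "2016-11-20T02:16:05Z", "host": "ATM-0125", "event_id": 4624,
     "logon_type": 10, "user": "atmadmin", "src_ip": "10.20.33.7"},
    {"time": "2016-11-20T02:17:11Z", "host": "ATM-0124", "event_id": 4624,
     "logon_type": 5, "user": "SYSTEM", "src_ip": "-"},             # service logon, not RDP
    {"time": "2016-11-20T02:18:00Z", "host": "FILESRV-01", "event_id": 4624,
     "logon_type": 10, "user": "jdoe", "src_ip": "10.20.33.7"},    # not an ATM
]


def is_rdp_logon(event):
    """True for a successful RemoteInteractive (RDP) logon record."""
    return event.get("event_id") == 4624 and event.get("logon_type") == 10


def find_suspicious_rdp_logons(events, atm_hosts, allowed_sources):
    """Return RDP logons to ATM hosts whose source is not an approved jump host."""
    return [
        e for e in events
        if is_rdp_logon(e)
        and e["host"] in atm_hosts
        and e["src_ip"] not in allowed_sources
    ]


def sources_touching_many_atms(suspicious, threshold=2):
    """Map each source address to the sorted list of distinct ATMs it reached,
    keeping only sources that reached at least `threshold` ATMs: one internal
    host fanning out across the fleet is the pattern of a centrally operated,
    multi-ATM jackpotting campaign."""
    per_source = {}
    for e in suspicious:
        per_source.setdefault(e["src_ip"], set()).add(e["host"])
    return {src: sorted(hosts) for src, hosts in per_source.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    hits = find_suspicious_rdp_logons(SAMPLE_EVENTS, ATM_HOSTS, ALLOWED_MGMT_SOURCES)
    for e in hits:
        print(f"ALERT {e['time']} RDP logon to {e['host']} as {e['user']} from {e['src_ip']}")
    for src, hosts in sources_touching_many_atms(hits).items():
        print(f"FAN-OUT {src} reached {len(hosts)} ATMs: {', '.join(hosts)}")
```

On the sample data the logon from the approved jump host is ignored, the service logon and the file-server logon are out of scope, and the three logons from 10.20.33.7 are reported, with that address also flagged for reaching three ATMs. In a real deployment the allowed-source set would come from the bank's management inventory, and the fan-out rule is the one worth paging on, since legitimate maintenance rarely opens RDP sessions to several ATMs within minutes.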
The modus operandi of these attacks reveals a combination of sophisticated hacking techniques, deep knowledge of the bank's internal infrastructure and ATM operations, and the use of cutting-edge ATM malware.
Again, we believe that we are only at the early stages of these types of attacks, which are very likely to spread widely and hit other countries and regions in the near future.
Security Measures against ATM Malware
Malware attacks are one of the biggest concerns in ATM fraud. Cyber criminals are extremely agile and innovative in producing new types of ATM logical attacks, since they are far less risky and much more profitable than traditional physical attacks, but they are also helped by the very poor security measures currently deployed on many ATM networks.
Every ATM is exposed to malware attacks, and therefore the application of robust and efficient security countermeasures is a basic and non-negotiable necessity.
Standard security measures to prevent intrusion into the bank's internal network, such as regularly updating Microsoft software or implementing Anti-APT solutions, are necessary, but the critical part of the attack takes place in the ATM itself, whose vulnerabilities are exploited to perform the cash-out.
Effectively managing the security of a network of ATMs requires a comprehensive protection model that prevents execution of fraudulent software (Application Whitelisting) and blocks attempts to replace legitimate files (File Integrity Protection). Additionally, it is critical to monitor security aspects of the ATM machines, having a centralized view of the ATM network, while adding an extra control layer that allows custom remote actions to be run to investigate or react to potential incidents.
Although not that relevant for this type of attack, it is also strongly recommended to prevent the connection of untrusted hardware (HW Protection) and to avoid manipulation of hard disk data from outside the operating system (Full Disk Encryption), since these are other common infection vectors for ATM malware.
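The two ATM-side controls named above, application whitelisting and file integrity protection, are simple to state and worth seeing in working form. The script below is an added example, not code from the post or from S21sec's Lookwise Device Manager: it takes a SHA-256 baseline of an ATM application directory from a trusted image, later reports files that were added, modified or removed, and makes the execution decision by hash rather than by path, so that a legitimate binary replaced in place is refused just like a newly dropped one. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Application allowlisting and file-integrity checks for an ATM software image.

Added example (not code from the post or from S21sec).  A baseline of
SHA-256 hashes is taken from a trusted image of the application directory;
verify_integrity() reports deviations, and execution_allowed() refuses to
run any executable whose hash is not in the baseline.  Directory layout,
file names and contents below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def verify_integrity(root, baseline):
    """Compare the current tree with the baseline and return the deviations."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def execution_allowed(path, allowed_hashes):
    """Allowlist decision: a binary may run only if its hash is known-good.
    Deciding on the hash rather than the path means a legitimate file that
    has been replaced in place is refused, not just a newly dropped one."""
    return sha256_of(path) in allowed_hashes


def demo():
    """Build a baseline, simulate a malware deployment on the ATM, and return
    the integrity report plus the allowlist decision for each executable."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "atmapp")
        os.makedirs(app)
        with open(os.path.join(app, "dispenser.dll"), "wb") as f:
            f.write(b"legitimate XFS service provider (constructed)")
        with open(os.path.join(app, "atmapp.exe"), "wb") as f:
            f.write(b"legitimate ATM application (constructed)")
        baseline = build_baseline(root)        # taken from the trusted image
        allowed = set(baseline.values())       # allowlist = baseline hashes

        # Simulated tampering (constructed): a legitimate DLL is replaced and
        # a new executable is dropped into the application directory.
        with open(os.path.join(app, "dispenser.dll"), "wb") as f:
            f.write(b"replaced file (constructed)")
        dropped = os.path.join(app, "dropped.exe")
        with open(dropped, "wb") as f:
            f.write(b"dropped binary (constructed)")

        report = verify_integrity(root, baseline)
        decisions = {
            "atmapp.exe": execution_allowed(os.path.join(app, "atmapp.exe"), allowed),
            "dropped.exe": execution_allowed(dropped, allowed),
            "dispenser.dll": execution_allowed(os.path.join(app, "dispenser.dll"), allowed),
        }
        return report, decisions


if __name__ == "__main__":
    report, decisions = demo()
    print("integrity:", report)
    print("allowlist:", decisions)
```

Running the demo reports the replaced DLL as modified and the dropped binary as added, allows the untouched application to run, and refuses both the dropped binary and the replaced DLL. A production agent would keep the baseline and the allowlist on storage the ATM operating system cannot alter, which is where the Full Disk Encryption and hardware controls mentioned above come in, and would enforce the decision in a kernel or driver-level hook rather than in a script.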
S21sec’s Approach to ATM Security
S21sec has extensive expertise in the development of security solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager is an integrated multivendor security solution for managing the security of ATM networks, providing the most advanced set of countermeasures to block the new generation of malware-based logical-physical attacks. It also allows security aspects of the ATM machines to be monitored, adding an extra control layer to run custom remote actions, all with minimal consumption of resources, thus limiting the impact on the performance of the ATM.
S21sec also provides specialized and advanced security services for financial organizations.
We are members and sponsors of the main ATM industry associations, such as ATMIA and ATEFI.
For further information please contact us.
Juan Ramón Aramendía
S21sec Product Marketing Manager