In October 2014, an investigation by the international police organization Interpol warned of a new type of banking malware, called Tyupkin, that allowed criminals to gain full control of ATMs and steal large amounts of cash without using a credit or debit card (see our blog post).
Far from being an isolated case, recent events show a surge in ATM-targeted malware attacks, with a variety of attack vectors that all share a common goal: stealing large amounts of cash directly from the bank, bypassing its customers entirely.
The hottest topic to date is the Carbanak APT (also known as Anunak), a sophisticated cyberattack affecting financial institutions in more than 30 countries with cumulative losses of up to 1 billion USD.
The initial attack vector was compromising the victim's network through spear-phishing emails that delivered the malicious code, which was later propagated to critical systems.
Having infected the machines of key users, the attackers spied on them to gain detailed knowledge of internal tools and procedures, enabling them to mimic legitimate activity while performing fraudulent actions that went unnoticed by the bank's fraud detection systems.
Although the criminals pursued multiple routes, one of the relevant targets was control of the Automated Teller Machine (ATM) network.
ATM Network Control with Carbanak
Once the Carbanak APT had compromised the victim's network, the attackers gained access to the ATM management infrastructure and infected those systems with their own malicious software.
Although further techniques may remain undiscovered, evidence of the following ATM-targeted malware attacks has been found:
- Change Denomination of Withdrawal Banknotes
The ATM was manipulated to modify the banknote denominations, allowing mules to withdraw more money than was actually registered in the transaction.
The attackers uploaded malicious scripts and modified the ATM operating system registry to change the denominations of issued banknotes. As a result, a transaction for 10 notes with a denomination of 100 roubles gave the attackers 10 notes with a denomination of 5,000 roubles.
- Remote Withdrawal of Cash from Dispenser
The ATM network was used to dispense cash from specific ATMs at specific times, when money mules were ready to collect it.
The attackers used a modified debug program that accepts commands to issue money from the dispenser. The original program only works when the ATM door is open; the tampered version ignored that check.
The criminals were able to control computers with access to the internal ATM network, using them to remotely issue cash withdrawal commands.
Based on this evidence we can say that the Carbanak campaign is a clear indicator of a new era in cybercrime, in which criminals use APT techniques directly against the financial industry instead of going through its customers. APTs are no longer only about stealing information.
ATM Targeted Malware vs Lack of Security Measures
Malware attacks are one of the biggest concerns in ATM fraud, since for the criminal they are far less risky and much more profitable than traditional skimming or physical attacks.
The criminals are extremely agile and innovative in producing new types of malware to launch direct APT-like attacks against banks, but they are also helped by the very poor security of ATMs, which still run outdated Microsoft Windows versions, and by weaknesses in the ATM infrastructure.
Every ATM is exposed to malware attacks, so applying strong security countermeasures is a must. An integrated security solution combining Application Whitelisting, Full Disk Encryption, Hardware Protection and File Protection provides the most effective countermeasure against this new generation of attacks.
In the case of the attacks described above, Application Whitelisting would have prevented the script that changed the banknote denominations from running, while File Protection would have prevented the attackers from replacing the ATM debug program binary. Both controls only hold if their policy is enforced on the ATM itself and cannot be altered from the compromised management network the attackers already controlled.
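The following is an added example, not code from the original post or from S21sec's products, showing the two checks described above for both Carbanak techniques: an allowlist decision that refuses to run an unlisted script, and a hash baseline that detects a replaced binary. File names such as `dispenser_debug.exe` and `set_denom.vbs`, and the file contents, are constructed for the illustration; a real deployment would hold the baseline somewhere the attacker cannot rewrite it.

```python
"""Allowlist + file-integrity baseline, as an added example (not S21sec code).

Two controls modelled on the Carbanak ATM techniques:
  1. Application Whitelisting: only execute files whose path and hash are in
     the baseline, so an uploaded denomination-changing script is refused.
  2. File Protection: detect a binary (the dispenser debug tool) that has
     been replaced by a tampered copy, by comparing its hash to the baseline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streaming SHA-256 of a file (binaries may be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map POSIX-style relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root, baseline):
    """File Protection: report files that changed, disappeared or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def execution_allowed(root, rel_path, baseline):
    """Application Whitelisting: run only if path is listed AND its hash matches."""
    expected = baseline.get(rel_path)
    if expected is None:
        return False, "not on allowlist"
    full = Path(root) / rel_path
    if not full.is_file():
        return False, "file missing"
    if sha256_of(full) != expected:
        return False, "hash mismatch (binary replaced or modified)"
    return True, "ok"


def demo():
    """Constructed scenario: both Carbanak techniques against a baselined ATM image."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        # Hypothetical ATM software; contents are placeholders, not real binaries.
        (root / "bin" / "dispenser_debug.exe").write_bytes(
            b"ORIGINAL DEBUG TOOL: dispenses only when door sensor reports open\n")
        (root / "bin" / "xfs_agent.exe").write_bytes(b"ORIGINAL XFS AGENT\n")
        baseline = build_baseline(root)  # taken while the image is known-good

        # Technique 1: attacker uploads a script to change banknote denominations.
        (root / "bin" / "set_denom.vbs").write_text("' constructed attacker script\n")
        script_decision = execution_allowed(root, "bin/set_denom.vbs", baseline)

        # Technique 2: attacker swaps the debug tool for one that skips the door check.
        (root / "bin" / "dispenser_debug.exe").write_bytes(
            b"TAMPERED DEBUG TOOL: door check removed\n")
        tool_decision = execution_allowed(root, "bin/dispenser_debug.exe", baseline)

        return {
            "script": script_decision,
            "debug_tool": tool_decision,
            "findings": check_integrity(root, baseline),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allowlist keys on both path and hash, so a replaced binary is refused even though its path is listed, and the integrity sweep separately reports it as modified and the dropped script as unexpected. Neither check helps if the attacker, having taken over the management infrastructure, can also push a new baseline; the enforcement point and the policy store have to sit outside what the management network can write.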
S21sec Approach to ATM Security
S21sec has extensive expertise in developing solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager helps protect ATM networks from logical attacks by restricting their use to authorized hardware and processes, monitoring ATM activity, and allowing remote actions to be executed.
S21sec also provides specialized and advanced security services for financial organizations.
We are members of ATMIA and ATEFI industry associations.
Juan Ramón Aramendía
Lookwise Product Marketing Manager