Three ways to hack an ATM: remotely, almost remotely, and with a drill

Tomcat

Kaspersky Lab is investigating various methods of hacking ATMs: using remotely controlled malware, as well as using a Bluetooth keyboard and a drill.

You may have noticed that we really like ATMs. We don't hack them ourselves, of course, except for our own test samples, but if someone else does, we're happy to investigate. At SAS 2017, the main cybersecurity conference of the year, Kaspersky Lab specialists Sergey Golovanov and Igor Sumenkov talked about three interesting ways to hack an ATM.

ATMitch, remote-controlled malware

So the ATM was empty. After examining the machine, the bank's security service found no malware, no strange fingerprints, no traces of physical hacking or connection of any third-party devices capable of taking control of the ATM. No one found the money either.

However, the bank's employees did find something: a text file named kl.txt. They suggested that "kl" might have something to do with KL, i.e. Kaspersky Lab, and contacted us with this question. That's how we started investigating this case.

Having received data from the same log.txt, our researchers were able to formulate a rule for YARA, a malware research tool. Simply put, they set up a search query against a database of malicious files and waited. A day later, the search bore fruit: the file tv.dll was found, and it had already surfaced twice before, in Russia and in Kazakhstan. This thread was enough to unravel the whole knot.

After carefully examining the DLL file, our specialists were able to understand how the attack was carried out, and even reproduced it on a special ATM installed in our laboratory. And everything worked out: the tested ATM obediently gave them the banknotes loaded into it.

ATMitch in action

The attack began with the criminals breaking into the bank's server through a long-known but unpatched vulnerability (we have said before that updating software is necessary, important and useful; here is a vivid example).

The fraudsters used open-source, publicly available programs to infect the bank's computers. However, the malware turned out to be very clever: it kept its data in the system's RAM rather than on the hard disk, so it remained invisible to security solutions. Moreover, after a reboot, any traces of the infection disappeared.

After taking control of the bank's computers, the malware connects to the command-and-control server and allows the fraudsters to remotely upload malware directly to the ATM system.

This is how ATMitch gets onto the ATM itself. Thanks to the tunnel set up from the command server to the bank, all of this looks like a completely legitimate software update, so no security tool raises an alarm. Once inside, ATMitch searches for a file named command.txt. It contains single-character commands that are used to control the ATM; for example, "O" means "Open the cash withdrawal tray".

After finding the file, ATMitch first asks how much money is in the ATM, and then asks the machine to dispense a certain number of bills. By this time, an accomplice of the criminals is already standing next to the ATM; he takes the cash and disappears as if nothing had happened.

The criminals tried to cover all their traces, so the bank's specialists did not find any third-party executable files on the hard drive of the robbed ATM. After the cash was dispensed, ATMitch even deleted command.txt.
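The pattern described above (a control file appears on the ATM host, is read, and is deleted minutes later) is something a defender can look for in file-activity telemetry. The snippet below is an added example, not code from the Kaspersky article or from ATMitch; the event format, file paths and process names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity events: (timestamp, action, path, process).
# Illustrative only; they are not real ATM logs.
SAMPLE_EVENTS = [
    ("2017-03-01T10:00:01", "create", r"C:\ATM\XFS\command.txt", "updater.exe"),
    ("2017-03-01T10:00:03", "read",   r"C:\ATM\XFS\command.txt", "xfs_host.exe"),
    ("2017-03-01T10:00:09", "delete", r"C:\ATM\XFS\command.txt", "xfs_host.exe"),
    ("2017-03-01T11:30:00", "create", r"C:\Logs\kl.txt",         "xfs_host.exe"),
    ("2017-03-02T09:00:00", "create", r"C:\Temp\command.txt",    "notepad.exe"),
]

WATCHED_NAME = "command.txt"  # the control file name named in the article


def _parse(event):
    ts, action, path, proc = event
    return datetime.fromisoformat(ts), action, path, proc


def find_transient_command_files(events, window_seconds=300):
    """Return alerts for files named command.txt that are created and then
    deleted within window_seconds, i.e. the write-execute-wipe sequence
    attributed to ATMitch. Each alert is a tuple:
    (path, created_at, deleted_at, sorted list of processes involved)."""
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(list)  # path -> [(created_at, creating process)]
    alerts = []
    for ts, action, path, proc in sorted(map(_parse, events)):
        if not path.lower().endswith("\\" + WATCHED_NAME):
            continue  # only the control file name is of interest here
        if action == "create":
            pending[path].append((ts, proc))
        elif action == "delete" and pending[path]:
            created_at, creator = pending[path].pop(0)
            if ts - created_at <= window:
                alerts.append((path, created_at.isoformat(), ts.isoformat(),
                               sorted({creator, proc})))
    return alerts


if __name__ == "__main__":
    for alert in find_transient_command_files(SAMPLE_EVENTS):
        print("suspicious transient control file:", alert)
```

The lone command.txt under C:\Temp is never deleted and therefore produces no alert, while the XFS-directory file is flagged together with both processes that touched it.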

ATMitch is potentially capable of infecting any ATM that supports the XFS library, and almost all modern banking machines do. You can read more about this scam at securelist.ru.

Bl@ckb0x_m@g1k: a simple but very effective trick

This story is shorter. It all started with another call from a bank. A classic dead-end situation: empty logs, no suspicious files on the hard drive, and, on top of that, the fraudster had even taped over the lens of the surveillance camera. Well, how could we pass up such a case?

We asked the bank's representatives to deliver the ATM to our office. After taking it apart, we found (can you guess?) a Bluetooth adapter connected to the ATM's USB hub. And on the hard disk there were drivers for a Bluetooth keyboard.

This was enough to reconstruct the entire scheme. First the fraudster connected the Bluetooth adapter to the ATM, and then waited three months for the logs to be cleared (they are kept for exactly that long). The criminal then returned, taped over the surveillance camera, took out a Bluetooth keyboard, paired it, and rebooted the device into maintenance mode. From there he was able to launch the service menu and empty the cash cassettes. That, in fact, is the whole of story number two.

Drill. A real electric drill

Remote hacking and connecting a Bluetooth keyboard are even somewhat elegant, but there are also much more straightforward ways.

This story began with another request from a bank: criminals had hacked an ATM, leaving behind a perfectly round hole about 4 centimeters in diameter, right next to the keypad on which customers enter their PIN code. You probably think that ATMs are made of thick steel, but some parts are plastic, and they are quite easy to drill. The bank's specialists did not find any other evidence.

Then there were several similar incidents in Russia and Europe, except that the holes were not so round. Eventually, the police caught the suspect armed with a laptop computer and a set of wires.

Our specialists dismantled the ATM installed in our test lab to find out what the criminals were looking for next to the keypad. There they found a 10-pin connector on the bus that links almost all the components of the ATM, from the computer to the cassettes with bills.

In addition, the ATM used very weak encryption, which could be cracked easily. So, to summarize the situation once more: there is practically no encryption, so understanding the commands is not a problem; by connecting to any part of the ATM, you can control all of its components, and there is no authorization between them, so any part can be replaced without the others noticing. Sounds pretty safe, doesn't it?

After spending as much as $15 and some time, we made a simple board that we could use to control the ATM. By connecting it to the serial bus, we forced the test ATM to give us the fake money we had loaded for testing purposes. It seems that the criminals pulled the same trick, only in their case the ATM was loaded with real money, and instead of a microcontroller board they used a laptop.

We reported the detected vulnerability to the bank. Unfortunately, as Igor Sumenkov explained, ATMs cannot be updated remotely — you need to change the hardware, that is, a technical specialist must get to each ATM and tinker with it for a while. And there are very, very many ATMs…

ATMs break down. So what?

Let's formulate a brief moral of all three stories.

1. Are you going to withdraw your salary? Leave your drill and Bluetooth keyboard at home, otherwise bank employees may misunderstand you. Hey, we were joking, but put the drill down anyway!

2. If you are not a bank employee, none of these threats should bother you. These are the bank's problems, not its customers'.

3. But if you work in a bank and can somehow influence the security level of the ATM network, you have something to think about. All Kaspersky Lab solutions recognize ATMitch — we can easily help you with this. But we don't make anti-drill metal shields. On the other hand, a video surveillance system will be enough to solve this problem.

(c) https://www.kaspersky.ru/blog/sas-2017-atm-malware/14533/