ATMs Are Not Immune to Supply Chain Attacks and Other Digital Threats
Internet-connected Automated teller machines (ATMs) can be discovered using dedicated search engines and specific keywords and then ensnared into botnets, Kaspersky Lab researchers believe.
With large sums of cash being loaded into ATMs on a daily basis, it’s no wonder that these devices are targeted by cybercriminals. And while some crooks take a blunt approach to getting into an ATM, using physical force, others prefer targeting the software running on the machine to make it spill out the cash, Kaspersky’s Olga Kochetova and Alexey Osipov explained at the DefCamp 2017 security conference in Bucharest last week.
There's no denying that ATMs run vulnerable software, they say. Many of the machines run the outdated, already retired Windows XP, meaning they are vulnerable by default, while others might have some unnecessary but flawed applications running on them, such as TeamViewer or an older, flawed variant of Adobe Acrobat Reader.
What’s more, banks often do not keep their ATMs updated, which also makes them vulnerable to malware and other types of attacks, the researchers say. The security inside the ATM is usually poor and the parts of the chain protecting the cash aren’t secured separately, meaning that the entire chain ca be compromised when a single part is exploited.
Accessing the software running on an ATM provides malicious actors with control over the cash cassettes inside the machine, thus allowing them to extract the cash. However, access to a single machine could also provide the actor with the ability to compromise the bank’s entire network of ATMs, Kaspersky’s researchers say.
There are multiple ways in which an attacker could achieve this, Kochetova and Osipov told SecurityWeek during a private talk at the DefCamp conference: by physically accessing an ATM to install a device in it, by compromising the computers that oversee the bank’s ATMs, and even by a supply-chain attack that focuses on the firmware that vendors or maintenance teams install on the machines.
“With access to an ATM, an actor could install a device in one ATM to send commands to all machines in the network. These commands would look like they come from the central command center. The actor can then use blank cards, or any cards, and withdraw cash from any ATM in the network,” the researchers explained.
This is possible because all of a bank’s ATMs are typically connected to a flat network, which means that every machine in the network could see all other connected machines. Thus, if the attacker’s device is implanted in an ATM directly connected to the network cable, it could allow an attacker to remotely control the machines. It is a classic example of man-in-the-middle attack (MitM), the researchers say.
They also pointed out that all evidence would disappear once the malicious device has been extracted from the ATM. Although a possibility, no such botnet has been observed to date. What has been seen, however, was a bank’s network being infected with an information stealer.
“This can be seen as a kind of an ATM botnet, since all machines were infected and the actor was remotely collecting data from them,” Kochetova said. “It is also possible that some crooks somewhere in the world are preparing an attack with money-withdrawal malware instead of sniffers,” she continued.
Attackers could also get the VPN drive out of the ATM and connect to the bank’s network through it without anyone noticing, Osipov explains. Such VPN devices are designed to work regardless of the host machine, so the attacker could use it with their own computer.
One other effective method of infiltrating ATM networks is to discover the machines that are online using specialized search engines such as Shodan, the researchers say. Although banks usually claim that no ATM is online, these devices can be easily found if the right keywords or phrases are used to perform the search, Kochetova and Osipov explained.
While the attack vector has been used before (specialized search engines can be used to discover vulnerable Internet of Things (IoT) devices, unsecured databases, and other types of Internet-facing devices), it is relatively new when it comes to finding ATMs.
Once they have discovered the online ATMs, the malicious actor can start checking for open ports and then attempt to compromise machines using known exploits. Thus, attackers could install information-stealing malware on the ATMs or ensnare them into botnets.
Infecting workstations inside the bank and then expanding the footprint to the entire network, including ATMs, is another compromise technique that attackers (such as the Cobalt hacking group) are using.
Recent attacks such as CCleaner and NotPetya have demonstrated the impact supply-chain attacks could have on a global scale, and Kaspersky’s researchers say that ATMs aren’t safe from this type of assaults either. To be successful, the attacker would target the “golden image” used to install the operating system and all running software on an ATM.
“We already observed incidents where ordinary malware ended up on an ATM through an infected USB drive that a technician connected to the machine. Thus, if an infected ‘golden image’ is used, the technician would never even notice the compromise. Of course, the attacker would have to know what specific software to install on that ‘golden image’ to compromise the ATMs without being noticed,” Osipov said.
“The same would happen if a service provider is used as a vector of attack. No one would notice the compromise,” he also said.
An ATM botnet could also be used to mine crypto-currency. Crypto miners have become highly popular over the past few years and an increasing number of malicious attacks focused on deploying such software was observed this year. Because they have computing power, ATMs can be used for mining too.
“In the end, every ATM is yet another type of computer. This means it can be hacked if the right vulnerabilities are discovered,” Kochetova pointed out. “It is the same as with CCTV cameras that are infected to create IoT botnets,” she concluded.