Search This Blog

Showing posts with label ATM Hacking. Show all posts

Lazarus, Cobalt, and FIN7 Cyber Groups Allegedly Opened Fire on the Financial Industry


A study titled "Follow the Money" by Outpost24's Blueliv that addressed the financial sector, aims to identify and follow groups that are big perpetrators of financial theft and fraud. The Lazarus, Cobalt, and FIN7 threat groups were determined to be the most common threat actors targeting financial institutions. As the Covid-19 pandemic has further aggravated the situation by disrupting training and operations, it's no surprise that cyber attacks on financial institutions are on the rise. 

Attacking banks provide various possibilities for profit for cybercriminals through extortion, theft, and fraud, while nation-states and hacktivists also target the financial industry for political and ideological leverage. The Strategic Technologies Program investigates the evolution of cyber risks to the financial system, as well as legal and regulatory attempts to improve its defenses.

Lazarus is a North Korean state-sponsored advanced persistent threat (APT) group that has been linked to high-profile assaults on Sony Pictures Entertainment, the Bangladesh Bank via SWIFT, and the WannaCry ransomware epidemic in 2017. Banks, casinos, financial investing software producers, and crypto-currency enterprises are among the companies involved. 

The group's virus has lately been discovered in 18 nations around the world. A vulnerability in one of the targeted organization's servers is discovered by the Lazarus team. It infects a website that was accessed by employees of a particular organization, uses malware to access the target's IT infrastructure, and finds a server running SWIFT software. This group tries to drain the company's accounts by downloading new malware that could communicate with SWIFT software. 

Cobalt has been linked to attacks against financial institutions around the world, resulting in the theft of millions of dollars, since at least 2016. It first appeared on the scene with an ATM jackpotting attack on a Taiwanese bank. Despite the arrests, the gang is believed to be still functioning. To break into networks, the Cobalt group uses social engineering—users open infected attachments from phishing emails that are disguised to look like messages from reputable corporations and regulatory agencies. These attachments contain a document file that either downloads or contains a dropper in a password-protected archive from a remote server.

Another important, profit-driven threat group is FIN7, which specializes in Business Email Compromise (BEC) and the deployment of Point-of-Sale (PoS) malware designed to steal large amounts of customer credit card information from businesses. While banking and finance cybersecurity tactics are evolving, there are still numerous improvements that can be addressed, according to Blueliv.

How Cybercriminals are Hacking ATM Machines? Here's a Quick Look


Security researchers have published a report on the modus operandi of the cybercriminals who are using malware, a key from eBay, and a Raspberry Pi to hack ATMs. Here’s how they’re doing it. 

The Modus Operandi

Cybercriminals exploit the vulnerabilities in the operating system of the computers responsible for running the ATMs. Unfortunately, the operating system inside the computers isn’t as secured as the enclosure the computer sits in. Windows 7 is the most common operating system; however, Windows XP is also widely used. These are outdated operating systems that should have made to retire a long time ago. 

Threat actors purchase malware packages from the dark web to exploit the vulnerabilities in these operating systems and to interact with the ATM software. Some of the malware packs contain compromised proprietary software belonging to ATM manufacturers.

Before hacking the ATM, cybercriminals mark the ATMs in a city, and the ones with the high use are targeted. Attacks are typically planned for days such as Black Friday or Valentine’s Day when ATMs are loaded with up to 20 percent more money than usual. ATMs are also loaded with extra money in the weeks leading up to Christmas because many people receive their yearly or Christmas bonus in their pay.

Choice of ATM Brands and Malware Installation 

The popular names in ATM manufacturing are Diebold Nixdorf, Wincor Nixdorf, NCR, Triton, and Hitachi-Omron. Cybercriminals are very specific in their targets because the knowledge of ATM hardware helps threat actors to buy the appropriate malware and the appropriate key to open the ATM enclosure.

The USB ports on ATMs are restricted and will only accept a connection from a keyboard or a mouse. This is to allow servicemen to perform maintenance on the units. You would have loaded the malware onto your Raspberry Pi, and obtained a battery so that it can run as a portable unit. The malware is written in a way that convinces the ATM that the Raspberry Pi is a keyboard. Stored commands tumble out of the Raspberry Pi into the ATM, and the ATM dutifully follows them. 

Another way is to insert a USB memory stick into the ATM and reboot it off an operating system in the memory stick. When the ATM has booted, threat actors can install the malware directly into the ATM’s currently dormant operating system. When they reboot the ATM using its regular operating system they can control the malware by inserting a specially created card, or via a secret key combination on the ATM’s keypad.

United States Issues Alert on North Korean Threat Actors Finding Better Ways to Rob Banks

The Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Treasury Department, the FBI, and U.S. Cyber Command issued a joint warning on August 26th, alerting that North Korean hackers have reopened their campaign of targeting banks across the globe by making fraudulent transactions and ATM cash-outs.

The threat actors have made a systematic effort to attack financial institutions worldwide. They employ bold methods that do not guarantee a 100% success rate. However, these North Korean hackers have manipulated the ways in which some of the largest financial institutions interact with the international banking system. They dupe components of the system into making their hackers seem to be legitimate users; it allows them to transfer tens of millions of dollars into their accounts.

As these hackers continually intruded into bank transaction records and log files, financial institutions were prompted to release security alerts and necessary upgrades to counter and hence limit the threat. In haste to acquire valuable user data for ransom, these hackers have tampered hundreds of thousands of machines across the globe.

Notably, the attackers derived value from their failures and have amended their modus operandi in order to be more effective in their operations and fraudulent campaigns which can be seen in the $81 dollar theft from a Bangladeshi bank carried out by them in 2016. Other instances of their most profitable operations include attacking 30 countries in one single incident of fraudulent ATM cash-outs.

The alert came up with an “overview of North Korea’s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.”

These attackers’ “international robbery scheme” poses a “severe operational risk” for individual banks beyond reputational harm and financial losses. A robbery directed at one bank may implicate multiple banks “in both the theft and the flow of illicit funds back to North Korea,” as per the alert.

They “initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors,” the alert states, cautioning that this suggests the hackers “are exploring upstream opportunities in the payments ecosystem.” The alert further warned.

Black Box: A New ATM Attack that Diebold Nixdorf Warns Off

A unique kind of ATM attack has come to surface called "Black Box." ATM developer Nixdorf warns the financial sector to stay on alert. The attack was widespread accross Europe recently. The Black Box ATM attacks are similar to Jackpotting, in which hackers make the ATMs dispense out cash in piles. Hackers use jackpotting to attach a malware in the ATM or use a black box instead. "Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed.
"Although the fraudster is still connecting an external device, at this stage of our investigations, it appears that this device also contains parts of the software stack of the attacked ATM," says Diebold.

In the case of black-box attacks, the hacker tampers with the ATM's external casing and gets access to the port. The hacker can also put a hole in the machine to find internal wires and connectors. Once the hacker has access, he connects the black-box with the ATM through a laptop, building a connection with the internal systems. After this, the hacker then has control over the command options and uses it to dispense cash out of the ATM.

These kinds of jackpotting attacks on ATMs have happened for a decade. The jackpotting attacks have been quite famous among gangs, as the method is very cost-effective and profitable. Jackpotting attacks are more straightforward compared to cloning cards, ATM skimming, and laundering money, which consumes quite a lot of time. Another reason for the popularity of black-box attacks is that the noob hackers (amateur) don't have to spend a lot of money to get a black box. One can purchase a device and launch an ATM attack without having to spare a lot of time.

"In recent incidents, attackers focus on outdoor systems and are destroying parts of the fascia to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker to send illegitimate dispense commands," says Diebold on his website.

ATM Attacks-Know how ATMs can be hacked under 20 minutes!!!

Want to know something interesting and alarming? A research report published last year revealed that most ATM's can be hacked in less than 20 minutes. And extensive research showed that 85% of ATMs allowed attackers access to the network and 58% had vulnerabilities in their programmes that could be used to control the machine from far of location.

This research concludes the extreme fragility of ATM machines and can be a huge threat as they not only hold huge amounts of cash but also user data and if the data entered by user like pin, phone number or card could be traced then it poses a grave security issue.

CloudSek, after this report scrounged the dark web to find the various ATM hacking strategies and counjoured up a list to make people more aware and stay safe from cyber crimes.

Method 1: ATM Malware Card

This is the most popular method out there. It includes an entire malware kit containing ATM Malware Card, PIN Descriptor, Trigger Card and an Instruction Guide.
Once the Malware Card is installed, all the user information is captured in the machine and then hackers using Trigger Card can dispense all the cash from the ATM.
The kit comes with step by step procedure clearly explained and Windows XP supportable.

Method 2: USB ATM Malware

This is also windows XP supported. It allows hackers to dispense cash from ATM via Malware-hosted USB .

Method 3 : ATM Hacking Appliances

According to CloudSek, "There are a number of ATM Skimmer Shops on the dark web that offer various ATM Hacking Appliances such as EMV Skimmer, GSM Receiver, ATM Skimmer, POS, Gas Pump, Deep Insert, etc. Many shops offer a package of these different devices together."
"These shops are available on the dark web and keep getting updated with newer devices including Terminals, Upgraded Antenna, custom-made ATM Skimmers, RFID Reader/Writer, and so on."

Method 4 : Prepaid Cards

Some sites on the dark web offer cards like Bank Fulls and physical cards that can be used for online transactions and as debit cards in ATM respectively.

Method 5: Tutorials and Case Studies

There are a range of tutorials and case studies on the dark web as to how to hack ATMs . To site one, there is a forum that gives detailed account on how to access these machines using Botnets.

Method 6: Ploutus-D 
This was used in a recent ATM hack, where it gained control of the machine, the cash dispenser, card reader, and pin pad. The source code of Ploutus-D is now being sold on the dark web.

In Conclusion

It's not easy to comprehend that a machine so extensively used in daily life could be so easy to hack and could be siphoning your money to hackers but ATM attacks are becoming quite common, a hard pill to swallow but it's the reality. 

Cases of Net Banking and ATM Frauds Increase by 50% in New Delhi

Cases of illegal matters like Net Banking, ATM hackings, and fraud banking cards rose over 50% to pass more than 52,000 cases in the year 2018, with New Delhi being the banking scams metropolis estimating for approximately 27% of the recorded instances of "theft of money." The Indian Government, however, replies by saying the situation is not that bad as the amount of money stolen in such instances have dropped. Cases of theft related to Netanking, ATMs, and transactions have risen by 50%. But the amount of fraud money involved in these cases has fallen by 12%.

The capital New Delhi amounts for 3,164 complaints registered, top in the list of ATM frauds cities. However, the figures in the public sector ATM frauds are quite staggering. State Bank of India, which has more than 58,000 ATMs throughout the country, has been the victim of 1 out of 5 frauds happening to its ATM. SBI amounts to 25% of the ATM frauds that happened in 2018-19. Following SBI is IDBI Bank, which is second in the list of ATM frauds. According to IDBI's website, the bank has over 3700 ATMs in the country, and it reports 1800 cases of scam. IDBI amounts for 15 % of the ATM heists cases between 2017 and 19.

As of now, the Indian government has not revealed the causes that led to the fraud. The bankers, on the other hand, say that India has been falling prey to banking frauds day by day, at the time when the country is working to develop its infrastructure to protect itself. "The country is observing a large entrance of frauds from alien nations as the support system in Europe has been enhanced, causing more trouble for the fraudsters," says a banker.

Whereas, another banker says that hidden cameras are being planted over the ATM keyboards for spying the pin codes, and different hacking methods like viruses are being deployed by the hackers in the ATMs to steal all the money. The RBI has announced specific measures to control the situation but the banks are very slow in responding to the measures suggested.

A new Malware that makes ATMs to dispense all the cash is making the hype, here's everything you need to know.

Malware isn't a new thing, as we all are quite aware of it, but it varies with time, and so does the threat levels that it imposes. A Malware may attempt to swipe your password, or infiltrate your system, or quietly monitor your browsing activity. However, the most threatening Malware is one that tries to steal all that you have earned. This is known as Jackpotting, which targets only ATMs. The name is termed so because jackpotting forces the ATMs to give all the cash that it has inside it. This can be a concern for the general public as the cases of jackpotting are rising every day.

"Hackers throughout the globe are apprehending this is a low-cost and simple way to get some easy money. The ATMs with old software are targeted using black market code software, and the hackers are strolling off with millions in their pockets," says a collaborative study of Motherboard and German newsroom Bayerischer Rundfunk.

When jackpotting occurs, it doesn't matter how tech-savvy your ATM or bank is, the reason being is it all depends on the software. If the ATMs run on insecure and antiquated software, hackers can effortlessly steal out all your money. A few of the prominent cases of jackpotting attacks happened in Germany in the year 2017. Earlier studies claim that the cases of jackpotting have decreased in numbers but a new study reveals that it has become very common. "Survey conducted in 2019 shows that the crimes are rising," says David Tente, ATM Industry Association. Other unknown sources accepted the same. "Crimes are happening, but mostly it's not announced," said one.

The crimes in countries like Russia and Germany and many other places in Europe are mostly carried out by Russian software named Cutlet. The software can be purchased for a mere $1,000. While in the U.S, Ploutus D is a popular software for jackpotting. "The wicked fellows are trading this malware to anybody," says David Sancho, proficient at jackpotting, cybersecurity firm Trend Micro. "Probably this can stir any nation around the globe."

Canara bank issues advisory for ATM users after fraud bid

Over the last few days, a video of a cautious user who spotted a device to read debit card data at a Canara Bank ATM in New Delhi is being circulated widely. The video was shared by a Twitter user @rose_k01. Canara Bank was quick to address the issue, as it responded by ensuring there was no breach of sensitive user data. "It has come to our notice that a video is being circulated on an attempted fraud on one of our ATMs by installing a skimming device. This attempt, which was made in one of our ATMs in Delhi, was found out immediately and the devices were removed expeditiously. Thus no data compromise has happened. We have closed down this particular ATM pending completion of police investigation," Canara Bank said in a tweet.

“We, at Canara Bank take strict measures to safeguard our customers. We immediately located and removed the skimmer from Gowtami Nagar, Delhi ATM," the public sector bank added. The bank further informed through the same tweet that no data has been compromised.

Canara Bank said it has already taken some proactive, preventive and customer friendly measures to protect the interest of customers, so as to prevent loss of their precious money, the bank said further in the tweet.

1) Canara mServe Mobile app: Using the app, customers can switch off their credit or debit cards when not in use thereby preventing any unauthorise use.

2)The bank is installing anti-skimming and terminal security solutions in all the ATMs across the country.

3) For withdrawal of more than ₹10,000 from our ATMs by any of our customers, an OTP facility as additional security feature has been introduced thereby preventing unauthorized use.

4)Bank is flashing Do's/Don'ts to all customers through social media and SMS.

5) Fraudulent transactions due to third-party breaches where neither the customer nor bank is at fault, there cannot be any liability to the customer under the norms on limiting customer liability in unauthorised transactions, in case the incident is reported within three days. Thus the customer is totally protected from any monetary loss.

Russian hacker convicted of hacking a payment system and stealing from ATMs

The court of the Saratov region found guilty a local resident who hacked and gained access to the website of the Omsk company collecting utility payments.

A 19-year-old hacker was accused under the article "unauthorized access to computer information." Employees of the Federal Security Service of Russia in the Omsk region found and detained him.

Omsk investigators found that in the autumn of 2017 the defendant hacked into the payment system using special software from his home computer. The system was intended to make online payment of utilities.

As a result, the hacker was able to gain access to user personal accounts. After copying all the information, he contacted representatives of the Service and offered for a fee to provide information about the way to fix the vulnerability in the security system.

The court found him guilty and sentenced him to twelve months for unauthorized access to computer information.

At the same time in Krasnoyarsk, it turned out that the hacker group hacked the management system of ATMs using special devices.

According to Irina Volk, the official representative of the Ministry of Internal Affairs of Russia, a criminal group of three men aged 24 to 57 years committed 27 crimes from October 2017 to February 2018. However, at the time of the arrest, the defendants were involved in 8 similar crimes, the total amount of damage was 15 million rubles. So, the number of crimes and damage has doubled for today.

Hackers worked at night, used software to disable the security system then opened payment terminals.

Criminals were detained by the police when committing another theft. During searches, police seized the computer equipment, tools and two expensive cars bought on the stolen money.

Hackers are waiting in custody the verdict of the court. They are charged under six articles.

ATM malware attacks are on the rise

In the past few months prevalence of hacking ATM has increased.

Some time ago 3 ATM’s have been attacked in India. It was found that the hackers used the Malware "GREENDISPENSER".

In this article we will look at methods of hacking ATM. Artur Garipov, Senior Research Specialist at Positive Technologies, helped us to understand how such hacks work and explained to us different methodologies .

For example, very famous virus is Tyupkin (PadPin), which steals card information.Sometimes attackers put fake ATMs, skimmers (devices that make "snapshot" dump of your credit cards) and so on. But that is a topic for another article.

In our opinion (EHN) ATM malware continues to evolve.  For example, new Malware GreenDispenser is new breed in ATM's hacking. It provides an attacker the ability to walk up to infected ATM and drain its cash vault.

When installed, GreenDispenser may display an "out of service" message on the ATM. But attackers can drain the ATM’s cash vault and erase GreenDispenser. Hackers don't leave information how the ATM was robbed.

GreenDispenser is similar in functionality to PadPin but has some unique functionality, such as date limited operation and form of two-factor authentication.

We believe that we are seeing the dawn of new criminal industry targeting ATMs!

Artur commented that there are 2 types of ATM's hacking: 1) remote access 2) physical access.

If physical access hackers can just steal ATM on truck, or they can hook ATM on car and so on. In this case, they stolen the whole thing in order to cut ATM in a safety place, to open ATM physically.

We must understand that ATM consists of 2 parts which is hidden by cover. The upperpart is called service area. There are the simple computer and devices for working: card acceptance, fiscal registrar, and so on. This is the brain that controls the ATM.

The lower part is the safe with money. It contains tapes with different denomination of the bill.  When you remove the currency and you hear the buzzing - this is dispenser prepare to give you the necessary bills of different value from the tapes.

There are more technology-based ways to hacking.  Everything is simple. You need only open service area. You can do it by lock pick or use a special service keys. And sometimes you need just push hard on the hatch metal cover of ATM.

Further, the dispenser must switched off from the computer and connected to its prepared computer which gives command to give all banknotes. And that's all that is needed. The attacker can leave the crime scene with all the cash.

Also there are cases when the attacker had access to the internal network of the Bank. And through it attacker infected the equipment of ATMs or remotely taken control over them. With the help of this software he was able to give the same command to the dispenser to give all cash.

Interview with the researcher Arthur Garipov on ATM Hacking:

What are the methods used by attackers to infect the ATM with

I can not give an exact answer to the question. It is necessary to look in detail code of a GreenDispenser.

Methods for infecting of the ATM may be different. It can be simply installation with a regular software and temporary disconnection of the ATM from the network, for the purpose of infection.

For a more detailed answer it is necessary to understand how the ATM interract with processing center.
And what is the system of control and administration of these devices.
Most often, these solutions are vendor-dependent and differ not only between banks, but also between ATMs.

a. Consider the interaction of ATM and processing center.
Most often, the interaction goes through the Internet provider, inside the tunnel (VPN).
It is very problematic to break down the tunnel, to make a fake processing center - is not easy too.
But very often there is an opportunity to turn off VPN, to be in the same network with an ATM, and then Conduct an attack on some ATM service that will lead to RCE (remote code execution).
On the other hand, attackers can attack the processing center itself, and make changes to the system of updates.
In some cases, the ATM system is updated remotely. Through the update server. Sometimes this is a local installation.

b. But most often the installation of malware occurs locally.

An attacker just opens the service area of the ATM. At its core inside it is a regular computer, with an attached ATM peripheral. Next, he can locally install the Trojan.

For such purposes, special guys are hired. Such announcements, with such tasks, can be found in darknet, or in specific forums.

The new version of Ploutus malware "Ploutus-D" targets ATMs using KAL’s Kalignite platform, what are the other latest and popular
platforms targeted by malware?
 I did not have to work with this system (Kalignite). Perhaps there is some specific here. Malware, in general, attacks the security of the operating system. And the platform and API system through which it works can be easily changed from one to another.

APIs for the ATM middleware is not well documented, How the attackers
were able to write malware that interacts with the middleware?
 I will not agree. Documentation on the Internet is at the moment is more than enough. Everything is easy to find in the main search engines. The key to knowing the keywords:
And for practice it's enough ATM.

NDA’s do not protect.

How do you find presence of this malware in ATM machines?
Unfortunately, most often this is the result of the investigation of the incident.
But there are, of course, other approaches.

What are the other security measures needs to be taken in order to
prevent this malware attack?
This is a separate very large topic for discussion. But it is worthwhile to understand that, more often than not, hacking
ATM is "locally". It is for this purpose that a button is installed on the ATMs. Unfortunately, the attackers also know about it.

Do you think hackers and cyber criminals will weaponize ATM malware
like GreenDispenser with a worm like engine(as used by w32 blaster or
w32 funlove)? What happens to the world if w32 blaster carries Green
Dispenser in it?
Such systems should exist. The question is, it will be more difficult to detect.
And the purpose of such systems is a targeted attack. Specific bank, specific billing.