ATM hackers switch to network-based attacks

More and more attacks against ATMs are network-based, Trend Micro researchers have found.

Since the discovery of the first ATM malware back in 2009, criminals have concentrated on opening the ATM’s case and accessing the machine’s internals to boot the malware up from an external USB or CD. But lately, as banks have ramped up efforts to protect the machines from physical attacks, criminals have begun switching infection vectors.

ATM network-based attacks

“Network infections require more work and planning on the side of the attacker, with the difficulty lying in the challenge of accessing the ATM network from the main bank’s network,” the researchers explained in a recently released whitepaper, compiled jointly with Europol’s European Cybercrime Centre (EC3).

“In a well-planned network architecture, these two should be separated and accessing one from the other should involve bypassing rewalls and possibly other security elements. Sadly, some banks do not have this network separation. Even if the two are segregated, in some known incidents, the criminals have managed to attain such a tight foothold on the bank’s network that they were able to install software on the ATMs from the main network.”

Attack methods and malware capabilities

Attackers compromising ATMs are primarily after money, and have money mules ready to collect it directly from the compromised machines. Their second objective is logging payment card data, to be misused at a later date or sold to other crooks.

Some malware can do both: force the ATM to dispense cash, and collect payment card data.

The researchers have outlined the characteristics of a number of older and newer ATM malware variants – their capabilities, limitations, built-in security controls, and their various targets (machines by different manufacturers).

They’ve also covered five attacks uncovered in the last few years, which involved the compromise of financial institutions’ networks. These include the ones perpetrated by the Anunak/Carbanak gang, who were after more than just money from ATMs, and Cobalt (Strike) hackers.

ATM network-based attacks

“The criminals hack into the bank’s corporate network through ways as simple as phishing emails directed at the bank’s employees. This is by no means the only way to accomplish such a hack but it is the easiest and therefore the most common one,” the researchers noted.

“Once the criminals have established a solid foothold into the bank’s network, they then go on to perform lateral movement to identify and access other sub-networks, including the ATMs. Normally, banks have a clear separation between their corporate network and that of the ATMs, with separate routing and rewalls or other defenses. Some banks do have a at network, thus making the hackers’ lives much easier, but these tend to be a lot rarer.”

More often than not, these network attacks are quite sophisticated and complex, as shown by an illustration of the July 2016 attacks against the Taiwanese First Commercial Bank:

OPIS

The attackers

Pinpointing the groups behind each of these heists is difficult, especially because many of these criminal gangs also resell the malware they use.

But, based on all the collected information, the researchers have made some educated guesses regarding their general location (Russia, Eastern Europe, South America).

It’s interesting to note, though, that these group seem to avoid targeting ATMs in the US and Canada.

“This is perhaps because of cybercriminals thinking that they are less likely to get caught by prominent law enforcement agencies if they stay away from attacking bigger countries. However, with amateur to highly skilled cybercriminals continuing to develop, sell, and use ATM malware in the underground, we believe it is only a matter of time before we see attacks in those regions,” the researchers noted.

All in all, the whitepaper is an interesting read, although law enforcement authorities, financial institutions and the IT security industry should contact Trend Micro for another, limited-release version of the paper which provides greater detail on how to harden ATM and network systems and prevent future attacks.