Cash machine hackers are getting better at stealing your money
BY LILY HAY NEWMAN
Sunday 23 August 2020
In the decade since the hacker Barnaby Jack famously made an ATM spit out cash onstage during the 2010 Black Hat security conference in Las Vegas, so-called jackpotting has become a popular criminal pastime, with heists netting tens of millions of dollars around the world. And over time, attackers have become increasingly sophisticated in their methods.
At the recent Black Hat and Defcon security conferences, researchers dug through recent evolutions in ATM hacking. Criminals have increasingly tuned their malware to manipulate even niche proprietary bank software to cash out ATMs, while still incorporating the best of the classics—including uncovering new remote attacks to target specific ATMs.
During Black Hat, Kevin Perlow, the technical threat intelligence team lead at a large, private financial institution, analysed two cash-out tactics that represent different current approaches to jackpotting. One looked at the ATM malware known as INJX_Pure, first seen in spring 2019. INJX_Pure manipulates both the eXtensions for Financial Services (XFS) interface—which supports basic features on an ATM, like running and coordinating the PIN pad, card reader, and cash dispenser—and a bank’s proprietary software together to cause jackpotting.
The original malware samples were uploaded to scanners from Mexico and then later from Colombia, but little is known about the actors using INJX_Pure. The malware is significant, though, because it is tailored to the ATMs of a specific bank, likely in a specific region, indicating that it can be worth it to develop even limited-use or targeted jackpotting malware rather than focusing only on tools that will work around the world.
“It’s common to threat actors in general to use XFS within their ATM malware to get an ATM to do things that it’s not supposed to do, but the INJX_Pure developer’s implementation of it was unique and very specific to particular targets,” says Perlow.
Perlow also looked at FASTCash malware, used in jackpotting campaigns that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency attributed to North Korean hackers in October 2018. North Korea has used the malware to cash out tens of millions of dollars around the world, which coordinated groups of money mules then collect and launder.
FASTCash targets not the ATMs themselves but a financial card transaction standard known as ISO-8583. The malware infects software running on what are known as “payment switches,” finance infrastructure devices that run systems responsible for tracking and reconciling information from ATMs and responses from banks. By infecting one of these switches rather than attacking an individual ATM, FASTCash attacks can coordinate cash-outs from dozens of ATMs at once.
“If you can do this, then you no longer have to put malware on 500 ATMs,” Perlow says. “That’s the advantage, why it’s so clever.”
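One defensive consequence of the switch-level approach described above is that a compromised switch can approve cash-outs the issuing bank never authorized. As an added illustration (not code from the article, from FASTCash, or from any switch vendor), the following Python reconciles a switch's approved cash-outs against the issuer's authorization log and flags the mismatches; the record layout, the STAN-keyed matching and the sample entries are constructed simplifications.

```python
from collections import namedtuple

# Simplified records. Real switch and issuer logs carry far more fields; matching on
# STAN (System Trace Audit Number) alone is an assumption made for this illustration.
SwitchRecord = namedtuple("SwitchRecord", "stan atm_id amount response_code")
IssuerRecord = namedtuple("IssuerRecord", "stan amount response_code")

# Constructed sample data. Response codes follow ISO 8583 field 39 conventions:
# "00" = approved, "51" = insufficient funds.
SWITCH_LOG = [
    SwitchRecord("000101", "ATM-01", 20000, "00"),
    SwitchRecord("000102", "ATM-02", 50000, "00"),
    SwitchRecord("000103", "ATM-03", 50000, "00"),
    SwitchRecord("000104", "ATM-01", 10000, "51"),
]
ISSUER_LOG = [
    IssuerRecord("000101", 20000, "00"),
    IssuerRecord("000102", 50000, "51"),  # issuer declined, yet the switch approved
    IssuerRecord("000104", 10000, "51"),
    # no issuer record at all for 000103: the switch approved on its own
]


def reconcile(switch_log, issuer_log):
    """Return (stan, reason) pairs for switch approvals the issuer did not authorize."""
    issuer_by_stan = {r.stan: r for r in issuer_log}
    findings = []
    for s in switch_log:
        if s.response_code != "00":
            continue  # declined at the switch: no cash left the ATM
        i = issuer_by_stan.get(s.stan)
        if i is None:
            findings.append((s.stan, "no issuer authorization"))
        elif i.response_code != "00":
            findings.append((s.stan, f"issuer declined with {i.response_code}"))
        elif i.amount != s.amount:
            findings.append((s.stan, "amount mismatch"))
    return findings


if __name__ == "__main__":
    for stan, reason in reconcile(SWITCH_LOG, ISSUER_LOG):
        print(f"suspicious approval {stan}: {reason}")
```

Run against the sample data, the check reports 000102 (issuer declined) and 000103 (no issuer authorization), which is exactly the pattern a switch approving withdrawals behind the bank's back would leave in the records.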
The attacks go even further in a controlled lab setting. Researchers at the embedded-device security firm Red Balloon Security detailed two specific vulnerabilities in so-called retail ATMs made by Nautilus Hyosung. These are the kind of ATMs you’d find at a bar or corner store, in contrast to the “financial” ATMs used in banks. The vulnerabilities could have been exploited by an attacker on the same network as a victim ATM to seize control of the device and dispense cash without any physical interaction.
Hyosung, which has more than 140,000 ATMs deployed around the United States, patched the flaws at the beginning of September. But as with many connected devices, there can be a large gap between offering a fix and getting ATM operators to install it. The Red Balloon researchers estimated that as many as 80,000 ATMs in the US were still vulnerable.
“The specific vulnerabilities that we pointed out, Hyosung did a great job at proactively offering fixes for those,” says Ang Cui, Red Balloon’s CEO. “But it really depends on every operator of the vulnerable ATMs to actually patch. I wouldn’t be surprised if the whole world has not pushed out that patch yet.”
The two vulnerabilities were in digital systems used to manage an ATM’s services. In the first, researchers found that the XFS implementation had a flaw that could be exploited with a specially crafted packet to make the ATM accept commands—like telling it to dispense cash. The other bug, in the ATMs’ Remote Management System, also led to arbitrary code execution, meaning a full takeover.
“The attacker would get control and could do anything, change settings, but the most impactful thing it can showcase is jackpotting money,” says Brenda So, a research scientist at Red Balloon who presented the work at Defcon along with her colleague Trey Keown.
Nautilus Hyosung emphasised to WIRED that the Red Balloon researchers disclosed their findings in summer 2019 and that the company released firmware updates “to mitigate the possible threats” on September 4. “Hyosung notified all of our commercial customers to immediately update their ATMs with these patches, and we have no reported instances of exposure,” the company said in a statement.
In actual criminal jackpotting, hackers can often simply use physical attacks or exploit an ATM’s digital interfaces by inserting a malicious USB stick or SD card into an unsecured port. But remote attacks like the ones Red Balloon showcased are also increasingly common and ingenious.
Though all software has bugs, and no computer is perfectly secure, the ubiquity of criminal jackpotting and the relative ease of finding vulnerabilities in the global financial system to accomplish it still seem to indicate a lack of innovation in ATM defense.
“What has fundamentally changed between when Barnaby Jack presented and now?” Red Balloon’s Cui says. “The same types of attacks that would have worked against laptops and laptop operating systems 15 years ago largely wouldn’t work now. We’ve leveled up. So why is it that the machine that holds the money has not evolved? That’s incredible to me.”
This story was originally published on WIRED US