
Page 1: ATM JACKPOTTING - ADAPTING TO THE FUTURE OF MALWARE

ATM & Payments Innovation Summit 2018 (deck dated 2018-10-29)

Juan Jesús León - GMV

© Copyright GMV 2018. All rights reserved

Page 2: INTRODUCTION

Page 3: WHO IS GMV

A global high-tech technology group

Leading ATM logical security vendor
• CHECKER ATM SECURITY
• Deployed in 35 countries and 150,000+ ATMs

www.gmv.com

Multinational technology group, CMMI level 5
Founded in 1984
Private capital
Headquarters in Spain (Madrid)
Subsidiaries in 11 countries
1,600 employees
Roots tied to Space
Aeronautics, Space, Defense, Security, Transportation, Healthcare, Banking & Finance, and ICT industries
160M€ worldwide revenue

Page 4: TODAY WE WILL ADDRESS…

ATM cyber threats and protections
• Malware, Black Box and Network intrusions
• State-of-the-art protections

ATM cyber attacks today
• The “comfort zone”
• The “war zone”

Adapting to the future

EAST FCS Seminar 2018

Page 5: ATM CYBER THREATS & PROTECTIONS

Page 6: ATM CYBER THREATS

• Malware Attack
• Black Box Attack
• Network Intrusion

Jackpotting: on the rise

Page 7: ATM CYBER THREATS

Jackpotting ≡ cash-out

Malware vs Black Box
• Malware requires bypassing the protection of the ATM software stack in order to run on the actual ATM PC, which the dispenser already trusts.
• Black Box means BYOD (bring your own device) with all the tools necessary to dispense, but requires re-pairing the fraudster's PC with the dispenser.

Network attacks
• Penetrate the bank network to eventually reach the ATM network: it is like conquering the fortress just to access the safe.
• Options: using insiders, infecting from external systems, using a criminal organization's hacking resources, using available ATM software to remotely command cash-outs.

Page 8: ATM CYBER PROTECTION

A. Windows hardening
• Remove unnecessary applications, services & components
• Remove unnecessary users, accounts & privileges
• Reasonable OS patching policy in place

B. Cyber protection
• Whitelisting
• Integrity control
• Device control
• Hard disk encryption
• Integrated firewall
• Security event monitoring
• Surveillance cameras

C. Dispenser protection
• Dispenser must authenticate all PC commands
• Re-pairing requires secure access (e.g. physical access to the safe)
• Strict dispenser firmware patching policy in place

Page 9: ATM CYBER ATTACKS TODAY

Page 10: COMFORT ZONE vs. WAR ZONE

(Diagram: three zones, Comfort zone → Risk zone → War zone)

Page 11: THE COMFORT ZONE
MALWARE ATTACK – COMFORT ZONE

Typical attack
• Infect with malware using a USB pendrive
• Run the malware using a keyboard
• Disable defenses if needed

Typical protection
• Disable untrusted USB devices
• Prevent unknown programs from running
• Disable keyboards
• Watch for ATMs going offline

Typical vulnerability
• No active protection
• Incomplete security policies
• Lenient security policies

Page 12: THE COMFORT ZONE
BLACKBOX ATTACK – COMFORT ZONE

Typical attack
• Open the top box or cut a hole in the fascia
• Connect the black box to the dispenser
• Re-pair if the connection is encrypted
• Downgrade the dispenser firmware if needed

Typical protection
• Encryption between dispenser and PC
• Common key used to authenticate the PC to the dispenser
• Patch dispenser firmware regularly

Typical vulnerability
• No or limited encryption
• Low (logical) protection level
• Vulnerable re-pairing procedure
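The dispenser-side protection from page 8 (authenticate every PC command, allow re-pairing only with secure access) set against the black-box steps above, as an added example that is not GMV, CHECKER or any dispenser vendor's code. It models a dispenser that obeys only HMAC-authenticated, counter-protected commands from the paired PC. The wire format, the "DISPENSE n" command text and the single safe-open flag are assumptions made for illustration; real dispensers use vendor-specific protocols.

```python
import hashlib
import hmac
import os
import struct

# Assumed wire format of an authenticated command (not a real vendor protocol):
#   counter (4 bytes, big-endian) | command bytes | HMAC-SHA256 tag (32 bytes)
TAG_LEN = 32


def sign_command(pairing_key: bytes, counter: int, command: bytes) -> bytes:
    """PC side: bind the command to the pairing key and a monotonic counter."""
    header = struct.pack(">I", counter)
    tag = hmac.new(pairing_key, header + command, hashlib.sha256).digest()
    return header + command + tag


class Dispenser:
    """Toy dispenser that executes only authenticated commands from the paired PC."""

    def __init__(self):
        self.pairing_key = None   # None until a PC has been paired
        self.last_counter = -1    # highest counter accepted so far (anti-replay)
        self.safe_open = False    # "vault door open" signal as seen by the firmware
        self.notes_dispensed = 0

    def pair(self, pairing_key: bytes) -> None:
        # Re-pairing is privileged: only allowed while the safe is open.
        if not self.safe_open:
            raise PermissionError("re-pairing refused: safe is closed")
        self.pairing_key = pairing_key
        self.last_counter = -1

    def execute(self, message: bytes) -> str:
        if self.pairing_key is None:
            return "rejected: not paired"
        if len(message) < 4 + TAG_LEN:
            return "rejected: malformed"
        header, body, tag = message[:4], message[4:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.pairing_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC"          # unpaired device or tampered command
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:
            return "rejected: replay"           # captured message sent again
        self.last_counter = counter
        if body.startswith(b"DISPENSE "):
            self.notes_dispensed += int(body.split()[1])
            return "dispensed"
        return "ok"


def simulate() -> dict:
    """Walk through the legitimate PC, a black box, a replay and two re-pairing attempts."""
    dispenser = Dispenser()
    # Initial pairing at installation, with the safe open (technician present).
    atm_pc_key = os.urandom(32)
    dispenser.safe_open = True
    dispenser.pair(atm_pc_key)
    dispenser.safe_open = False

    results = {}
    legit = sign_command(atm_pc_key, 1, b"DISPENSE 5")
    results["atm_pc"] = dispenser.execute(legit)

    # Black box: the fraudster's own device with its own key, never paired.
    black_box_key = os.urandom(32)
    forged = sign_command(black_box_key, 2, b"DISPENSE 40")
    results["black_box"] = dispenser.execute(forged)

    # Black box replays a captured legitimate dispense message.
    results["replay"] = dispenser.execute(legit)

    # Black box tries to re-pair while the safe is closed.
    try:
        dispenser.pair(black_box_key)
        results["repair_closed"] = "paired"
    except PermissionError as err:
        results["repair_closed"] = str(err)

    # If the safe-open signal can be spoofed, this single gate is all that
    # stands between the black box and the cash.
    dispenser.safe_open = True
    dispenser.pair(black_box_key)
    results["repair_spoofed"] = dispenser.execute(
        sign_command(black_box_key, 1, b"DISPENSE 40"))
    results["notes"] = dispenser.notes_dispensed
    return results
```

The last step is the point of the "vulnerable re-pairing procedure" bullet: once an attacker can satisfy the re-pairing precondition, whether by spoofing the safe-open signal or by downgrading to firmware that does not require it, the black box becomes the trusted PC and command authentication no longer helps. That is why the firmware patching policy and the physical re-pairing gate belong to the same control.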

Page 13: THE COMFORT ZONE
NETWORK INTRUSION – RISK ZONE

Typical attack
• An insider takes control of the software distribution server and the cyber-protection server

Typical protection
• Segregated ATM network
• Active security monitoring
• Segregation of duties

Typical vulnerability
• Inadequate personnel screening
• Inadequate procedural controls

Page 14: ENTER THE WAR ZONE

WAR ZONE EXCLUSIVES!!

Page 15: WAR ZONE EXCLUSIVE 1: REFINED INFECTION
BYPASS USB PROTECTION

Network-based storage
• Use a micro-PC (e.g. LattePanda, Intel NUC) with attached network storage
• Connect to the ATM network via RJ45 and enable file sharing (SMB, NetBIOS…)

Abuse Windows features
• An example is WPD – Windows Portable Devices, a plug & play feature for devices such as cameras and phones that automatically loads drivers and device files into the PC
• A complete Windows hardening is a very complex task

Page 16: WAR ZONE EXCLUSIVE 2: REFINED EXECUTION
BYPASS WHITELISTING

Keyboard emulator
• Executes complex commands by emulating a keyboard with preprogrammed keystrokes in order to command a cash-out
• Typically Arduino based
• Takes advantage of general-purpose tools already present on the ATM PC (cmd.exe, regedit.exe, explorer.exe…), which the whitelist has to allow
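Detection logic for the keyboard-emulator technique above, added here as an example; it is not part of the GMV deck or the CHECKER product. It assumes the ATM security agent can see raw keystroke timestamps and process-creation events; the KeyEvent and ProcessEvent records, the thresholds and all sample telemetry below are constructed for the example.

```python
import statistics
from dataclasses import dataclass

# General-purpose tools that a whitelisting policy often has to allow on the
# ATM PC for support, and that keyboard emulators therefore abuse.
LIVING_OFF_THE_LAND = {
    "cmd.exe", "regedit.exe", "explorer.exe", "powershell.exe", "rundll32.exe",
}


@dataclass
class KeyEvent:
    t_ms: float   # keystroke timestamp in ms (assumed available from the HID layer)
    key: str


@dataclass
class ProcessEvent:
    t_ms: float
    image: str    # full image path
    cmdline: str


def keystroke_burst_is_scripted(events, min_keys=12, max_median_ms=25.0, max_cv=0.2):
    """Heuristic: injected keystrokes are both fast and unnaturally regular.

    A human leaves tens to hundreds of ms between keys with high variance; an
    Arduino HID emulator fires at a fixed, short delay. The thresholds are
    assumptions and should be tuned against real telemetry from the fleet.
    """
    if len(events) < min_keys:
        return False
    gaps = [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]
    median = statistics.median(gaps)
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0   # coefficient of variation
    return median <= max_median_ms or cv <= max_cv


def correlate(key_events, proc_events, window_ms=2000.0):
    """Flag general-purpose tools started right after a scripted keystroke burst."""
    alerts = []
    if not key_events or not keystroke_burst_is_scripted(key_events):
        return alerts
    last_key = key_events[-1].t_ms
    for p in proc_events:
        name = p.image.rsplit("\\", 1)[-1].lower()
        delay = p.t_ms - last_key
        if name in LIVING_OFF_THE_LAND and 0 <= delay <= window_ms:
            alerts.append(
                f"{name} started {delay:.0f} ms after scripted keystrokes: {p.cmdline}")
    return alerts


def demo():
    """Constructed sample telemetry (not captured from a real ATM)."""
    # A technician typing at the ATM keyboard: irregular gaps of 88 to 310 ms.
    human, t = [], 0.0
    for gap in [180, 95, 240, 130, 310, 88, 150, 205, 120, 260, 170, 140, 99, 215]:
        t += gap
        human.append(KeyEvent(t, "x"))
    # A keyboard emulator injecting 40 keys at roughly 8 ms intervals.
    injected, t = [], 5000.0
    for i in range(40):
        t += 8.0 + (0.4 if i % 2 else 0.0)
        injected.append(KeyEvent(t, "x"))
    cmd = r"C:\Windows\System32\cmd.exe"
    return {
        "human": correlate(human, [ProcessEvent(human[-1].t_ms + 300, cmd, "cmd.exe")]),
        "injected": correlate(injected, [ProcessEvent(injected[-1].t_ms + 300, cmd, "cmd.exe")]),
    }
```

The same cmd.exe launch is benign in the first scenario and an alert in the second; the whitelist cannot tell them apart, because the binary is identical and legitimately allowed, so the distinguishing signal has to come from how it was invoked.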

Page 17: WAR ZONE EXCLUSIVE 3: REFINED SECURITY BYPASS
RE-PAIRING BLACK BOXES

Endoscope attack
• The cover of the cash dispense shutter is unscrewed and damaged
• An endoscope with a magnet or knob on its tip is inserted through the damaged shutter
• The tip of the endoscope touches a sensor or pushes a button or toggle, depending on the model, so as to trick the ATM into believing that the vault is open
• The black box can then be paired with the dispenser

Firmware downgrade
• So that physical access to the safe is no longer required to re-pair
• Presented at Black Hat USA 2018. Patch available from the manufacturer.

Page 18: WAR ZONE EXCLUSIVE 4: REFINED INTRUSION
NETWORK INTRUSION

Hack the bank!
• Sophisticated intrusion into the bank's network, typically by a resourceful criminal organization
• Escalate and move through the network until all necessary servers are under control
• Remotely command cash-outs coordinated with mules. No specific ATM malware is required.

(Source: TrendLabs, "Cashing in on ATM Malware")

Page 19: WAR ZONE EXCLUSIVE 5: REFINED HOUSEKEEPING
CROOKS KEEP ONE STEP AHEAD

Preventing forensic analysis
• A good understanding of the attack is mandatory in order to understand how to protect against it
• When crooks find a new way to insert and/or execute malware, they take their time to ensure all traces are deleted after the attack
• They definitely know how to do this

Page 20: ADAPTING TO THE FUTURE

Page 21: WAR ZONE: LESSONS LEARNT

Today ATMs can be reasonably, but not perfectly, protected.

Most relevant: efficient operation of an ATM network requires some leniency in the security policies, e.g.:
• Allow USB devices and the administrative/diagnostic tools used for on-site support.
• Allow network file sharing and other remote services used for remote support.

In practice, the needs for protection and for efficient operation involve a trade-off.

Attackers are taking advantage of the fact that protection must coexist with dynamic operations.

Page 22: BEHAVIOUR ANALYSIS

Malware is in the ATM. But not everything is lost!

In the real world malware will enter through any security breach. We need a final barrier.

ATMs are quite stable execution environments: good candidates for behaviour analysis.

ATM transaction workflows are especially stable: even better candidates.

Jackpotting involves strong anomalies in ATM behaviour. Detecting those anomalies is the key.

ATM network complexity challenge: manufacturers, models, operating systems and applications could make behaviour analysis non-viable.

Page 23: XFS BEHAVIOUR ANALYSIS

XFS: standard layer for ATM real-time anomaly detection

XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.
• Mitigates to some extent the challenge resulting from the complexity of large ATM networks.
• Multivendor solution by design.
• Every XFS request can be analyzed and filtered.
• Symbiotic relationship with a whitelisting solution: together they are stronger.

(Diagram: ATM Application and Malware → XFS APIs → XFS Manager, with an XFS Filter in the path → XFS SPIs → Service providers)

Transaction trace shown on the slide:

24/01/17 16:36:56 INIT TRANSACTION

24/01/17 16:36:56 CARD EMV: ************3688

24/01/17 16:37:02 VALIDATE TRANSACTION.

24/01/17 16:37:16 ASK PIN.

24/01/17 16:37:19 ASK PIN FINISHED.

24/01/17 16:37:19 PIN BLOCK.

24/01/17 16:37:20 PIN BLOCK FINISHED.

24/01/17 16:37:20 VALIDATE TRANSACTION.

24/01/17 16:37:20 COORDINATION NUMBER SENT: 9

24/01/17 16:37:20 BUFFERAMOUNT: 00000050

24/01/17 16:37:21 TRANSACTION REQUEST: AABB AA

24/01/17 16:37:25 HOST ANSWER. STATUS: A12. FUNCTION: U

24/01/17 16:37:25 TRANSACTION CURRENCY CODE: 0484.

24/01/17 16:37:25 TRANSACTION EXPONENT: 02.

24/01/17 16:37:25 TRANSACTION TYPE: 01.

24/01/17 16:37:25 TRANSACTION CATEGORY CODE: 5A.

24/01/17 16:37:26 OBTAINING PIN TRY COUNTER: 9F170105

24/01/17 16:37:26 READING INTERNATIONAL CVM [VD]

24/01/17 16:37:26 READING INTERNATIONAL IACS [VD]

24/01/17 16:37:26 FINISH PROCESS EMV RESPONSE.

24/01/17 16:37:26 HOST ANSWER. STATUS: 426 FUNCTION: 2

24/01/17 16:37:26 NOTE DISPENSE: 01000000

24/01/17 16:37:36 NOTES PRESENTED

24/01/17 16:37:46 NOTES EXTRACTED

24/01/17 16:37:51 COMMAND EJECT CARD.

24/01/17 16:37:53 COMMAND EJECT CARD FINISHED.

24/01/17 16:37:54 CARD EXTRACTED

24/01/17 16:37:54 END TRANSACTION
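A minimal XFS-layer filter of the kind the slide describes, added here as an example and not GMV's or CHECKER's code. It tracks the workflow visible in the trace above (transaction started, card read, PIN block produced, host answer received) and lets a NOTE DISPENSE through only when all of those preceded it in the same transaction. The state names, the abridged legitimate trace and the two jackpotting traces are constructed for the example; a real filter would hook the XFS API calls rather than parse a text log.

```python
import re
from dataclasses import dataclass

# Matches the trace format shown on the slide: "dd/mm/yy HH:MM:SS MESSAGE"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+?)\.?\s*$")


@dataclass
class TxnState:
    """What the filter has seen so far in the current transaction."""
    active: bool = False
    card_read: bool = False
    pin_done: bool = False
    host_authorized: bool = False

    def may_dispense(self) -> bool:
        return self.active and self.card_read and self.pin_done and self.host_authorized


class XfsDispenseFilter:
    """Allows NOTE DISPENSE only inside a transaction that followed the workflow."""

    def __init__(self):
        self.state = TxnState()
        self.allowed = []   # timestamps of dispenses that passed
        self.alerts = []    # descriptions of blocked dispenses

    def feed(self, line: str) -> str:
        m = LINE_RE.match(line)
        if not m:
            return "ignored"
        ts, msg = m.groups()
        st = self.state
        if msg.startswith("INIT TRANSACTION"):
            self.state = TxnState(active=True)
        elif msg.startswith("CARD EMV"):
            st.card_read = st.active
        elif msg.startswith("PIN BLOCK FINISHED"):
            st.pin_done = st.active
        elif msg.startswith("HOST ANSWER"):
            # Authorization only counts if the card and PIN steps already happened.
            st.host_authorized = st.active and st.card_read and st.pin_done
        elif msg.startswith("NOTE DISPENSE"):
            if st.may_dispense():
                self.allowed.append(ts)
                return "allow"
            self.alerts.append(f"{ts} blocked {msg}: {st}")
            return "block"
        elif msg.startswith("END TRANSACTION"):
            self.state = TxnState()
        return "pass"

    def run(self, lines):
        for line in lines:
            self.feed(line)
        return len(self.allowed), list(self.alerts)


# Abridged from the legitimate trace on the slide.
LEGIT_TRACE = """\
24/01/17 16:36:56 INIT TRANSACTION
24/01/17 16:36:56 CARD EMV: ************3688
24/01/17 16:37:16 ASK PIN.
24/01/17 16:37:20 PIN BLOCK FINISHED.
24/01/17 16:37:25 HOST ANSWER. STATUS: A12. FUNCTION: U
24/01/17 16:37:26 HOST ANSWER. STATUS: 426 FUNCTION: 2
24/01/17 16:37:26 NOTE DISPENSE: 01000000
24/01/17 16:37:36 NOTES PRESENTED
24/01/17 16:37:54 END TRANSACTION
""".splitlines()

# Constructed jackpotting trace: the dispenser is driven directly, with no
# card, PIN or host step at all.
JACKPOT_TRACE = """\
24/01/17 18:02:10 NOTE DISPENSE: 40000000
24/01/17 18:02:30 NOTES PRESENTED
24/01/17 18:02:31 NOTES EXTRACTED
24/01/17 18:02:35 NOTE DISPENSE: 40000000
""".splitlines()

# Constructed trace of malware that mimics the start of a transaction but
# skips PIN entry and host authorization.
PARTIAL_TRACE = """\
24/01/17 18:05:00 INIT TRANSACTION
24/01/17 18:05:00 CARD EMV: ************0000
24/01/17 18:05:02 NOTE DISPENSE: 40000000
24/01/17 18:05:10 END TRANSACTION
""".splitlines()


def analyze(lines):
    """Return (dispenses allowed, list of alerts) for a trace."""
    return XfsDispenseFilter().run(lines)
```

The filter knows nothing about which binary issued the request, which is exactly why it complements whitelisting: a whitelisted but abused tool, or a process that slipped past the whitelist, still has to reproduce the whole card, PIN and host sequence before the dispenser will move.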

Page 24: KEEP YOURSELF INFORMED!

Thank you. [email protected]

New version available soon!

© Copyright GMV 2018. All rights reserved