
An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks

  • Posted on: September 26, 2017 at 5:00 am
  • Posted in: Malware
  • Author: Trend Micro Forward-Looking Threat Research Team

by David Sancho and Numaan Huq (Trend Micro Forward-Looking Threat Research Team), Massimiliano Michenzi (Europol EC3)

Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with fully loaded wallets. In 2016, we released a joint paper with Europol’s European Cybercrime Centre (EC3) that discussed the shift from physical to digital means of emptying an ATM and described the different ATM malware families that had been seen in the wild by then.

What has happened since? On top of many more malware families entering the landscape – something that was expected in these cases – there is one new development we forecast that unfortunately has come to pass: Attackers have started infecting ATMs with malware through the network. Five distinct incidents of network-based ATM malware attacks have already been reported in the media, and we believe this to be significant because it shows how cybercriminals have had ATMs firmly in their crosshairs.

As with physical ATM malware attacks, stealing cold, hard cash isn’t the sole objective of cybercrooks in targeting ATMs through the network. Looking to squeeze out their victims for as much as possible, these criminals could also compromise bank customer data and subsequently steal money in the form of ones and zeroes — making the malware act like a virtual skimming device.

A Stealthier Way in – Attacking Through the Network

Gaining access to banks’ networks and successfully installing ATM malware would mean that criminals don’t have to go to the machines anymore. They simply have money mules on-site and at the ready to collect the money for them and go.

However, network infections require more work and technical knowledge on the attackers’ side than the more common approach of gaining physical access to ATMs. The complication lies in actually being able to reach the ATM network from the bank’s main network.

In a well-planned network architecture, the ATM network and the bank’s main network should be separated, so that having access to one does not grant admission to the other. In such a design, reaching both networks would require bypassing the firewalls and other security controls in place between them.

Unfortunately, not all banks implement network segmentation. Some reported incidents have even demonstrated how, despite the two networks being separated, criminals could establish a solid foothold in a bank’s main network and use it to install malware on the bank’s ATMs.
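As an added illustration, not part of the original article, the following Python sketch shows the kind of check a defender could run over firewall or flow logs to surface exactly the boundary crossing described above: allowed connections between the corporate segment and the ATM segment that do not originate from an approved management host, and any session an ATM opens back towards the corporate side. The subnets, the approved host and the log lines are all constructed assumptions for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical segment layout (an assumption for this example, not from the
# article): the bank's corporate network and the ATM network are separate
# subnets, and only one management host may open sessions into the ATM segment.
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
ATM_NET = ipaddress.ip_network("10.200.0.0/16")
ALLOWED_TO_ATM = {ipaddress.ip_address("10.10.5.10")}

# Constructed flow-log lines: timestamp, source, destination, destination port,
# protocol, firewall action. A workstation (10.10.44.23) first talks to a
# corporate file server, then reaches into the ATM segment; one ATM later
# connects back to it.
SAMPLE_LOGS = """\
2017-09-20T03:12:01Z 10.10.44.23 10.10.2.5 445 tcp allow
2017-09-20T03:15:44Z 10.10.44.23 10.200.1.17 445 tcp allow
2017-09-20T03:15:45Z 10.10.44.23 10.200.1.18 3389 tcp allow
2017-09-20T03:16:02Z 10.10.5.10 10.200.1.17 3389 tcp allow
2017-09-20T03:20:10Z 10.200.1.17 10.10.44.23 4444 tcp allow
2017-09-20T03:21:00Z 10.10.44.23 10.200.1.19 445 tcp deny
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    action: str


def parse_flows(log_text):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, action = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, action))
    return flows


def segment_of(addr):
    """Name the segment an address belongs to."""
    if addr in CORPORATE_NET:
        return "corporate"
    if addr in ATM_NET:
        return "atm"
    return "other"


def is_segmentation_violation(flow):
    """True for an *allowed* flow that crosses the corporate/ATM boundary
    without being on the approved list. Denied flows are the firewall doing
    its job and are not counted here."""
    if flow.action != "allow":
        return False
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == "corporate" and dst_seg == "atm":
        return flow.src not in ALLOWED_TO_ATM
    if src_seg == "atm" and dst_seg == "corporate":
        # ATMs should never initiate sessions towards corporate hosts.
        return True
    return False


def find_violations(log_text):
    """Return the flows that cross the segment boundary in an unapproved way."""
    return [f for f in parse_flows(log_text) if is_segmentation_violation(f)]


def hosts_touching_atm_segment(log_text):
    """Count, per unapproved corporate source, how many distinct ATM hosts it
    reached. A single workstation fanning out across several ATMs is the
    lateral-movement pattern worth escalating first."""
    counts = Counter()
    seen = set()
    for f in find_violations(log_text):
        if segment_of(f.src) == "corporate" and (f.src, f.dst) not in seen:
            seen.add((f.src, f.dst))
            counts[str(f.src)] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOGS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} crosses the ATM boundary")
    print("corporate hosts fanning out into the ATM segment:",
          hosts_touching_atm_segment(SAMPLE_LOGS))
```

On the constructed sample the check flags the two sessions the workstation opens into the ATM segment and the ATM's connection back to it, while the approved management host's session and the denied attempt pass through. In a real deployment the segment definitions and allow-list would come from the firewall policy rather than constants, and the per-source fan-out count is what distinguishes a misconfigured host from an intruder working through the ATM estate.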

Figure 1. How a typical network-based ATM malware attack is carried out

Based on our observation of the different known network-based attacks, criminals infiltrate banks’ networks through ways as simple as sending phishing emails to bank employees. Once in, they perform lateral movement to identify and access subnetworks, including the ATMs.

One of the most noteworthy network-based attacks involves Ripper, the first known ATM malware that uses the network as an infection vector. Targeting ATMs made by three of the major ATM manufacturers, the malware was responsible for the attacks against thousands of ATMs in Thailand in 2016. Ripper has jackpotting capabilities, allowing it to dispense cash from ATMs in large quantities to the point of emptying the machines. Another insidious feature of this malware is that it can self-destruct, removing any incriminating traces of its activity in the operating environment and making post-infection forensics difficult.

To explain this topic in detail and give our readers an overview of the kinds of ATM malware in existence, we have written, together with Europol’s EC3, an updated and comprehensive paper on physical and network-based malware attacks against cash machines. It can be publicly downloaded here: Cashing in on ATM Malware: A Comprehensive Look at Various Attack Types.

It is also worth mentioning that there is a more detailed version of the paper, which includes technical appendices and a defense section on how to secure ATMs, made exclusively for members of the law enforcement and financial sectors. If you belong to either of those, make sure to request it through publicrelations@trendmicro.com.

Tags: ATM malware, ATM network, Ripper
