Jackpotting Attacks Are Back - But Banks Can Fight Back

ATM jackpotting is a cybercriminal technique that uses malware to make an ATM dispense large sums of cash without using a credit or debit card, fully bypassing the transaction authorisation processes. 

It has caused huge economical losses to ATM operators worldwide over the past decade, and very recently, in February 2023, the cybersecurity community has been alerted of a new variant of ATM jackpotting malware, called FiXS, that has infected ATMs in Mexico.

FiXS is a new piece of malware, however the techniques and tactics that it uses very much ressemble the ones used by other ATM malware families like Ploutus, Tyupkin, Alice, Ripper, and Cobalt. 

While only detected in Mexico so far, the appearance of FiXS does mean ATM operators need to renew their efforts to prevent these attacks, which are extremely sophisticated. What makes FiXS particularly lethal is its ability to infect multiple ATM vendors and models, thanks to its interaction with the XFS (eXtended Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.

FiXS is packaged in a dropper that masquerades as a common system executable, conhost.exe. The dropper embeds the malware (FiXS.exe), which is extracted and copied to the ATM File System. Using the MSXFS.dll library, the malware can interact with the XFS API and send commands to the ATM hardware like the dispenser. Interaction with FiXS is done via a connected keyboard, which launches the malware GUI to allow the attacker to display information of the cash units and to send dispensing commands.

Understanding The Attack Process – From Infection To Cash Out 

To successfully launch an ATM jackpotting attack, there are four phases from preparation to execution. The attacker first steals a hard disk from a production ATM containing the software stack used by the financial institution to analyse and reverse engineer it to prepare a targeted attack. A full R&D process is conducted, including the development, packaging, and testing of a new malware such as FiXS.

At this point the targeted malware is ready to infect ATMs or ASSTs that are loaded with cash.

This is accomplished by physically accessing the device and manipulating it to copy the malware with the help of external keyboards and USB sticks. The attackers need to make the infection persist in time, which can be achieved by replacing legitimate system executables or by setting autorun keys at startup time.  The persistent malware will then run silently waiting for an activation code. Finally, the attacker activates the malware by entering a code that wakes it up and launches a GUI to dispense cash, which is picked up by the gang. 

Some believe that ATMs running outdated and unsupported operating systems, like Windows XP or Windows 7, are more vulnerable. However, ATM malware like FiXS is highly targeted and does not exploit operating system vulnerabilities but rather design flaws of the ATM software stack, like the lack of authentication in the XFS layer.

While migrating to Windows 10 and keeping patches updated is a good practice, ATMs running  Windows 10 are as vulnerable as the ones running Windows 7 or XP.

The Right Cybersecurity Approach To Protect ATMs

Every organisation operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential. However, the physical accessibility of ATMs and the lack of proactive update policies create an inherently vulnerable environment that makes ATM devices challenging to protect with traditional security technologies.

The Zero Trust protection model assumes that the infrastructure managing ATM and ASST devices will be compromised, and enforces the principle of “never trust, always verify” to prevent ATM jackpotting and other attacks. Zero Trust is based on the drastic reduction of the attack surface and a tight control of hardware and software changes in the ATM.

To design a robust Zero Trust ATM and ASST protection model, it is essential to identify the most critical points. Access to software, hardware, and communications must be continuously verified, only granting access to the minimum set of resources that are legitimate and required for the proper functioning of the device. In addition to that, hardware changes, made by third-party companies with physical access to the ATM, should only be possible in authorised time periods, where a specific security policy that allows modifications is applied. These changes are also subject to total monitoring of technical operations and explicit authorisation.

An effective way to secure ATMs, ASSTs, and other critical devices could be by implementing Lookwise Device Manager (LDM), Auriga’s solution that provides comprehensive layered protection to ATMs at all stages of the attack life-cycle, ensuring full availability of services for customers. LDM is designed based on the knowledge of the ATM infrastructure and the tactics and techniques used by attackers, making it an effective way to secure these critical devices.

In conclusion, the latest ATM jackpotting attack using FiXS shows that banks and other operators of ATMs must design a robust Zero Trust cybersecurity model to protect their ATM and ASST devices. The physical accessibility of ATMs, the lack of proactive update policies, and the critical nature of these devices create an inherently vulnerable environment that makes them difficult to protect with traditional security technologies.

Juan Ramon Aramendia is Head of Cybersecurity Product Engineering at Auriga

You Might Also Read: 

Does Your Business Require PCI DSS Compliance?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Britain Pledges To Invest £2.5bn In Quantum Computing
Ferrari Hacked & Ransom Demanded »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Identiv

Identiv

Identiv is a global security technology company that establishes trust in the connected world, including premises, information and everyday items.

Tanium

Tanium

Tanium delivers Autonomous Endpoint Management (AEM) with the industry’s only true real-time platform for AI.

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab conducts research into predictive security analytics.

CLUSIL

CLUSIL

CLUSIL is an association for the information security industry in Luxembourg.

D-Fence

D-Fence

D-Fence high availability security service protects corporate email communication, the company and it's employee's against cyber threats.

CyberDefcon

CyberDefcon

CyberDefcon is an independent organization dedicated to the pursuit of making the internet a safer place.

Valtori

Valtori

Government ICT Centre Valtori provides sector-independent ICT services for the central government, while taking into account the special requirements related to security and preparedness.

certSIGN

certSIGN

certSIGN develop innovative software for information security and information systems protection.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

Startup Wise Guys

Startup Wise Guys

Startup Wise Guys is a mentorship-driven accelerator program for early stage B2B SaaS, Fintech, Cybersecurity & Defense AI startups.

Meditology

Meditology

Meditology Services is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services exclusively for healthcare organizations.

Etisalat and (e&)

Etisalat and (e&)

Etisalat Group is one of the world’s leading telecom groups in emerging markets.

SpiderOak

SpiderOak

SpiderOak's portfolio of Secure Communication & Collaboration products ensure the confidentiality, integrity, and availability of your most sensitive data in any environment.

One82

One82

Serving emerging small and medium-sized businesses in California and neighboring regions for over 20 years, One82 has established itself as the most dependable provider of IT support services.

Strata Information Group (SIG)

Strata Information Group (SIG)

Strata Information Group (SIG) is a trusted partner in IT solutions and consulting services.

Walacor

Walacor

Walacor’s secure data platform represents the next generation of secure data and blockchain storage with a trust-first approach that revolutionizes enterprise data, and database management systems.