Jackpotting Attacks Are Back - But Banks Can Fight Back

ATM jackpotting is a cybercriminal technique that uses malware to make an ATM dispense large sums of cash without using a credit or debit card, fully bypassing the transaction authorisation processes. 

It has caused huge economical losses to ATM operators worldwide over the past decade, and very recently, in February 2023, the cybersecurity community has been alerted of a new variant of ATM jackpotting malware, called FiXS, that has infected ATMs in Mexico.

FiXS is a new piece of malware, however the techniques and tactics that it uses very much ressemble the ones used by other ATM malware families like Ploutus, Tyupkin, Alice, Ripper, and Cobalt. 

While only detected in Mexico so far, the appearance of FiXS does mean ATM operators need to renew their efforts to prevent these attacks, which are extremely sophisticated. What makes FiXS particularly lethal is its ability to infect multiple ATM vendors and models, thanks to its interaction with the XFS (eXtended Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.

FiXS is packaged in a dropper that masquerades as a common system executable, conhost.exe. The dropper embeds the malware (FiXS.exe), which is extracted and copied to the ATM File System. Using the MSXFS.dll library, the malware can interact with the XFS API and send commands to the ATM hardware like the dispenser. Interaction with FiXS is done via a connected keyboard, which launches the malware GUI to allow the attacker to display information of the cash units and to send dispensing commands.

Understanding The Attack Process – From Infection To Cash Out 

To successfully launch an ATM jackpotting attack, there are four phases from preparation to execution. The attacker first steals a hard disk from a production ATM containing the software stack used by the financial institution to analyse and reverse engineer it to prepare a targeted attack. A full R&D process is conducted, including the development, packaging, and testing of a new malware such as FiXS.

At this point the targeted malware is ready to infect ATMs or ASSTs that are loaded with cash.

This is accomplished by physically accessing the device and manipulating it to copy the malware with the help of external keyboards and USB sticks. The attackers need to make the infection persist in time, which can be achieved by replacing legitimate system executables or by setting autorun keys at startup time.  The persistent malware will then run silently waiting for an activation code. Finally, the attacker activates the malware by entering a code that wakes it up and launches a GUI to dispense cash, which is picked up by the gang. 

Some believe that ATMs running outdated and unsupported operating systems, like Windows XP or Windows 7, are more vulnerable. However, ATM malware like FiXS is highly targeted and does not exploit operating system vulnerabilities but rather design flaws of the ATM software stack, like the lack of authentication in the XFS layer.

While migrating to Windows 10 and keeping patches updated is a good practice, ATMs running  Windows 10 are as vulnerable as the ones running Windows 7 or XP.

The Right Cybersecurity Approach To Protect ATMs

Every organisation operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential. However, the physical accessibility of ATMs and the lack of proactive update policies create an inherently vulnerable environment that makes ATM devices challenging to protect with traditional security technologies.

The Zero Trust protection model assumes that the infrastructure managing ATM and ASST devices will be compromised, and enforces the principle of “never trust, always verify” to prevent ATM jackpotting and other attacks. Zero Trust is based on the drastic reduction of the attack surface and a tight control of hardware and software changes in the ATM.

To design a robust Zero Trust ATM and ASST protection model, it is essential to identify the most critical points. Access to software, hardware, and communications must be continuously verified, only granting access to the minimum set of resources that are legitimate and required for the proper functioning of the device. In addition to that, hardware changes, made by third-party companies with physical access to the ATM, should only be possible in authorised time periods, where a specific security policy that allows modifications is applied. These changes are also subject to total monitoring of technical operations and explicit authorisation.

An effective way to secure ATMs, ASSTs, and other critical devices could be by implementing Lookwise Device Manager (LDM), Auriga’s solution that provides comprehensive layered protection to ATMs at all stages of the attack life-cycle, ensuring full availability of services for customers. LDM is designed based on the knowledge of the ATM infrastructure and the tactics and techniques used by attackers, making it an effective way to secure these critical devices.

In conclusion, the latest ATM jackpotting attack using FiXS shows that banks and other operators of ATMs must design a robust Zero Trust cybersecurity model to protect their ATM and ASST devices. The physical accessibility of ATMs, the lack of proactive update policies, and the critical nature of these devices create an inherently vulnerable environment that makes them difficult to protect with traditional security technologies.

Juan Ramon Aramendia is Head of Cybersecurity Product Engineering at Auriga

You Might Also Read: 

Does Your Business Require PCI DSS Compliance?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Britain Pledges To Invest £2.5bn In Quantum Computing
Ferrari Hacked & Ransom Demanded »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Radisys

Radisys

Radisys offers software, products, integrated systems, and professional services for communication service providers and telecom solution vendors.

TNO Cyber Security Lab

TNO Cyber Security Lab

TNO Cyber Security Lab is a dedicated facility for innovative and experimental research with the goal of a safe and resilient cyberspace.

Electus Recruitment Solutions

Electus Recruitment Solutions

Electus is a leading recruitment specialist in the Engineering, Technology & Digital and Cyber & Security sectors.

Beta Systems Software

Beta Systems Software

Beta Systems automate IT-based business processes, control access rights, monitor processes, secure the network and optimize the infrastructure management of corporate IT.

BehavioSec

BehavioSec

BehavioSec uses the way your customers type, swipe, and hold their devices, and enables them to authenticate themselves through their own behavior patterns.

PSW Group

PSW Group

PSW Group is a full-service Internet solutions provider with a special focus on Internet security.

Cansure

Cansure

Cansure is a leading insurance provider in Canada offering a broad range of property & casualty insurance solutions including Cyber & Data Breach insurance.

Innovative Solutions (IS)

Innovative Solutions (IS)

Innovative Solutions is a specialized professional services company delivering Information Security products and solutions for Saudi Arabia and the Gulf region.

Yelbridges

Yelbridges

Yelbridges is your reliable partner in all fields of IT-Security, from developing of Security Policies and Guidelines to the design and implementation of secure processes.

HARMAN International

HARMAN International

HARMAN designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide.

M2MD Technologies

M2MD Technologies

M2MD Technologies offers solutions optimized for cellular IoT that provide stronger security, reduced costs, enhanced user experience, and ultimately generates higher returns for stakeholders.

Buchbinder Information Technology Solutions

Buchbinder Information Technology Solutions

Buchbinder Tunick & Company is a premier CPA and advisory firm offering a broad range of assurance, tax, business consulting and IT consulting services.

Fluid Attacks

Fluid Attacks

Fluid Attacks specialize in red team operations as well as technology development that continuously enhance our security testing services.

HiScout

HiScout

HiScout is your integrated management system for IT governance, risk & compliance.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

Web3fied

Web3fied

Web3fied is a seed stage company building the future of decentralized digital identity and credentials management.