Jackpotting Attacks Are Back - But Banks Can Fight Back

ATM jackpotting is a cybercriminal technique that uses malware to make an ATM dispense large sums of cash without using a credit or debit card, fully bypassing the transaction authorisation processes. 

It has caused huge economical losses to ATM operators worldwide over the past decade, and very recently, in February 2023, the cybersecurity community has been alerted of a new variant of ATM jackpotting malware, called FiXS, that has infected ATMs in Mexico.

FiXS is a new piece of malware, however the techniques and tactics that it uses very much ressemble the ones used by other ATM malware families like Ploutus, Tyupkin, Alice, Ripper, and Cobalt. 

While only detected in Mexico so far, the appearance of FiXS does mean ATM operators need to renew their efforts to prevent these attacks, which are extremely sophisticated. What makes FiXS particularly lethal is its ability to infect multiple ATM vendors and models, thanks to its interaction with the XFS (eXtended Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.

FiXS is packaged in a dropper that masquerades as a common system executable, conhost.exe. The dropper embeds the malware (FiXS.exe), which is extracted and copied to the ATM File System. Using the MSXFS.dll library, the malware can interact with the XFS API and send commands to the ATM hardware like the dispenser. Interaction with FiXS is done via a connected keyboard, which launches the malware GUI to allow the attacker to display information of the cash units and to send dispensing commands.

Understanding The Attack Process – From Infection To Cash Out 

To successfully launch an ATM jackpotting attack, there are four phases from preparation to execution. The attacker first steals a hard disk from a production ATM containing the software stack used by the financial institution to analyse and reverse engineer it to prepare a targeted attack. A full R&D process is conducted, including the development, packaging, and testing of a new malware such as FiXS.

At this point the targeted malware is ready to infect ATMs or ASSTs that are loaded with cash.

This is accomplished by physically accessing the device and manipulating it to copy the malware with the help of external keyboards and USB sticks. The attackers need to make the infection persist in time, which can be achieved by replacing legitimate system executables or by setting autorun keys at startup time.  The persistent malware will then run silently waiting for an activation code. Finally, the attacker activates the malware by entering a code that wakes it up and launches a GUI to dispense cash, which is picked up by the gang. 

Some believe that ATMs running outdated and unsupported operating systems, like Windows XP or Windows 7, are more vulnerable. However, ATM malware like FiXS is highly targeted and does not exploit operating system vulnerabilities but rather design flaws of the ATM software stack, like the lack of authentication in the XFS layer.

While migrating to Windows 10 and keeping patches updated is a good practice, ATMs running  Windows 10 are as vulnerable as the ones running Windows 7 or XP.

The Right Cybersecurity Approach To Protect ATMs

Every organisation operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential. However, the physical accessibility of ATMs and the lack of proactive update policies create an inherently vulnerable environment that makes ATM devices challenging to protect with traditional security technologies.

The Zero Trust protection model assumes that the infrastructure managing ATM and ASST devices will be compromised, and enforces the principle of “never trust, always verify” to prevent ATM jackpotting and other attacks. Zero Trust is based on the drastic reduction of the attack surface and a tight control of hardware and software changes in the ATM.

To design a robust Zero Trust ATM and ASST protection model, it is essential to identify the most critical points. Access to software, hardware, and communications must be continuously verified, only granting access to the minimum set of resources that are legitimate and required for the proper functioning of the device. In addition to that, hardware changes, made by third-party companies with physical access to the ATM, should only be possible in authorised time periods, where a specific security policy that allows modifications is applied. These changes are also subject to total monitoring of technical operations and explicit authorisation.

An effective way to secure ATMs, ASSTs, and other critical devices could be by implementing Lookwise Device Manager (LDM), Auriga’s solution that provides comprehensive layered protection to ATMs at all stages of the attack life-cycle, ensuring full availability of services for customers. LDM is designed based on the knowledge of the ATM infrastructure and the tactics and techniques used by attackers, making it an effective way to secure these critical devices.

In conclusion, the latest ATM jackpotting attack using FiXS shows that banks and other operators of ATMs must design a robust Zero Trust cybersecurity model to protect their ATM and ASST devices. The physical accessibility of ATMs, the lack of proactive update policies, and the critical nature of these devices create an inherently vulnerable environment that makes them difficult to protect with traditional security technologies.

Juan Ramon Aramendia is Head of Cybersecurity Product Engineering at Auriga

You Might Also Read: 

Does Your Business Require PCI DSS Compliance?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Britain Pledges To Invest £2.5bn In Quantum Computing
Ferrari Hacked & Ransom Demanded »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Mellanox Technologies

Mellanox Technologies

Mellanox Technologies is a leading supplier of end-to-end Ethernet and InfiniBand intelligent interconnect solutions and services for servers, storage, and hyper-converged infrastructure.

Exprivia

Exprivia

Exprivia is active in the design, development and integration of IT systems including cyber security.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

National Cybersecurity Society (NCSS) - USA

National Cybersecurity Society (NCSS) - USA

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education, awareness and advocacy to small businesses.

CYBRScore

CYBRScore

CYBRScore is a premium, performance-based cyber skills training and assessment provider that quantifies a user’s ability to defend a network.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

Perygee

Perygee

Perygee is a fully integrated platform for operational security. Companies depend on Perygee to identify and streamline the most important security practices for their operations.

VectorRock

VectorRock

Save Your Business From Cyber Criminals. We specialize in uncovering cyber risks which threaten your organization and fixing them.

Netgo

Netgo

Netgo group meet the requirements of a complex, digitized world with IT consulting, IT solutions & services, managed & cloud services and software products & development.

Cognisys Group

Cognisys Group

Cognisys provides cyber security penetration testing and compliance services from its offices in Leeds and Manchester.

ZX Security

ZX Security

ZX Security is a New Zealand owned and operated cyber security consultancy.

Turk Telekom

Turk Telekom

Turk Telekom is the first integrated telecommunications operator in Turkey.

Colt Technology Services

Colt Technology Services

Colt Technology Services (Colt) is a global digital infrastructure company which creates extraordinary connections to help businesses succeed.

Arista Middle East

Arista Middle East

Arista Middle East is part of Global Arista Technologies specializing in OT Cybersecurity.

Vernetzen

Vernetzen

Vernetzen is an industrial network and cybersecurity innovator focused on delivering practical solutions to connect and secure industry across the globe.

FSP

FSP

FSP is a leading consultancy specialising in Digital, Security and AI solutions. We navigate the complexities of data sensitivity, confidentiality, governance and compliance.