Jackpotting Attacks Are Back - But Banks Can Fight Back

Uploaded on 2023-03-22 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Financial

ATM jackpotting is a cybercriminal technique that uses malware to make an ATM dispense large sums of cash without using a credit or debit card, fully bypassing the transaction authorisation processes. 

It has caused huge economical losses to ATM operators worldwide over the past decade, and very recently, in February 2023, the cybersecurity community has been alerted of a new variant of ATM jackpotting malware, called FiXS, that has infected ATMs in Mexico.

FiXS is a new piece of malware, however the techniques and tactics that it uses very much ressemble the ones used by other ATM malware families like Ploutus, Tyupkin, Alice, Ripper, and Cobalt. 

While only detected in Mexico so far, the appearance of FiXS does mean ATM operators need to renew their efforts to prevent these attacks, which are extremely sophisticated. What makes FiXS particularly lethal is its ability to infect multiple ATM vendors and models, thanks to its interaction with the XFS (eXtended Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.

FiXS is packaged in a dropper that masquerades as a common system executable, conhost.exe. The dropper embeds the malware (FiXS.exe), which is extracted and copied to the ATM File System. Using the MSXFS.dll library, the malware can interact with the XFS API and send commands to the ATM hardware like the dispenser. Interaction with FiXS is done via a connected keyboard, which launches the malware GUI to allow the attacker to display information of the cash units and to send dispensing commands.

Understanding The Attack Process – From Infection To Cash Out 

To successfully launch an ATM jackpotting attack, there are four phases from preparation to execution. The attacker first steals a hard disk from a production ATM containing the software stack used by the financial institution to analyse and reverse engineer it to prepare a targeted attack. A full R&D process is conducted, including the development, packaging, and testing of a new malware such as FiXS.

At this point the targeted malware is ready to infect ATMs or ASSTs that are loaded with cash.

This is accomplished by physically accessing the device and manipulating it to copy the malware with the help of external keyboards and USB sticks. The attackers need to make the infection persist in time, which can be achieved by replacing legitimate system executables or by setting autorun keys at startup time.  The persistent malware will then run silently waiting for an activation code. Finally, the attacker activates the malware by entering a code that wakes it up and launches a GUI to dispense cash, which is picked up by the gang. 

Some believe that ATMs running outdated and unsupported operating systems, like Windows XP or Windows 7, are more vulnerable. However, ATM malware like FiXS is highly targeted and does not exploit operating system vulnerabilities but rather design flaws of the ATM software stack, like the lack of authentication in the XFS layer.

While migrating to Windows 10 and keeping patches updated is a good practice, ATMs running  Windows 10 are as vulnerable as the ones running Windows 7 or XP.

The Right Cybersecurity Approach To Protect ATMs

Every organisation operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential. However, the physical accessibility of ATMs and the lack of proactive update policies create an inherently vulnerable environment that makes ATM devices challenging to protect with traditional security technologies.

The Zero Trust protection model assumes that the infrastructure managing ATM and ASST devices will be compromised, and enforces the principle of “never trust, always verify” to prevent ATM jackpotting and other attacks. Zero Trust is based on the drastic reduction of the attack surface and a tight control of hardware and software changes in the ATM.

To design a robust Zero Trust ATM and ASST protection model, it is essential to identify the most critical points. Access to software, hardware, and communications must be continuously verified, only granting access to the minimum set of resources that are legitimate and required for the proper functioning of the device. In addition to that, hardware changes, made by third-party companies with physical access to the ATM, should only be possible in authorised time periods, where a specific security policy that allows modifications is applied. These changes are also subject to total monitoring of technical operations and explicit authorisation.

An effective way to secure ATMs, ASSTs, and other critical devices could be by implementing Lookwise Device Manager (LDM), Auriga’s solution that provides comprehensive layered protection to ATMs at all stages of the attack life-cycle, ensuring full availability of services for customers. LDM is designed based on the knowledge of the ATM infrastructure and the tactics and techniques used by attackers, making it an effective way to secure these critical devices.

In conclusion, the latest ATM jackpotting attack using FiXS shows that banks and other operators of ATMs must design a robust Zero Trust cybersecurity model to protect their ATM and ASST devices. The physical accessibility of ATMs, the lack of proactive update policies, and the critical nature of these devices create an inherently vulnerable environment that makes them difficult to protect with traditional security technologies.

Juan Ramon Aramendia is Head of Cybersecurity Product Engineering at Auriga

You Might Also Read: 

Does Your Business Require PCI DSS Compliance?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Britain Pledges To Invest £2.5bn In Quantum Computing
Ferrari Hacked & Ransom Demanded »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Huawei

Huawei

Huawei is a leading global ICT solutions provider. with end-to-end capabilities across the carrier networks, enterprise, consumer, and cloud computing fields.

Arista Networks

Arista Networks

Arista Networks is an industry leader in data-driven, client to cloud networking for large data center, campus and routing environments.

Assured Data Protection

Assured Data Protection

Assured Data Protection specialises in data protection and disaster recovery services for large SME and enterprise organisations.

CSL Group

CSL Group

CSL solutions provide complete end-to-end connectivity services for Security, Fire, Telecare and other mission critical M2M/IoT applications.

Information Technology & Cyber ​​Security Service (STISC) - Moldova

Information Technology & Cyber ​​Security Service (STISC) - Moldova

STISC is a public institution whose purpose is to ensure the administration, maintenance and development of the information technology infrastructure in Moldova.

Ensconce Data Technology (EDT)

Ensconce Data Technology (EDT)

EDT’s focus is on providing solutions to properly sanitize Solid State Drives (SSD) and Magnetic Drives (HDD) before they are disposed or redeployed.

Plug and Play Tech Center

Plug and Play Tech Center

Plug and Play is the ultimate innovation platform, bringing together the best startups and the world’s largest corporations.

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

Inspira Enterprise

Inspira Enterprise

Inspira Enterprise is a leading digital transformation company with expertise in Cyber Security, Internet of Things (IOT), Blockchain, Big Data & Analytics, Intelligent Automation and Cloud Computing.

Visible Statement

Visible Statement

Visible Statement is a computer-based delivery system designed to insure the retention and recall of your most important security training messages.

Shearwater Group

Shearwater Group

Shearwater Group is an award-winning organisational resilience group that provides cyber security, advisory and managed security services to help secure businesses in a connected global economy.

Stone Forest IT (SFIT)

Stone Forest IT (SFIT)

Stone Forest IT specialises in providing advisory, implementation and managed services for IT infrastructure, IT security solutions, business applications (ERP and CRM) and business analytical tools.

Twingate

Twingate

Twingate help organizations secure and manage access to their technology resources in a world where people work from anywhere.

CrowdSec

CrowdSec

CrowdSec is an open-source & participative IPS able to analyze visitor behavior by parsing logs & provide an adapted response to all kinds of attacks.

Abu Dhabi Gov Digital

Abu Dhabi Gov Digital

Gov Digital (formerly Abu Dhabi Digital Authority - ADDA) enable, support and deliver a digital government that is proactive, personalised, collaborative and secure.

Association for Uncrewed Vehicle Systems International (AUVSI)

Association for Uncrewed Vehicle Systems International (AUVSI)

AUVSI is the world's largest nonprofit organization dedicated to the advancement of uncrewed systems and robotics. Focus areas include cyber security for uncrewed systems and robotics.