
Kaspersky shows how Hackers are emptying ATMs

At this year's Security Analyst Summit in St Maarten, Kaspersky researcher Igor Soumenkov presented how hackers are using a combination of low-tech and high-tech techniques to empty out ATMs in Europe and Russia. According to the article at Bleeping Computer, these attacks first started last year, when several banks discovered empty ATMs with a small hole drilled into the side. From the article:

Quote

After calling Kaspersky experts to investigate, it became apparent that no malware had been used in the attacks, yet no one could explain how the attackers forced the ATM to dispense all its bills.

Only when taking a closer look at the drilled hole did researchers understand what happened. The hole's position was crucial to unraveling the attack.

ATM thieves had drilled a small hole, about 4 centimeters (1.5 inches) wide, on the side of the ATM's PIN (numbers) pad. After dismantling a similar ATM in their laboratory, Kaspersky researchers realized this hole was right near a crucial ATM component, a 10-pin header.

According to this article, this 10-pin header actually connected straight to the main bus that interconnects all the other ATM components. The rig used to connect to the ATM cost only about $15 in off-the-shelf parts, plus a laptop to send commands to the ATM, at which point it would dispense its cash.

 

At this same conference, Kaspersky also:

Quote

On Monday, at the same conference, Kaspersky researchers revealed ATMitch, a new attack on ATMs that relies on crooks hijacking a bank's ATM backend network and installing self-deleting malware on ATMs via RDP connections.

The article on ATMitch presents:

 

Quote

Security researchers have uncovered one of the most sophisticated ATM heists to date, involving a group of cyber criminals specialized in hacking bank networks using fileless malware, and ATM malware that spits out cash and then self-deletes.

These ATM heists are the work of a group of hackers that's been active for years. Most recently, starting in 2016, this group has switched to using legitimate Windows apps and fileless malware to hack into government agencies and banks in at least 40 countries.

Because those attacks used stealthy techniques that left a minimal footprint on infected servers, investigators weren't able to detect what the crooks were after. Nevertheless, they suspected the hackers stole data from infected systems, albeit they didn't know what data.

Below is a flow chart from Bleeping Computer showing how the ATMitch system works:

[Image: ATMitch flow chart (ATMitch.png)]

The genius part of this that makes it hard to deal with is that the malware self-deletes once the attack ends, pretty much erasing the evidence. According to the article, this was discovered:

 

Quote

It was only by accident that on one ATM the malware left behind a file named "tv.dll." After further digging around, researchers were able to discover how the malware worked and traced it back to banks compromised by the same group they uncovered this past February.

Right now, researchers have tracked down only two incidents with ATMitch, at a bank in Russia and one in Kazakhstan, but they believe that many more have also taken place.

The only problem is that detecting either the hacked bank or the hacked ATM is almost impossible, as most of the malicious behavior takes place via self-deleting malware and malicious PowerShell scripts executing in memory, without leaving any artifacts on disk. Once the bank server/computer or the ATM is rebooted, most of the clues are wiped from memory.

ATMitch is not the first ATM malware strain that works by forcing ATMs to empty their cash dispensers. Other strains are GreenDispenser, and recent versions of the Alice and Ploutus ATM malware.

I would expect several banks to begin doing some retrofitting of their systems' hardware and software in the near future to try to do away with these vulnerabilities.

 

https://www.bleepingcomputer.com/news/security/hackers-empty-atms-by-drilling-one-small-hole/

https://www.bleepingcomputer.com/news/security/self-deleting-malware-makes-atms-spit-out-cash/
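An added illustration, not from the Bleeping Computer articles or from Kaspersky's research, of the design flaw the drilled-hole attack points at and the fix it implies: if the dispenser obeys any well-formed command that arrives on the internal bus, anything wired into that 10-pin header can empty it; if every command carries a message authentication code under a key shared only by the ATM's PC core and the dispenser, plus a counter so a captured frame cannot be replayed, the same $15 rig gets nothing. The frame layout, the opcode, the field names and the key handling below are assumptions made for this example, not the protocol of any real ATM.

```python
"""Toy model of an ATM's internal command channel, written for this thread to
show why a dispenser that obeys any well-formed frame on the bus can be emptied
by a cheap board plugged into an exposed header, and how per-message
authentication with a counter closes that gap. Frame layout, opcode, field
names and key handling are assumptions for the example, not any real ATM's
protocol."""
import hashlib
import hmac
import secrets
import struct

CMD_DISPENSE = 0x01   # assumed opcode: "dispense N notes"
BODY_FMT = ">BIH"     # opcode, 32-bit monotonic counter, note count (7 bytes)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def bare_frame(cmd: int, notes: int) -> bytes:
    """Weak design: opcode + note count and nothing else. Anything wired into
    the bus can build this without knowing any secret."""
    return struct.pack(">BH", cmd, notes)


def authenticated_frame(key: bytes, counter: int, cmd: int, notes: int) -> bytes:
    """Hardened design: body plus HMAC-SHA256 over it under a key shared only by
    the ATM's PC core and the dispenser. Key provisioning is outside this example."""
    body = struct.pack(BODY_FMT, cmd, counter, notes)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UnauthenticatedDispenser:
    """Accepts whatever arrives on the bus (the behaviour the drilled-hole
    attack relies on)."""

    def __init__(self, notes_loaded: int):
        self.notes = notes_loaded

    def handle(self, frame: bytes) -> int:
        """Returns the number of notes dispensed."""
        if len(frame) < 3:
            return 0
        cmd, requested = struct.unpack(">BH", frame[:3])
        if cmd != CMD_DISPENSE:
            return 0
        paid = min(requested, self.notes)
        self.notes -= paid
        return paid


class AuthenticatedDispenser:
    """Only acts on frames with a valid tag and a counter it has not seen."""

    def __init__(self, notes_loaded: int, key: bytes):
        self.notes = notes_loaded
        self.key = key
        self.last_counter = -1

    def handle(self, frame: bytes) -> int:
        """Returns the number of notes dispensed; 0 for anything rejected."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return 0
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged or tampered
            return 0
        cmd, counter, requested = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:             # sniffed-and-replayed frame
            return 0
        self.last_counter = counter
        if cmd != CMD_DISPENSE:
            return 0
        paid = min(requested, self.notes)
        self.notes -= paid
        return paid


def demo() -> dict:
    """Runs the attacker's bare frame, a forged tag, a legitimate frame and a
    replay against both designs; all values come from the toy model above."""
    key = secrets.token_bytes(32)
    weak = UnauthenticatedDispenser(notes_loaded=2000)
    strong = AuthenticatedDispenser(notes_loaded=2000, key=key)
    attacker = bare_frame(CMD_DISPENSE, 2000)
    forged = struct.pack(BODY_FMT, CMD_DISPENSE, 1, 2000) + bytes(TAG_LEN)
    legit = authenticated_frame(key, counter=1, cmd=CMD_DISPENSE, notes=20)
    r = {
        "weak_pays_bare_frame": weak.handle(attacker),
        "strong_rejects_bare_frame": strong.handle(attacker),
        "strong_rejects_forged_tag": strong.handle(forged),
        "strong_pays_legit": strong.handle(legit),
        "strong_rejects_replay": strong.handle(legit),
    }
    r["weak_notes_left"] = weak.notes
    r["strong_notes_left"] = strong.notes
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The authentication only helps if the key cannot be read from the bus side or from the PC core's disk by someone who already has the cabinet open, which means keeping it in the dispenser's own protected storage and pairing it with the host at deployment; that pairing step is the kind of retrofit the post's last paragraph is talking about.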

 

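The second story is harder because, as the post says, the malware and the PowerShell scripts live in memory and a reboot clears them. What survives is whatever the ATM logged and shipped off-box before that happened, so the practical check runs on forwarded logs. Below is an added detection example written for this thread, not Kaspersky's or Bleeping Computer's tooling. It walks constructed SIEM-style key=value lines (real Windows events are XML; the field names follow Security event 4624, PowerShell event 4104 and Sysmon event 11, but the line format, the ATM host names, the jump-host address and the log contents are all made up) and flags RDP logons to ATMs from anywhere other than the maintenance jump host, PowerShell script blocks using generic in-memory tradecraft, and creation of the one file the article names, tv.dll.

```python
"""Detection sketch over forwarded ATM logs, written for this thread as an
illustration, not Kaspersky's or Bleeping Computer's tooling. Input is a
constructed key=value export (real Windows events are XML); the field names
follow Security 4624, PowerShell 4104 and Sysmon 11, but the hosts, addresses
and log contents are made up."""
import re

ATM_HOSTS = {"ATM-0042", "ATM-0043"}      # assumed asset inventory
RDP_ALLOWED_SOURCES = {"10.10.5.20"}      # assumed maintenance jump host
RDP_LOGON_TYPE = "10"                     # 4624 LogonType 10 = RemoteInteractive (RDP)

# Generic in-memory PowerShell tradecraft, not ATMitch-specific signatures.
FILELESS_RE = re.compile(
    r"-enc(odedcommand)?\b|FromBase64String|\bIEX\b|Invoke-Expression|"
    r"DownloadString|Reflection\.Assembly\]::Load",
    re.IGNORECASE,
)
# key=value pairs; quoted values may contain spaces (script blocks do).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one legitimate RDP session, one from an unexpected host,
# one encoded/in-memory PowerShell block, one benign block, a network logon,
# a DLL dropped where the article says ATMitch left one, and a non-ATM host.
SAMPLE_LOGS = r"""
host=ATM-0042 EventID=4624 LogonType=10 TargetUser=svc_atm SourceIP=10.10.5.20
host=ATM-0042 EventID=4624 LogonType=10 TargetUser=Administrator SourceIP=10.200.14.77
host=ATM-0042 EventID=4104 ScriptBlock="$b=[Convert]::FromBase64String($p); IEX ([Text.Encoding]::Unicode.GetString($b))"
host=ATM-0043 EventID=4104 ScriptBlock="Get-Service | Where-Object Status -eq Running"
host=ATM-0043 EventID=4624 LogonType=3 TargetUser=svc_atm SourceIP=10.10.5.20
host=ATM-0043 EventID=11 TargetFilename=C:\Windows\Temp\tv.dll
host=BRANCH-PC7 EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=10.200.14.77
"""


def parse(line: str) -> dict:
    """Turns one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines) -> list:
    """Returns (rule, host, detail) tuples for events on ATM hosts that match
    one of the three checks; everything else is ignored."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse(raw)
        host = ev.get("host")
        if host not in ATM_HOSTS:
            continue
        eid = ev.get("EventID")
        if (eid == "4624" and ev.get("LogonType") == RDP_LOGON_TYPE
                and ev.get("SourceIP") not in RDP_ALLOWED_SOURCES):
            alerts.append(("rdp_from_unexpected_source", host, ev.get("SourceIP", "?")))
        elif eid == "4104" and FILELESS_RE.search(ev.get("ScriptBlock", "")):
            alerts.append(("fileless_powershell", host, ev["ScriptBlock"][:40]))
        elif eid == "11" and ev.get("TargetFilename", "").lower().endswith("\\tv.dll"):
            alerts.append(("atmitch_artifact", host, ev["TargetFilename"]))
    return alerts


def run_demo() -> list:
    """Runs the three checks over the constructed sample above."""
    return detect(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for rule, host, detail in run_demo():
        print(f"{rule:28s} {host:10s} {detail}")
```

Event 4104 only exists if PowerShell Script Block Logging is turned on, and none of this helps unless the events leave the ATM before the reboot that wipes memory, which is the point of the post's last quoted paragraph. The PowerShell patterns are generic fileless indicators, not signatures for ATMitch.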

1 minute ago, SCHISCHKA said:

Pffft. In NZ they put a chain around the machine and rip it off, or they just crash a stolen car into it.

Now, those are the REAL geniuses of the bank-robbing world.


10 minutes ago, SCHISCHKA said:

Pffft. In NZ they put a chain around the machine and rip it off, or they just crash a stolen car into it.

I do remember reading about an Aussie using a forklift and another one using a front-end loader to just carry them away.

 

Or if you're really smart:

 

The ability to google properly is a skill of its own. 


ATM Machines are just inviting crooks to steal from them. A lot harder robbing a bank, with guards, steel doors and cameras etc. Some ATMs, it's just on the side of a building full of cash LOL.

It's basically saying "THIS IS WHERE ALL THE MONEY IS". X marks the spot lol


1 hour ago, SCHISCHKA said:

Pffft. In NZ they put a chain around the machine and rip it off, or they just crash a stolen car into it.

In Top Trumps terms I'd still go with the JCB digger approach :D


9 hours ago, SCHISCHKA said:

Pffft. In NZ they put a chain around the machine and rip it off, or they just crash a stolen car into it.

Why are people giving thumbs ups for that comment?

Robbing an ATM in those ways isn't a good thing. lol


16 minutes ago, Bleedingyamato said:

Why are people giving thumbs ups for that comment?

Robbing an ATM in those ways isn't a good thing. lol

Don't worry, it's not the kind of robbery that can be committed anymore. They have shielding in banks, and they stopped putting ATMs in petrol stations that you can just pick up and run away with.


1 hour ago, SCHISCHKA said:

Don't worry, it's not the kind of robbery that can be committed anymore. They have shielding in banks, and they stopped putting ATMs in petrol stations that you can just pick up and run away with.

Oh, I'm not worried. Just a mix of amused/slightly concerned that people were seemingly like "yay ATM robbery!" lol

Serious question: why is it called petrol? We just call it gas (because gasoline is too long, I guess).


Just now, Bleedingyamato said:

Oh, I'm not worried. Just a mix of amused/slightly concerned that people were seemingly like "yay ATM robbery!" lol

Serious question: why is it called petrol? We just call it gas (because gasoline is too long, I guess).

Because petrol is short for petroleum, whereas gas is, well, not a liquid. You're right, it doesn't make sense, because they sell diesel and LPG but none of them are in a gas state at the time of purchase.


2 minutes ago, SCHISCHKA said:

Because petrol is short for petroleum, whereas gas is, well, not a liquid. You're right, it doesn't make sense, because they sell diesel and LPG but none of them are in a gas state at the time of purchase.

Why call it petroleum instead of gasoline though?

Calling it gas could be a bit confusing, I agree, if someone didn't know it was short for gasoline, and because it's not a gas but we call it gas.

Things can have odd names sometimes. lol

Like those odd people that call soda "pop" instead. lol

@wcreek I believe you're one of those pop people.


11 hours ago, WMGroomAK said:

I would expect several banks to begin doing some retrofitting of their systems hardware and software in the near future to try and do away with these vulnerabilities.

So I guess I'll just withdraw money over the counter. Too bad my salary goes directly to the company-provided ATM card.

 

11 hours ago, IceCold008 said:

ATM Machines are just inviting crooks to steal from them.

ATM means "automated teller machine". Saying "ATM Machines" would make it redundant. It would be better if you typed "ATM terminals". Just saying.


54 minutes ago, Bleedingyamato said:

Things can have odd names sometimes.   lol

When we're out of gas we call it gas. We get a petrol card from our boss to buy diesel. But a petrol station is not called a gas station.


Just now, SCHISCHKA said:

When we're out of gas we call it gas. We get a petrol card from our boss to buy diesel. But a petrol station is not called a gas station.

Your country enjoys hurting my brain, doesn't it? lol


3 minutes ago, Bleedingyamato said:

Your country enjoys hurting my brain, doesn't it? lol

Americans lose it when we say come over for tea and bring a plate. That means come over for dinner and bring a plate of food to share.


1 hour ago, Bleedingyamato said:

Why call it petroleum instead of gasoline though?

Calling it gas could be a bit confusing, I agree, if someone didn't know it was short for gasoline, and because it's not a gas but we call it gas.

Things can have odd names sometimes. lol

Like those odd people that call soda "pop" instead. lol

@wcreek I believe you're one of those pop people.

In my area we just call it 'shit' (actually a direct translation would be trash, but ehh).

Or we just use the name of the drink.

I haven't heard people use pop, and rarely is soda used.


2 minutes ago, SCHISCHKA said:

Americans lose it when we say come over for tea and bring a plate. That means come over for dinner and bring a plate of food to share.

I wouldn't lose it, but I would assume that when someone says tea they actually mean tea and not a meal.

Though I might mentally freak out and have really bad anxiety worrying about what food to bring and how much is enough and if my hosts will like what I'd bring.

Does that count?


Just now, Bleedingyamato said:

I wouldn't lose it, but I would assume that when someone says tea they actually mean tea and not a meal.

Though I might mentally freak out and have really bad anxiety worrying about what food to bring and how much is enough and if my hosts will like what I'd bring.

Does that count?

Not as much as literally bringing a plate.


Just now, themctipers said:

In my area we just call it 'shit' (actually a direct translation would be trash, but ehh).

Or we just use the name of the drink.

I haven't heard people use pop, and rarely is soda used.

Why would you call soda trash? Is soda not popular where you live?


Just now, SCHISCHKA said:

Not as much as literally bringing a plate.

I might actually do that... I can be a rather literal thinker sometimes.


Just now, Bleedingyamato said:

Why would you call soda trash? Is soda not popular where you live?

It just is.

We have a weird culture here where I live.

Want to hear something shocking?

People tend to hang out at fucking Wendy's and talk there, over Starbucks or some shit.

Just now, Bleedingyamato said:

I might actually do that... I can be a rather literal thinker sometimes.

Plate = food.

At least that's what it's meant when you say bring a plate over.

A plate of food. :)


2 minutes ago, themctipers said:

It just is.

We have a weird culture here where I live.

Want to hear something shocking?

People tend to hang out at fucking Wendy's and talk there, over Starbucks or some shit.

Plate = food.

At least that's what it's meant when you say bring a plate over.

A plate of food. :)

You live in the Twilight Zone, don't you? lol


Just now, Bleedingyamato said:

You live in the Twilight Zone, don't you? lol

People still use P4/C2D/C2Q here.

Some people bring fucking MacBooks to Wendy's. :P


16 minutes ago, themctipers said:

People still use P4/C2D/C2Q here.

Some people bring fucking MacBooks to Wendy's. :P

People using crazy old Intel CPUs, yet they can afford Macs? Something seems odd if you ask me.
