Report: European Banks Struck by ATM Jackpotting AttacksATMs Said to Disgorge Cash on Mobile Phone Commands
Hackers have been draining ATMs of cash across Europe after compromising the networks of banks and planting malicious software on the machines, the security company Group-IB says. But the Russian company's report is being cautiously reviewed by some in the financial services industry.
The gang, nicknamed Cobalt after a software tool it employs, uses hacking techniques that are strikingly similar to another group called Buhtrap, Group-IB claims. Some individuals allegedly affiliated with Buhtrap were arrested in May. The group is believed to have stolen more than $25 million from banks, Group-IB says.
The attacks do not involve any physical interventions with an ATM itself, but rather software modifications made after a bank's network is compromised, which Group-IB calls a "logical attack."
"To perform a logical attack, hackers access a bank's local network, which is further used to gain total control over ATMs in their system," Group-IB says. "Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease."
Video footage of one theft showed someone approaching an ATM with a mobile phone. The individual made a call and then prepared a bag. A few minutes later, the ATM began dispensing cash. The thief made a call before leaving the ATM, which was then rebooted, Group-IB says.
As of September, Cobalt struck banks in Russia, the U.K., the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia and Malaysia, according to Group-IB, which did not name affected banks.
Diebold Nixdorf, one of the largest manufacturers of ATMs, says that while it's aware of the type of attacks described by Group-IB's report, it was not aware of the incidents mentioned. "There are no indications to us that this group of fraudsters is active in Europe or the Americas," says Ulrich Nolte, a Diebold Nixdorf spokesman.
NCR, another large ATM manufacturer, says it's also familiar with the attack vectors and has been implementing applications and strategies to counter them. "We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks," says spokesman Rakesh Aulaya.
The European ATM Security Team, which studies ATM crime and fraud, is looking into Group-IB's report, says Lachlan Gunn, its executive director.
EAST, along with ATM manufacturers, banks and law enforcement, published a guide last year for how the financial services industry can counter ATM malware and logical attacks. The guide is only available to those in law enforcement and the banking and payments industries.
Security experts have long warned that ATMs, which often are stripped-down Microsoft Windows computers, have many avenues for potential compromise. In 2010, the late researcher Barnaby Jack showed he could exploit software vulnerabilities and command the machines to spit out cash.
This year, cybercriminals have carried out some jaw-dropping attacks. In July, suspected Russian nationals withdrew a total of $2.2 million from dozens of ATMs in Taiwan belonging to First Bank. A few weeks later in Thailand, three groups of men working in six provinces commanded 21 ATMs to disgorge a total of 12 million baht ($350,000) (see 'Ripper' ATM Malware: Where Will Cybercriminals Strike Next?).
ATMs are expensive to upgrade and replace, and more than 90 percent of those deployed around the world still run Windows XP. Although Microsoft stopped supporting the consumer version of the operating system in April 2014, it continued to support the "embedded" version, which is inside ATMs, through this year.
The machines are networked with the bank's other systems, and if those systems have weaknesses, it provides opportunities for attacks. Group-IB says the point of entry into the European banks was a tried-and-true method: spear phishing.
Spear phishing is the practice of targeting key individuals with carefully crafted emails designed to trick people into opening malicious attachments or links.
Group-IB says emails purporting to be from ATM manufacturer Diebold Nixdorf, the European Central Bank and other local banks were sent containing malicious attachments or password-protected archives containing executable code.
Once inside the network, the attackers used tools usually reserved for penetration tests, such as Cobalt Strike and Mimikatz, to gain access to domain controllers, which manage authentication credentials and network access. Eventually, they reached the ATMs.
The cybercriminals have mastered manipulation of a set of APIs known as XFS or Extension for Financial Services, Group-IB says. The software acts as a middleman between an ATM's hardware, such as displays and PIN pads, and the host Windows system.
"To make ATMs give out cash, criminals launch malware using Extensions for Financial Services (XFS) standard," Group-IB says. "On command from the bank's internal network, the program starts dispensing notes until machines are empty."
After a theft is complete, the attackers cover their tracks. They use a Microsoft utility, SDelete (Secure Delete), to get rid of any trace of malware.
To also make the intrusions more difficult for investigators to detect, the cybercriminals have targeted banks' internal servers with MBRkiller. That malware wipes out a computer's master boot record, which is the first sector of a PC's hard drive that the computer looks to before loading the operating system.