Hacked ATMs Spew Cash into the Hands of Cybercriminals

thezootsewt/ November 23, 2016/ Financial and Banking/ 0 comments

Imagine you are minding your own business walking down the street, and suddenly an ATM machine starts spewing thousands of dollars in cash without anyone at the controls.  As far fetched as that sounds, it is becoming more and more common outside the US due to the wily activities of cyber criminals.  The threat has grown to the point that the FBI is warning US banks that they need to redouble their efforts to secure ATM machines.  The FBI bulletin stated that it was “monitoring emerging reports indicating that well-resourced and organized malicious cyber-actors have intentions to target the US financial sector.”

The Wall Street Journal is reporting that Russian hackers are behind the attacks, and profiting to the tune of many millions of dollars.  Banks in Thailand and Taiwan were targeted earlier this year.  Recently ATM machines in Europe have also fallen victim to attack according to Fortune magazine.

Security experts believe the Russian hackers remotely breach a banks network and install malware known as buhtrap into the banks information systems.  Once the malware is installed, the hackers can issue a command at the time of their choosing to direct specific ATM machines to dispense cash, likely to waiting members of the hacking gang.  To make matters worse, apparently the malware code to direct the ATM machines to dispense cash was released on the Internet earlier this year, so other cyber criminals are expected to also begin attacking ATM machines and bank network throughout the world.

The buhtrap malware is fairly advanced in that it directly targets banks and executes in a number of stages.  The first stage involves an unwitting users going to a website that contains the malware and unknowingly downloading the malicious code.  The first stage malware then attempts to determine if it’s new home is within a bank.  It does this by looking for programs running on the computer, and if it finds one that matches any of a number of banking programs, it knows it has hit the jackpot.  Then the malware begins a second download of malicious code in which it brings additional corrupting code into the mix.  The second stage malware contains a keylogger, downloader, and can even read the contents of a smartcard in the victim’s computer system.  A command and control (CnC) server can then remotely direct attacks, such as ATM machine number 1234, dispense $100,000.00 now.

There are a number of techniques that banks can use to mitigate this threat.  First and foremost, banks need to tightly control their networks to ensure that malware is detected and scrubbed at the network boundary (via IPS/IDS/NGFirewall/etc.).   A properly architected network with appropriate levels of segmentation also helps to mitigate the risk from a network perspective.  Secondly, users need continuous training – just don’t click that link in your email.  Thirdly, banks need more robust and better funded cyber security teams to keep watch over information systems.  When all is said and done, a bank is really a large network with some really critical information flowing through it (money).  Securing financial networks needs to be a top priority for both governments and financial institutions, otherwise get ready for ATMs to keep spewing cashing out onto the streets.

Additional References –

http://www.group-ib.com/brochures/gib-buhtrap-report.pdf

https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/

https://www.cyphort.com/buhtrap-malware-every-banks-security-team-needs-know/

 

Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
*
*