Five years ago, security researchers first spotted a strain of malware - nicknamed Ploutus - that was being used to infect ATMs in Mexico and drain them of their cash, in what's known as a cash-out or jackpotting attack.
Now, the U.S. Secret Service is warning ATM manufacturers that for the first time, such attacks have migrated to the United States. Security blogger Brian Krebs obtained a copy of an undated, confidential Secret Service memo that contains the warnings, and ATM makers NCR and Diebold Nixdorf on Friday issued their own advisories to customers.
The Secret Service says Ploutus.D was used in a coordinated attacks against standalone ATMs in box-big retailers and pharmacies over 10 days, according to a single, unnamed source cited by Krebs. There are indications more attacks were planned throughout the United States as well.
In all cases seen to date, fraudsters appear to have been targeting two older ATMs from Diebold Nixdorf - its Opteva 500 and 700 series.
When Ploutus first appeared, it was designed only to infect a specific type of ATM made by NCR. But since early last year, researchers with FireEye have seen the developers behind the malware expand its capabilities. The "D" variant of Ploutus works on ATMs from multiple vendors because it is compatible with a type of cash machine middleware used by many banks (see ATM Malware Retooled to Strike More Machines).
Rather than exploiting software vulnerabilities, Ploutus mounts a "logical" attack, using the native protocols, middleware and communication within an ATM to achieve a fraudulent outcome. Whoever developed Ploutus has a firm understanding of the arcane functions of ATMs.
"This represents the first confirmed cases of losses due to logical attacks in the U.S.," writes NCR in its Friday advisory. "This should be treated by ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences."
Hacking ATMs With Endoscopes
The attack on an ATM using Ploutus is invasive. Diebold Nixdorf's security alert, which was published by Krebs, describes how in one attack recorded by CCTV, fraudsters in Mexico used an industrial endoscope to peer into an ATM and manipulate it in preparation for a jackpot attack.
Attacks using endoscopes were first reported by NCR last October, when attackers in Mexico appeared to be using black box controllers to instruct ATMs to dispense all of their cash (see Hackers Practice Unauthorized ATM Endoscopy).
The Opteva models that Diebold Nixdorf says are most at risk from attacks are all frontloading models, which presumably makes it easier for fraudsters to gain access to the inside of machines.
"As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanisms and the authorization process for setting the communication with the dispenser," Diebold's advisory says.
Physical access to the inside of an ATM enclosure allows fraudsters to gain access to an open port in order to deliver Ploutus. Krebs writes that the Secret Service advisory says fraudsters may dress as technicians to deflect suspicion. Diebold's advisory says that in some instances, the fraudsters swap out the hard disk with their own. That hard disk contains an image of the ATM platform software that attackers have modified to include the jackpotting malware.
Swapping the hard drives is a tricky operation. Diebold say that the communication with the cash dispenser has to be reset. After the drive has been swapped, a button inside the cash machine's safe has to be held down. Enter the endoscope, which helps fraudsters locate the reset button that they must press to get their Trojan hard disk to run.
Once an ATM has been tampered with, Ploutus needs to talk to the machine's dispenser. And Ploutus.D has been designed to handle these communications across a number of different ATM platforms.
Most ATMs run on Windows, but the operating system isn't designed for running ATMs and managing hardware. So ATMs run Extensions for Financial Services, or XFS, which is software and a set of APIs that can talk to displays, PIN pads and other ATM peripherals.
For a long time, ATM vendors wrote their own middleware that was layered on top of XFS. But increasingly, ATMs run middleware called Kalignite, which saves banks from having to do more customization for middleware from a variety of vendors.
That's where fraudsters innovated with Ploutus.D: The malware has code libraries that allow it to issue commands through Kalignite. For example, Ploutus.D can send a query via Kalignite to other parts of an ATM, instructing it to open its dispenser or report how much money remains in its cassettes.
Principal Security Researcher Daniel Regalado at Zingbox, who formerly worked as a malware analyst at FireEye, told Information Security Media Group in January 2017 that enabling Ploutus to speak to Kalignite would not have been an easy development task and demonstrates the depth to which cybercriminals understood the middleware.
Encryption, Whitelisting, Locks
NCR and Diebold Nixdorf have issued a bevy of security recommendations to help ATM operators avoid jackpotting attacks.
The first and most important step: Prevent attackers from gaining physical access to ATMs. Diebold Nixdorf, for example, says that the head compartment of ATMs should be secured. And if someone does manage to get inside, two-factor authentication should be enabled for any software modifications to prevent attackers from being able to run malware.
Also enable hard disk encryption and ensure all firmware is kept up to date, the company advises.
NCR has also published extensive guidance on how to defend against logical attacks. For starters, an ATM's BIOS configuration should be password-protected. The manufacturer also offers Solidcore Suite for APTRA, a whitelisting tool that only allows authorized code to run on an ATM.
Another recommendation: Always encrypt communications between the ATM's core software and cash dispenser. That way, the ATM will reject cash-out commands sent by attackers directly to the dispenser.