In 2016 Kaspersky Lab employees participated in incident response cases that took place in dozens of financial institutions around the globe. In most cases we had to provide forensic analysis of ATMs. When the Carbanak attack details were announced at #TheSAS2015, criminals also found this information useful. Other criminal groups eagerly adopted the same TTPs. Banks started to suffer from attacks on ATMs involving both malware and physical access.
These are:
• Direct attacks on the peripherals and low-level hardware protocols
• Hacker movie-style hardware drops in bank offices
• Carbanak-like software attacks on ATM software layer
• Bluetooth HID dongles implanted in ATMs instead of black boxes
We will provide details about each of these cases and present a cheap and simple hardware design that (when applied with a bit of physical labor) can empty one of the most popular ATM models in the world.
https://sas.kaspersky.com
5. ORIGINAL REQUEST FROM A BANK ABOUT ATM
1. Empty cassettes
2. No samples
3. Nothing in logs
4. C:\Windows\Temp\kl.txt found
5. The main question: is KL involved?
Security Analyst Summit 2017
9. ATMITCH IN ACTION
ECHO O - open dispenser
ECHO I - initialization
ECHO D 6 1 - dispense 1 note from cassette 6
RUNDLL MALWARE
CATCH SOME MONEY...
10. SUMMARY
1. Sample works with MSXFS.DLL
2. It was installed from a bank (no files)
3. There were some speculations about fileless malware for ATM. It is not TRUE. Whitelisting will block it.
12. STEPS
1. Bank requested forensic research of an ATM
2. Black box attack in a far, far away city
3. No CCTV because the attacker placed stickers on the cameras
4. No logs about opening of the service zone
6. Transport ATM to HQ
7. Investigate hardware on ATM
14. ATTACKER’S STEPS
1. Plug USB-Bluetooth dongle into ATM
2. Pair it with wireless keyboard
3. Wait for 3 months
4. Turn on keyboard near ATM
5. Reboot ATM
6. Boot into ATMDesk
7. Dispense some money
16. BANK REQUEST FOR ASSISTANCE
1. Construction worker was drilling an ATM near the bank's office
2. He was noticed by a police patrol in the middle of the day
3. He started to run and destroy evidence
4. He was tearing some cables, breaking down his laptop and some small box
5. After arrest he didn't say a word
28.
Every device has an address
Decrypted codes for dispensing are hidden in equation
29. SDC BUS STREAM INJECTION
0x0C0 Wait for a big request and reply first with inject in response:
0x0C1 0x001 0x0AA PAUSE 0x189 0x0F7 GIVE ME THE MONEY!