In 2016 Kaspersky Lab employees participated in incident response cases that took place in dozens of financial institutions around the globe. In most cases we had to provide forensics analysis of ATMs. When Carbanak attack details were announced at #TheSAS2015, criminals also found this information useful. Other criminal groups eagerly adopted the same TTPs. Banks started to suffer from attacks on ATMs including both, malware and physical access. These are: • Direct attacks on the peripherals and low-level hardware protocols • Hacker movie-style hardware drops in bank offices • Carbanak-like software attacks on ATM software layer • Bluetooth HID dongles implanted in ATMs instead of black boxes We will provide details about each of these cases and present a cheap and simple hardware design that (when applied with a bit of physical labor) can empty one of the most popular ATM models in the world. https://sas.kaspersky.com

1. Live in the ATM trenches
Sergey (k1k) Golovanov
Igor (igosha) Soumenkov
Electrical engineers
Kaspersky Lab

2. AGENDA
Drilling
Bl@ckb0x_m@g1c
ATMitch
Security Analyst Summit 2017

3. ATMITCH

4. Fileless attacks against enterprise networks.
By GReAT on February 8, 2017.

5. ORIGINAL REQUEST FROM A BANK ABOUT ATM
1. Empty cassettes
2. No samples
3. Nothing in logs
4. C:WindowsTempkl.txt found
5. The main question: is KL involed?
Security Analyst Summit 2017

6. Dates
KL.TXT file content photo from empty ATM

7. ACTION STEPS
1. Create YARA rule on VirusTotal.com
2. Wait…
Security Analyst Summit 2017

9. ATMITCH IN ACTION
ECHO O -­ open dispenser
ECHO I – initialization
ECHO D 6 1 -­
dispense 1 note from
cassette 6
RUNDLL MALWARE
CATCH SOME MONEY...

10. SUMMARY
1.Sample works with MSXFS.DLL
2.It was installed from a bank (no files)
3.There were some speculations
about fileless malware for ATM. It is
not TRUE. Whitelisting will block it.
Security Analyst Summit 2017

11. BL@CKB0X_M@G1C

12. STEPS
1. Bank requested forensics research of ATM
2. Blackbox attack in far-­far away city
3. No CCTV cuz attacker placed stickers on cameras
4. No logs about opening of service zone
6. Transport ATM to HQ
7. Investigate hardware on ATM
?Security Analyst Summit 2017

13. DISCOVERY
Security Analyst Summit 2017

14. ATTACKER’S STEPS
1.Plug USB-­Bluetooth dongle to ATM
2.Pair it with wireless keyboard
3.Wait for 3 months
4.Turn on keyboard near ATM
5.Reboot ATM
6.Boot in ATMDesk
7.Dispense some money
Security Analyst Summit 2017

15. DRDRDRDRDRDRDRDRILLING

16. 1.Construction worker was drilling ATM near
banks’ office
2.He was noticed by a police patrol in a middle
of a day
3.He started to run and destroy evidence
4.He was tearing some cables, breaking down
his laptop and some small box
5.After arrest he didn't say a word
BANK REQUEST FOR ASSISTANCE
Security Analyst Summit 2017

18. Source: http://answerpro.ru/services/hardware-development/cerber-ndc-lock/#servicesSecurity Analyst Summit 2017
Hole

19. Source: http://answerpro.ru/services/hardware-­development/cerber-­ndc-­lock/#servicesSecurity Analyst Summit 2017
Cables

20. Source: http://answerpro.ru/services/hardware-­development/cerber-­ndc-­lock/#servicesSecurity Analyst Summit 2017
Later: several cases in EU

21. MAIN QUESTION TO EXPERTS
WTF was he doing?!!
Security Analyst Summit 2017

22. SDC Bus

23. CHALLENGES
1. RS485
2. 9-­bits
3. Port speed
4. Encryption
5. Protocol
You will make it, right?
Security Analyst Summit 2017

24. OUR LAB FOR 5 WEEKS

25. Challenge: find a bus speed

26. Security Analyst Summit 2017
LOGIC ANALYSER

27. SDC BUS STREAM

28. Security Analyst Summit 2017
Every device has an address
Decrypted codes for dispensing are hidden in equation

29. 0x0C0 Wait for a big request and reply first with inject in response:
0x0C1 0x001 0x0AA PAUSE 0x189 0x0F7 GIVE ME THE MONEY!
SDC BUS STREAM INJECTION

30. Development

31. Teamwork

32. Testing

39. We were able to reproduce attack with all
seized items from construction worker

40. BOARD IS CONNECTED TO ANY ATM DEVICE
POWER UP
WAITING FOR A
BIG REQUEST…
!!!INJECTION!!!
TRTRTRTRTRTRTRTR
TRRTRTRTRTRTRTTR
!!!!I’M RICH!!!))))

41. Security Analyst Summit 2017
Chill out…

42. Sergey (k1k) Golovanov
Igor (igosha) Soumenkov
Electrical engineers
Kaspersky Lab
Thank you!