PacSec2017

1. Заголовок
ptsecurity.com
7 sins of ATM
protection against logical attacks
Timur Yunusov
Senior expert

2. Заголовокwhoami
• Positive Technologies (from 2009)
• Application security researcher (from 2009)
• Banking systems security senior expert (from 2012)
• Always in search/research ;)

3. Заголовокwhoami
• Positive Technologies (from 2009)
• Application security researcher (from 2009)
• Banking systems security senior expert (from 2012)
• Big fan of #nullcon
• Always in search/research ;)
10+ ATMs for the last year

4. ЗаголовокATM security assessment

5. Заголовок7 sins
• Kiosk bypass techniques
• Privilege escalation techniques
• Application control software bypass
• Network physical layer
• Device management
• Booting process
• Logical vulnerabilities
• OS / Software vulns /
Kiosk mode bypass
• Network attacks
• Hardware attacks
Hardware
Network
OS

6. ЗаголовокBlackbox
Blackbox is
dead

7. ЗаголовокBlackbox
Blackbox is
dead

8. ЗаголовокBlackbox
Blackbox is (almost)
dead (for researchers)
Have strong
crypto btw
dispenser and
OS?
BB is not
possible
BB is
possible
Yes No

9. ЗаголовокKiosk mode bypass
Kiosk mode bypass
Windows XP/7

10. ЗаголовокKiosk mode bypass
• Safe mode
• Hotkeys
• Windows Plug&Play
• Race condition

11. ЗаголовокSafe mode
• F8 + Safe mode with command line
• DS restore mode
• AC/DC fun

12. ЗаголовокHotkeys
• Win+R

13. ЗаголовокHotkeys
• Win+R
• Alt+Tab
• Alt+F4
• Alt+Shift+ESC
• F1-F12
• Shift x5 (Windows 7 only)
• Win+(etc)
http://www.techrepublic.com/blog/windows-and-office/the-
complete-list-of-windows-logo-keyboard-shortcuts/

14. ЗаголовокAlwaysOnTop
This ATM is Out Of Service,
Sorry for inconvenience

15. ЗаголовокAlwaysOnTop
• Disabling mouse icon
• AlwaysOnTop
This ATM is Out Of Service,
Sorry for inconvenience

16. ЗаголовокP&P

17. ЗаголовокP&P

18. ЗаголовокP&P video/screenshot

19. ЗаголовокEnd of the story

20. ЗаголовокPrivilege escalation techniques
• How exactly we extract money?

21. ЗаголовокPrivilege escalation techniques
• FS restrictions
• Local Security Policy restrictions

22. ЗаголовокPrivilege escalation techniques
• Arbitrary command execute - XFS API
• Command execute - priv escalation
• Write files/registry - modify sec configs

23. ЗаголовокPrivilege escalation techniques
• Arbitrary command execute - XFS API
• Command execute - priv escalation
• Write files/registry - modify sec configs
• Read files - ***

24. ЗаголовокApp control software bypass
Story so far…
• https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html
• https://cansecwest.com/slides/2016/
CSW2016_Freingruber_Bypassing_Application_Whitelisting.pdf

25. ЗаголовокSecurity software bypass
• McAfee Solidcore - https://www.ptsecurity.com/ww-en/about/news/131496/
• MS Applocker - http://www.blackhillsinfosec.com/?p=5257 – State of Art!
• etc (6 total different products) – stay tuned!
• 0days (5 total, in process of fixing): network, local, logical
• Misconfiguration
• Whitelist Memory Execution: IE, rundll32, powershell, java, etc

26. ЗаголовокSecurity software bypass

27. ЗаголовокNetwork
+ Firewall
VPN
TLS
MAC
• OS services
• Software services (Solidcore, UPDD, etc)
• Processing
• Track2
• Processing
• Track2
• Processing

28. ЗаголовокNetwork vulns
• VPN disabling
• Logical vulns part
• TLS disabling
• MAC disabling
• Files/registry manipulations

29. ЗаголовокNetwork/Hardware layer
• 3G industrial modem
• Long story short
http://blog.ptsecurity.com/2015/12/critical-
vulnerabilities-in-3g4g-modems.html
• Security measures
• VPN channel
• Private APN
• Result
• ATM network infection
• Processing access

30. ЗаголовокNetwork/Hardware layer
• Access to *:80
• Auth bypass
• Physical access
• Proper VPN protocols(((

31. ЗаголовокDevice mgmt
How to do all hacking stuff
much easier?

32. ЗаголовокDevice mgmt
• Keyboard/mouse
• Teensy
• Network card
• fw bypass
• plug&play
• USB drive
• local access to Exe file content
• plug&play
• MS13-081

33. ЗаголовокBooting process
The easiest way is…

34. ЗаголовокBooting process
• BIOS pwd
• Network load
• Safe mode
• Physical access
• OS access
• Same passwords story
• Bootkit
• Software skimming

35. ЗаголовокLogical vulns
How it happened?

36. ЗаголовокLogical vulns
• Security tools runs from regedit/autorun
• Shift x5
• Win+U
• Security race condition
• Hash(loooooooong file)
• exploit.exe at the same time
• Ctrl+C

37. ЗаголовокLogical vulns

38. ЗаголовокLogical vulns
• VPN disabling

39. ЗаголовокLogical vulns
• FS access is strictly prohibited

40. ЗаголовокLogical vulns
• FTP is strictly prohibited!

41. ЗаголовокSummary
Windows 7 SP1 ATM Windows XP SP3 ATM
Kiosk bypass Hotkeys/Safe mode KeyboardDisabler bypass
App control bypass 0day/Trusted soft Untrusted booting
Privilege escalation 0day/MS15-051 Untrusted booting
VPN/TLS disabling Misconfiguration/FS Untrusted booting
Social Engineering Misconfiguration/FS -
Untrusted boot BIOS accessing from OS No password
Network attacks MAC/TLS/VPN/App service MAC/TLS/VPN/OS services

42. ЗаголовокHow all that happens?
• Security through obscurity is not an option!
• You should know your landscape and your threat model
• Use compliance management tools instead of paper
• In case of impossibility of fixing vulns, use
mitigation measures like SIEM

43. ЗаголовокGreetz
• Anon guy ;-)
• Positive Technologies researchers teams:
• ICS/SCADA
• Reverse Engineering
• Banking security

44. ЗаголовокContacts
http://uk.linkedin.com/in/tyunusov
tyunusov@ptsecurity.com
a66at

45. Заголовок
Thank You!
ptsecurity.com