The ATM Malware Update
Banks continue to come under designed attack from malware and APTs.
Indeed, the prevalence of financial malware is more than double that of ransomware. Overall, the cybersecurity threat landscape has made significant advancements to target verticals with high value assets and business models, making the financial sector in general a prime target.
Hackers are innovative, and the volume of attacks continues to increase, whether conducted as financial malware, phishing, or malvertising. A new twist has been the additional threats that are well hidden and can impact a business unseen. Malicious actors are using tactics based on steganography, an ancient art involving the practice of concealing messages or information within other non-secret text or data. Malware thus disguised can execute and move laterally with lightning speed, wreaking havoc and costing money in a small window of time.
In the devious way that cybercrime programs tend to operate, one specific malicious program can infect an organization with multiple objectives. It can not only successfully exfiltrate data and steal money, but can also observe and capture victims’ online behavior and activities to develop future malware targeted at that specific bank or institution.
The recent emergence of IcedID is a case in point. This malware is being used to aggressively target banks in the US and UK, along with other targets such as payment card and mobile service providers.
IcedID is a new banking Trojan that can steal data via both redirection and web injection attacks, spreading over networks to infect terminal servers. IcedID doesn’t only steal data, it also spies on targets and this information will likely be used to develop a very customized malware that will exploit vulnerabilities unique to a specific bank.
Such are some of the unique features and challenges of cybersecurity for banks and the financial sector. Looking at ATMs specifically, there are some very unique and specific threats aimed at these machines due to their unique vulnerabilities.
ATMs – Middleware is the Weak Spot
For context, Europol’s European Cybercrime Centre (EC3) recently released a report on the ATM malware landscape. This builds on the 2016 report that was privately released to financial institutions and law enforcement agencies globally. The report digs into the depth and breadth of malware targeting ATMs, as well as the perpetrators behind the attacks.
What the report makes clear is that there is a common denominator in much of the ATM malware active today – it’s the XFS (extensions for financial services) middleware. Middleware providers use the XFS standard to create a client-server architecture for financial applications on Microsoft Windows platforms. Financial applications through the XFS manager using XFS APIs communicate with peripherals such as PIN pads, cash dispensers, and receipt printers. This middleware is the connective tissue within many ATMs regardless of make, model or vendor. Exploiting the universality of XFS to “jackpot” ATMs equates to a huge ROI for malware developers as they can conduct one or many campaigns.
It’s becoming easier and easier to successfully target ATMs, there are both hardware and software vulnerabilities to exploit and malware kits are widely available if one knows where to look. At the moment ready-made ATM malware is being sold on the Darknet market for approximately $5,000, which is quite affordable considering the potential payoff.
Kaspersky Lab discovered the post advertising the malware, dubbed Cutlet Maker. The brief description and detailed manual available with the toolkit indicates that the malware targets specific and various ATM models with the help of a vendor API, removing the need to interact with ATM users and their data. Simply put, this malware does not impact bank customers directly – rather it tricks the bank ATMs into releasing cash without authorization.
ATM Malware is in a constant state of adaptation. It is becoming increasingly subtle and incorporating code obfuscation methods such as software packers, virtual machines, and sandbox detectors – previously seen in the world of general malware. Another trick to disguise malware is reusing common libraries that are part of the legitimate OS. This is how ATMii malware operates and remains responsive to the Windows version on which it runs.
The Reality Split
What’s disturbing about cybersecurity in banks and financial institutions is the disparity between what the public believes to be the case, and what the reality actually is.
A recent global survey found that less than 30% of banks and insurers have both strong data privacy practices and a sound security strategy. Almost 80% of the respondents are not highly confident that they can detect a cybersecurity breach. Yet the vast majority of consumers (83%) trust that banks and insurers are taking care of their data properly.
25% of institutions surveyed report being a victim of a hack, yet only 3% of consumers believe that their own bank or insurer has ever been breached.
Clearly, there is a disconnect between public belief and reality. The imminent GDPR related changes will improve transparency, which will erode this trust as the public becomes aware of just how weak the security measures at their banks actually are. This same survey offers some other very compelling statistics: 74% of consumers would switch their bank or insurer in the event of a data breach. Between the threat of steep regulatory fines and penalties and the potential significant loss of customers, banks and financial services institutions simply must improve their methods for detecting and addressing breaches in cybersecurity.
The malware targeting ATMs isn’t going away, rather it will continue to evolve and adapt. Whether it is bank customers or banks themselves who pay the price, the reality is that hackers will continue to find success in their ATM heists.
Banks would be advised to start taking proactive steps to hunt down malware that’s residing undetected on ATMs as we speak. For any organization that has not already adopted a hunt capability, now is the time.
The myths that have long surrounded security are being dismantled. Security is not an ‘’add-on’’ cost, nor can it be bolted on after the fact. Security is an inherent part of the fabric of any enterprise today, most especially ones that transact in the public’s money.
Security must be factored as part of the baseline functionality of a business, part of C level planning and approached with enough time and resources devoted to it to enable security to be done right. It is not easy, nor simple, and both defenses and offensive/proactive capabilities should be planned and budgeted.
An excellent start is to use a scalable solution like Infocyte HUNT to sweep endpoints looking for malware and APTs that have overcome or evaded the existing defenses. Once found, these threats can be neutralized.
Security as we know it is dead, there simply is no way to adequately protect assets using defensive solutions. Instead, cyber awareness should be the goal. It’s better to know what you’re dealing with than to fly blind. Start finding out what’s actually hiding on your endpoints with Infocyte HUNT.
Find out more about Cybersecurity in the Financial Sector, and forecasts for 2018 here.