Atm & Payments Innovation Summit 2018 Atm Jackpotting

Transcription

ATM & PAYMENTS INNOVATION SUMMIT 2018
ATM JACKPOTTING: ADAPTING TO THE FUTURE OF MALWARE
Juan Jesús León - GMV
Copyright GMV 2018. All rights reserved

ATM JACKPOTTING - ADAPTING TO THE FUTURE OF MALWARE
INTRODUCTION

WHO IS GMV
- A global high-tech technology group
- Multinational technology group, headquarters in ies in 11 countries
- CMMI level 5
- Roots tied to Space
- 160M worldwide revenue
- Founded in 1984
- Aeronautics, Space, Defense, Security, Transportation, Healthcare, Banking & finances, and ICT industries
- www.gmv.com
- Leader ATM logical security vendor: CHECKER ATM SECURITY, deployed in 35 countries and 150,000 ATMs

TODAY WE WILL ADDRESS
- ATM cyber threats and protections
  - Malware, black-box and network intrusions
  - State-of-the-art protections
- ATM cyber attacks today
  - The “comfort zone”
  - The “war zone”
- Adapting to the future
EAST FCS Seminar 2018

ATM JACKPOTTING - ADAPTING TO THE FUTURE OF MALWARE
ATM CYBER THREATS & PROTECTIONS

ATM CYBER THREATS
Black n the rise

ATM CYBER THREATS
Jackpotting cash-out: Malware vs. Black Box
- Malware requires bypassing the protection of the ATM software stack in order to run malware on the actual ATM PC, since that PC is already trusted by the dispenser.
- Black Box means BYOD with all the tools necessary to dispense, but requires re-pairing the fraudster’s PC with the dispenser.
Network attacks
- Penetrate the bank network to eventually reach the ATM network: it is like conquering the fortress just to access the safe.
- Options: using insiders, infecting from external systems, using a criminal organization’s hacking resources, using available ATM software to remotely command cash-outs.

ATM CYBER PROTECTION
A. Windows hardening
- Remove unnecessary applications, services & components
- Remove unnecessary users, accounts & privileges
- Reasonable OS patching policy in place
B. Cyber protection
- Whitelisting
- Integrity control
- Device control
- Hard disk encryption
- Integrated firewall
- Security event monitoring
- Surveillance cameras
C. Dispenser protection
- Dispenser must authenticate all PC commands
- Re-pairing requires secure access (e.g. safe)
- Strict dispenser firmware patching policy in place

ATM JACKPOTTING - ADAPTING TO THE FUTURE OF MALWARE
ATM CYBER ATTACKS TODAY

COMFORT ZONE vs. WAR ZONE
(Figure: scale from Comfort zone through Risk zone to War zone)

THE COMFORT ZONE
MALWARE ATTACK – COMFORT ZONE
Typical attack:
- Infect with malware using a USB pendrive
- Run malware using the keyboard
- Disable defenses if needed
Typical protection:
- Disable untrusted USB
- Prevent unknown programs from running
- Disable keyboards
- Watch for offline
Typical vulnerability:
- No active protection
- Incomplete security policies
- Lenient security policies

THE COMFORT ZONE
BLACK BOX ATTACK – COMFORT ZONE
Typical attack:
- Open top box or hole in fascia
- Connect black box to dispenser
- Re-pair if connection is encrypted
- Downgrade dispenser firmware if needed
Typical protection:
- Encryption between dispenser and PC
- Common key used to authenticate PC to dispenser
- Patch dispenser firmware regularly
Typical vulnerability:
- None or limited encryption
- Low protection level (logical)
- Vulnerable re-pairing procedure

THE COMFORT ZONE
NETWORK INTRUSION – RISK ZONE
Typical attack:
- Insider takes control of the SW distribution server and the SW cyber-protection server
Typical protection:
- Segregated ATM network
- Active security monitoring
- Segregation of duties
Typical vulnerability:
- Inadequate personnel screening
- Inadequate procedural controls

WAR ZONE EXCLUSIVES!!
ENTER THE WAR ZONE

WAR ZONE EXCLUSIVE 1: REFINED INFECTION
BYPASS USB PROTECTION
Network-based storage:
- Use a micro-PC (LattePanda, Intel NUC) with attached network storage
- Connect to the ATM network via RJ45 and enable file sharing (SMB, NetBIOS)
Abuse Windows features:
- An example is WPD (Windows Portable Devices), a plug-and-play feature for devices such as cameras and phones that automatically loads drivers and device files into the PC
- A complete Windows hardening is a very complex task

WAR ZONE EXCLUSIVE 2: REFINED EXECUTION
BYPASS WHITELISTING
Keyboard emulator:
- Executes complex commands by emulating a keyboard with preprogrammed keystrokes in order to command a cash-out
- Typically Arduino based
- Takes advantage of general-purpose tools already present on the ATM PC (cmd.exe, regedit.exe, explorer.exe)

WAR ZONE EXCLUSIVE 3: REFINED SECURITY BYPASS
RE-PAIRING BLACK BOXES
Endoscope attack:
- The cover of the cash dispense shutter is unscrewed and damaged
- An endoscope with a magnet or knob on its tip is inserted through the damaged shutter
- The tip of the endoscope touches a sensor or pushes a button or toggle, depending on the model, so as to trick the ATM into believing that the vault is open
- The black box can then be paired with the dispenser
Firmware downgrade:
- So that physical access to the safe is no longer required to re-pair
- Presentation at Black Hat USA 2018. Patch available from manufacturer.

WAR ZONE EXCLUSIVE 4: REFINED INTRUSION
NETWORK INTRUSION
Hack the bank!
- Sophisticated intrusion into the bank’s network, typically by a resourceful criminal organization
- Escalate and move through the network until all necessary servers are under control
- Remotely command cash-outs coordinated with mules. No specific ATM malware is required.
(Source: TrendLabs, Cashing in on ATM Malware)

WAR ZONE EXCLUSIVE 5: REFINED HOUSEKEEPING
CROOKS KEEP ONE STEP AHEAD
Preventing forensic analysis:
- A good understanding of the attack is mandatory to understand how to protect
- When crooks find a new way to insert and/or execute malware, they take their time to ensure all traces are deleted after the attack
- They definitely know how to do this

ATM JACKPOTTING - ADAPTING TO THE FUTURE OF MALWARE
ADAPTING TO THE FUTURE

WAR ZONE: LESSONS LEARNT
- Today ATMs can be reasonably, but not perfectly, protected.
- Most relevant: efficient operation of an ATM network requires some leniency in the security policies, e.g.:
  - Allow USBs and administrative/diagnosis tools used for on-site support.
  - Allow network file sharing and other remote services used for remote support.
- In practice, the needs for protection and efficient operation involve a trade-off. Attackers are taking advantage of the fact that protection must coexist with dynamic operations.

BEHAVIOUR ANALYSIS
Malware is in the ATM. But not everything is lost!
- In the real world malware will enter through any security breach. We need a final barrier.
- ATMs are quite stable execution environments: good candidates for behaviour analysis.
- ATM transaction workflows are especially stable: even better candidates.
- Jackpotting involves strong anomalies in ATM behaviour. Detection of those anomalies is the key.
- ATM network complexity challenge: manufacturers, models, operating systems and applications could make behaviour analysis non-viable.

XFS BEHAVIOUR ANALYSIS
- XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.
- Mitigates to some extent the challenge resulting from the complexity of large ATM networks.
- Multivendor solution by design.
- Every XFS request can be analyzed and filtered.
- Symbiotic relationship with a whitelisting solution. Together they are stronger.
- XFS: standard layer for ATM real-time anomaly detection.
(Diagram layers: ATM Application and Malware, XFS Filter, XFS APIs, XFS Manager, XFS SPIs, Service providers)
Transaction log shown on the slide:
  24/01/17 16:36:56 INIT TRANSACTION
  24/01/17 16:36:56 CARD EMV: ************3688
  24/01/17 16:37:02 VALIDATE TRANSACTION.
  24/01/17 16:37:16 ASK PIN.
  24/01/17 16:37:19 ASK PIN FINISHED.
  24/01/17 16:37:19 PIN BLOCK.
  24/01/17 16:37:20 PIN BLOCK FINISHED.
  24/01/17 16:37:20 VALIDATE TRANSACTION.
  24/01/17 16:37:20 COORDINATION NUMBER SENT: 9
  24/01/17 16:37:20 BUFFER AMOUNT: 00000050
  24/01/17 16:37:21 TRANSACTION REQUEST: AABB AA
  24/01/17 16:37:25 HOST ANSWER. STATUS: A12. FUNCTION: U
  24/01/17 16:37:25 TRANSACTION CURRENCY CODE: 0484.
  24/01/17 16:37:25 TRANSACTION EXPONENT: 02.
  24/01/17 16:37:25 TRANSACTION TYPE: 01.
  24/01/17 16:37:25 TRANSACTION CATEGORY CODE: 5A.
  24/01/17 16:37:26 OBTAINING PIN TRY COUNTER: 9F170105
  24/01/17 16:37:26 READING INTERNATIONAL CVM [VD]
  24/01/17 16:37:26 READING INTERNATIONAL IACS [VD]
  24/01/17 16:37:26 FINISH PROCESS EMV RESPONSE.
  24/01/17 16:37:26 HOST ANSWER. STATUS: 426 FUNCTION: 2
  24/01/17 16:37:26 NOTE DISPENSE: 01000000
  24/01/17 16:37:36 NOTES PRESENTED
  24/01/17 16:37:46 NOTES EXTRACTED
  24/01/17 16:37:51 COMMAND EJECT CARD.
  24/01/17 16:37:53 COMMAND EJECT CARD FINISHED.
  24/01/17 16:37:54 CARD EXTRACTED
  24/01/17 16:37:54 END TRANSACTION
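The slide's point is that the transaction workflow is stable enough to check every dispense request against it. The following is an added example, not GMV's or Checker's code: a small Python state machine that flags any NOTE DISPENSE which is not preceded, within the same transaction, by INIT TRANSACTION, PIN BLOCK FINISHED and HOST ANSWER. The rule set and the log format regex are my assumptions; the sample trace is constructed from the slide's log lines plus two made-up anomalous events.

```python
import re

# Assumed log format, taken from the slide: "dd/mm/yy HH:MM:SS EVENT"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)$")

# Events a legitimate withdrawal produces before the dispenser is driven (assumed rule set)
REQUIRED_BEFORE_DISPENSE = ("INIT TRANSACTION", "PIN BLOCK FINISHED", "HOST ANSWER")

def parse(lines):
    """Yield (timestamp, event) pairs; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def find_anomalies(lines):
    """Return [(timestamp, reason)] for every NOTE DISPENSE that is not
    preceded, inside the same transaction, by the required events."""
    in_txn, seen, anomalies = False, [], []
    for ts, event in parse(lines):
        if event.startswith("INIT TRANSACTION"):
            in_txn, seen = True, []          # new transaction: reset the history
        elif event.startswith("END TRANSACTION"):
            in_txn, seen = False, []         # nothing may dispense after this
        elif event.startswith("NOTE DISPENSE"):
            if not in_txn:
                anomalies.append((ts, "dispense outside of a transaction"))
            else:
                missing = [e for e in REQUIRED_BEFORE_DISPENSE
                           if not any(s.startswith(e) for s in seen)]
                if missing:
                    anomalies.append((ts, "dispense before " + ", ".join(missing)))
        seen.append(event)
    return anomalies

# Constructed trace, abridged from the log lines on the slide.
LEGIT_TRACE = [
    "24/01/17 16:36:56 INIT TRANSACTION",
    "24/01/17 16:37:20 PIN BLOCK FINISHED.",
    "24/01/17 16:37:26 HOST ANSWER. STATUS: 426 FUNCTION: 2",
    "24/01/17 16:37:26 NOTE DISPENSE: 01000000",
    "24/01/17 16:37:36 NOTES PRESENTED",
    "24/01/17 16:37:54 END TRANSACTION",
]
# Constructed jackpotting-style events: a dispense with no transaction open, then one that skipped PIN entry and host approval.
JACKPOT_TRACE = LEGIT_TRACE + [
    "24/01/17 16:40:01 NOTE DISPENSE: 40000000",
    "24/01/17 16:40:05 INIT TRANSACTION",
    "24/01/17 16:40:06 NOTE DISPENSE: 40000000",
    "24/01/17 16:40:20 END TRANSACTION",
]
```

Running `find_anomalies(JACKPOT_TRACE)` reports the two constructed dispenses and nothing for the legitimate trace; a real XFS filter would apply the same check to the dispense request before forwarding it to the service provider.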

KEEP YOURSELF INFORMED!
New version available soon!
Thank you!
jjleon@gmv.com
