Who’s Still Robbing ATMs with USB Sticks?

Who’s Still Robbing ATMs with USB Sticks?

(Updated by Endah)
EurosHere’s one quick way to rob a bank, over and over again.
Find an ATM running Windows XP. Skeptical? Don’t be, they’re still installed all around the world. Next, cut a piece from its chassis to expose its USB port. On your own USB stick, you’ll have malware stored that will load the moment you force the ATM to reboot, rewriting the old operating system’s registry.
From that point, it’s easy. Replace the cut-out chassis piece. Wait a day or two until the ATM is reloaded with cash. Then step right up, use the hidden menu you’ve installed to cut the machine’s network connection, extract its cash and wipe your tracks completely.

Easy enough? A pair of German security researchers speaking at the Chaos Communication Congress (CCC) demonstrated precisely this system on Friday, reconstructed from malware discovered in the wild on an undisclosed number of ATMs.

It’s hardly a new vector of attack. Indeed, ATMs have been vulnerable to high-tech theft for years. What was striking, the researchers said, was that so many banks were still using such old, vulnerable technology, leaving themselves open to increasingly sophisticated high-tech criminal groups
The researchers – who asked that their names be withheld, citing concerns about revealing their identities to a criminal organization – said they had been contacted earlier this year after the malware was found, and asked if they could recreate its functions or discover how the hack had taken place.
Provided with an infected image from an infected machine, the pair spent considerable time reconstructing the features of the malware. As demonstrated here at the CCC, it allowed an attacker to enter a code into an infected ATM and bring up a menu giving direct manual access to the machine’s money-dispensing functions.
Along with recreating the malware itself, the team conducted a forensic analysis offering some additional insight into the as-yet-unidentified group responsible. Creation of the code would have required a large team with varied programming skills, they said. A fairly significant amount of time and money had almost certainly been invested in the project.

“For sure, they had to have a profound knowledge of ATMs,” said “S,” one member of the research team. “Most likely they actually had one to test. Either they stole one and reverse engineered the cash client, or most likely, they had someone on the inside.”

The code was clean and written in a sophisticated style, and had clearly gone through several generations of improvements, they said. The malware’s programmers had created hurdles to forensic analysis, trying to cover their tracks, but had clearly not been entirely successful in this regard.
As researchers working solely with the malware itself, the team said they had no clear sense of how widespread the attack had been. The malware they had worked with had been written specifically for a single bank’s cash-delivery software. But virtually any such software running on an unprotected Windows XP-based system would conceivably be vulnerable, they said.

The malware evidently had at least the theoretical capability to intercept information such as customer PIN numbers or account data. However, it did not do so, the researchers said. Rather, it was designed primarily for the immediate extraction of cash.

Since the discovery of the attack, some banks have implemented upgrades preventing their teller machines from booting directly from a USB port. However, given the vast number of ATMs worldwide, and the tendency for such fixes to filter relatively slowly from advanced to developing counties, the number of vulnerable machines will likely remain large for some time to come, the team said.
“I’m not sure this is the end attack, or the end game,” said “S.” “We’ll probably see this kind of malware on another bank, in another city, on another continent.”

The team did not disclose which bank had been affected, or which country or countries the malware had been discovered in. Revealing the means of attack was itself controversial, they said, but should ultimately help make ATMs more secure.

“It’s no use keeping vulnerabilities secret,” said “T”, the second member of the research team. “They should be talked about openly, so they can be fixed.”