5. ATM Attacks
Hacker’s How To Guide
In analyzing the connections, the technicians discovered malware and content that should not have been there, and they concluded that the server was the likely network endpoint exploited by the hackers. They found there had been irregularities in the connection between the voice recording server in London and the bank's internal network and the ATM machines in Taiwan.
The bureau said that because First Bank's computer system is a closed network, it suspected that an international ring had hacked into the computer system of the bank's London branch and then obtained the account number of the ATM computer system's administrator, giving the ring access to the internal network.
After the arrival of the 10 foreign suspects, they used Google Maps to pinpoint the coordinates of the bank branches with the targeted ATMs, police said. They then used WhatsApp to report the serial number of the ATM they were about to rob to the plan's mastermind in Moscow. That individual then locked on to the machine and used the malware to get the ATMs to "spit" out bills, police have said.
In July last year, three Eastern European men were jailed in Taiwan over the theft of $2.6m (£2.1m) from cash machines around the island.
6. Case Note:
First Bank's computer system is a closed network, so it is suspected that an international ring hacked into the computer system of the bank's London branch and then obtained the account number of the ATM computer system's administrator, giving the ring access to the internal network.
7. August 1 and 8, 2016 – the Government Savings Bank (GSB) in Thailand had money stolen from 21 ATMs across several provinces.
The attackers took 12.29 million Thai baht (about US$346,000) by inserting cards carrying malware into multiple ATMs to make them spew out cash, up to 40,000 baht per transaction.
8. Case Note:
The malware is installed through the EMV chip on the bank card.
The ATM goes offline, so the bank will only see a malfunction.
This type of attack is called "jackpotting", as it empties the cash that is in the machine by bypassing authentication (so no bank account is associated or debited).
10. The researchers aren't entirely clear who's behind the attacks but, as they did in February, acknowledged that some of the group's tactics, techniques, and procedures (TTPs) bear a resemblance to methods used by the groups GCMAN and Carbanak.
11. Case Note:
In February the attackers managed to hit 140 enterprises, including banks, telecoms, and government organizations, with the fileless malware. The attackers already had remote access to the banks' networks through that malware (stage 1), but once they were inside, they dropped another piece of malware called ATMitch (stage 2) on some bank ATMs that gave them the ability to dispense money "at any time, at the touch of a button".
Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the "command.txt" file, which should be located in the same directory as the malware and is created by the attacker. If found, the malware reads the one-character content of the file and executes the respective command:
'O' – Open dispenser
'D' – Dispense
'I' – Init XFS
'U' – Unlock XFS
'S' – Setup
'E' – Exit
'G' – Get Dispenser id
'L' – Set Dispenser id
'C' – Cancel
After execution, ATMitch writes the result of the command to its log file and removes "command.txt" from the ATM's hard drive.
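The create, execute, log, delete loop described above leaves a small but distinctive trace on the ATM host. As an added example (not code from the page, from Kaspersky or from ATMitch itself), the block below hunts for that pattern in endpoint events: a process creates a file named command.txt in its own directory, writes a sibling log file and deletes command.txt seconds later, shortly after a network (RDP, logon type 10) logon. The event records are constructed for this example; their field names mirror Sysmon (11 FileCreate, 23 FileDelete) and the Windows Security log (4624), but the paths, image name and timestamps are invented, and the function names are this example's own.

```python
"""Hunt for an ATMitch-style command-file protocol in constructed endpoint events."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Command table as described on the page: one character per command.
ATMITCH_COMMANDS = {
    "O": "Open dispenser", "D": "Dispense", "I": "Init XFS", "U": "Unlock XFS",
    "S": "Setup", "E": "Exit", "G": "Get Dispenser id", "L": "Set Dispenser id",
    "C": "Cancel",
}

def parse_command_file(content: str):
    """Mimic the malware's parser: a single character mapped through the table.
    Returns the command name, or None for content the malware would not act on."""
    body = content.strip()
    if len(body) != 1:
        return None
    return ATMITCH_COMMANDS.get(body)

# Constructed sample events (not real telemetry); Sysmon 11/23 and Security 4624 shapes.
SAMPLE_EVENTS = [
    {"ts": "2017-03-01T02:10:05", "id": 4624, "logon_type": 10, "user": "ATM01\\svc_admin"},
    {"ts": "2017-03-01T02:10:41", "id": 11, "image": r"C:\ATM\xfs\tools\upd.exe",
     "path": r"C:\ATM\xfs\tools\command.txt"},
    {"ts": "2017-03-01T02:10:42", "id": 11, "image": r"C:\ATM\xfs\tools\upd.exe",
     "path": r"C:\ATM\xfs\tools\upd.log"},
    {"ts": "2017-03-01T02:10:43", "id": 23, "image": r"C:\ATM\xfs\tools\upd.exe",
     "path": r"C:\ATM\xfs\tools\command.txt"},
    # benign noise: a vendor agent creating and much later deleting a temp file
    {"ts": "2017-03-01T02:15:00", "id": 11, "image": r"C:\Program Files\Vendor\agent.exe",
     "path": r"C:\Temp\cache.tmp"},
    {"ts": "2017-03-01T03:15:00", "id": 23, "image": r"C:\Program Files\Vendor\agent.exe",
     "path": r"C:\Temp\cache.tmp"},
]

def find_command_file_activity(events, window=timedelta(seconds=30),
                               rdp_window=timedelta(minutes=15)):
    """Return one alert per image that creates and then deletes a command.txt within
    `window`. Each alert records whether the file lived in the image's own directory
    (as the page describes) and whether an RDP logon preceded it within `rdp_window`."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    rdp_logons = [e["ts"] for e in parsed if e["id"] == 4624 and e.get("logon_type") == 10]
    pending = {}   # (image, path) -> creation time of a not-yet-deleted command.txt
    alerts = []
    for e in parsed:
        if e["id"] not in (11, 23):
            continue
        path = PureWindowsPath(e["path"])
        if path.name.lower() != "command.txt":
            continue
        key = (e["image"].lower(), str(path).lower())
        if e["id"] == 11:
            pending[key] = e["ts"]
        elif key in pending:
            created = pending.pop(key)
            lifetime = e["ts"] - created
            if lifetime > window:
                continue
            alerts.append({
                "image": e["image"],
                "path": e["path"],
                "lifetime_s": lifetime.total_seconds(),
                "same_dir": PureWindowsPath(e["image"]).parent == path.parent,
                "after_rdp": any(timedelta(0) <= created - t <= rdp_window for t in rdp_logons),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_command_file_activity(SAMPLE_EVENTS):
        print(alert)
```

The short lifetime of command.txt is the key: a legitimate operator file does not appear and vanish within seconds next to an executable that is not part of the XFS vendor stack, so the `same_dir` and `after_rdp` flags are what an analyst would triage first.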
The method was a complete mystery, and the only clues left behind were files containing a single line of English text: "Take the money, bitch."
It was fast and furious, and if not for the surveillance cameras that captured the heist in action, two banks in Russia would never have known what occurred last year when eight of their ATMs were drained of cash, nearly a million dollars worth of rubles in a single night.
20. Al Quds Bank for Development and Investment vulnerable to the NSA exploit framework FUZZBUNCH (MS17-010)
21. JEEPFLEA_MARKET
TOP SECRET//SI//NOFORN
• Target: EastNets
• Country: Dubai, Belgium, Egypt
• Quad: 2
• Collection: 9 SAAs, Admins
Frontend: Regained access to employee network. (Currently have 8 CODEs and one UR.) Plans to install ZESTYLEAK on VPN Firewalls in the production network as well as find means of triggerable access.
Middleware: 2 Management Servers
Backend: Collection on 9 SAA Servers
(Diagram labels: 4 FWs, 2 Mgmt Devices, 9 SAA Servers)
22. JEEPFLEA_MARKET network diagram
Management Servers: ENSBDMGMT1, ENSBDMGMT2
Ongoing collection on 9 SAA Servers, of which 4 are shared, multi-bank SAA servers
Banks named on the diagram: Noor Islamic Bank, Tadhamon International Islamic Bank, Arcapita Bank, Kuwait Fund for Arab Economic Development, Al Quds Bank for Development & Investment
ASA Firewall: central to all Production Subnets
4 VPN Firewalls
Legend: Front End / Middleware / Back End; UR (two shown); BARGLEE
23. JEEPFLEA_POWDER
• Target: BCG
• Country: Venezuela and Panama
• Quad: 1
• Collection: None at this time
Frontend: Working on targeting Admin boxes using SECONDDATE and IRONVIPER
Middleware: None at this time
Backend: Future backend will be SAA servers
(Diagram: "No access at this time" for all three tiers)
Plans for Initial Access:
26. Case Note:
A SWIFT Service Bureau is roughly the equivalent of the cloud for banks when it comes to their SWIFT transactions and messages: the banks' transactions are hosted and managed by the Service Bureau via an Oracle database and the SWIFT software. This is why many of these Service Bureaus also offer KYC, compliance and anti-money-laundering services; they have access to all those transactions because they are the hosting entity for the SWIFT Alliance Access (SAA) of their clients.
EastNets: as a certified SWIFT Service Bureau, EastNets provides many services related to SWIFT transactions such as compliance, KYC and anti-money laundering. BCG (Business Computer Group) is the LatAm strategic partner of EastNets, serving Panama and Venezuela.
JEEPFLEA is part of the Snowden codename list.
It is very valuable for an attacker to know the relationship between the Front-End, Middleware and Backend interfaces. Remember that Cisco had to release emergency patches for ASA firewalls last year after the initial ShadowBrokers exploit releases (EPICBANANA and EXTRABACON).
Al Quds Bank for Development and Investment, a bank based in Ramallah, Palestine, appears as a target; its host was running Windows Server 2008 R2, which is vulnerable to the exploit catalog of the FUZZBUNCH exploit framework (the document was written in 2013).
30. It's worth mentioning here that Lazarus used other false flags in conjunction with this Russian exploit code. They also used some Russian words in one of the backdoors and packed the malware with a commercial protector (Enigma) developed by a Russian author. However, the Russian words in the backdoor looked like a very cheap imitation, because every native Russian-speaking software developer quickly noticed how odd these commands were.
32. Vendors such as SWIFT and Oracle should use protected process features.
The Bangladesh Bank heist was also enabled by a 2-byte patch in liboradb.dll.
Prevent arbitrary memory injection into a process from another user-land process.
Anything else?
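As an added example (not code from the page, and not the real DLL), the block below emulates what a two-byte patch of this kind does and shows the loaded-image-versus-on-disk comparison that an integrity check would perform to catch it. It assumes the patch reported in public analysis of the Bangladesh Bank malware: a conditional jump (`75 04`, jnz +4) replaced by two NOPs (`90 90`) so that a failing check always falls through as success. The code stub, the minimal x86 interpreter and the function names are this example's own, constructed to be just large enough to run.

```python
"""Emulate a two-byte jnz -> nop nop patch on a constructed x86 stub and detect it."""
import hashlib

# Constructed stand-in for a validation routine (not liboradb.dll):
#   85 C0      test eax,eax      ; eax = error code, 0 means "no error"
#   75 04      jnz  +4           ; error -> jump to the failure branch
#   B0 01      mov  al,1         ; success branch
#   EB 02      jmp  +2           ; skip the failure branch
#   B0 00      mov  al,0         ; failure branch
#   C3         ret
CONSTRUCTED_CHECK = bytes.fromhex("85c0 7504 b001 eb02 b000 c3")

def run_check(code: bytes, eax: int) -> int:
    """Run the stub with a minimal interpreter covering only the opcodes it uses
    (test eax,eax / jnz rel8 / jmp rel8 / mov al,imm8 / nop / ret).
    Returns the value left in AL: 1 = check passed, 0 = check failed."""
    ip, al, zf = 0, None, None
    while True:
        op = code[ip]
        if code[ip:ip + 2] == b"\x85\xc0":            # test eax,eax -> ZF
            zf = (eax & 0xFFFFFFFF) == 0
            ip += 2
        elif op == 0x75:                               # jnz rel8
            rel = int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
            ip += 2
            if not zf:
                ip += rel
        elif op == 0xEB:                               # jmp rel8
            rel = int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
            ip += 2 + rel
        elif op == 0xB0:                               # mov al,imm8
            al = code[ip + 1]
            ip += 2
        elif op == 0x90:                               # nop
            ip += 1
        elif op == 0xC3:                               # ret
            return al
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {ip}")

def nop_out_jnz(image: bytes, offset: int) -> bytes:
    """Apply the attacker's patch: overwrite the 2-byte jnz at `offset` with two NOPs.
    Refuses to touch anything that is not a 75 xx jnz, so the emulation stays honest."""
    if image[offset] != 0x75:
        raise ValueError("no jnz at offset")
    return image[:offset] + b"\x90\x90" + image[offset + 2:]

def image_diff(on_disk: bytes, in_memory: bytes):
    """Integrity check: compare a loaded image against its on-disk copy and return
    (offset, original_bytes, patched_bytes) for every run of modified bytes."""
    diffs, start = [], None
    for i, (a, b) in enumerate(zip(on_disk, in_memory)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            diffs.append((start, on_disk[start:i], in_memory[start:i]))
            start = None
    if start is not None:
        diffs.append((start, on_disk[start:], in_memory[start:]))
    return diffs

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    patched = nop_out_jnz(CONSTRUCTED_CHECK, 2)
    print("original, error code 5 ->", run_check(CONSTRUCTED_CHECK, 5))
    print("patched,  error code 5 ->", run_check(patched, 5))
    print("modified runs:", image_diff(CONSTRUCTED_CHECK, patched))
    print("hash match:", sha256(CONSTRUCTED_CHECK) == sha256(patched))
```

A whole-file hash tells you only that something changed; the byte-level diff is what tells the responder that the change is exactly a disabled branch, which is the signature of this class of tampering. Protected-process features address the same problem from the other side by stopping an unprivileged user-land process from writing into the target's memory in the first place.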
33. Why Are Hackers Winning The Security Game?
"On the Internet, attack is easier than defense. There are a bunch of reasons for this, but primarily it's:
the complexity of modern networked computer systems;
the attacker's ability to choose the time and method of the attack versus the defender's necessity to secure against every type of attack."
Bruce Schneier
34. What Does A CISO Do?
At least 85 per cent of the targeted cyber-intrusions it responds to could be mitigated by four basic strategies:
Use application whitelisting to help prevent malicious software and unapproved programs from running
Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
Patch operating system vulnerabilities
Restrict administrative privileges to operating systems and applications, based on user duties
Australian Government Department of Defence
35. References
Martijn van der Heide, ThaiCERT
VISA Payment Fraud Disruption Technical Analysis
@x0rz, @msuiche, @ShadowBrokers, @EquationGroup, Kaspersky Lab