Examining cutting edge ATM software attacks

A new ATM jackpotting variant is on the rise in Mexico. How can operators stop it?

by Mark Aldred, Head of Sales, Auriga

A recent report from the cybersecurity company MetabaseQ reveals a new ATM jackpotting malware variant, dubbed FIXS, infecting ATMs in Mexico.

ATM jackpotting attacks use malware to make an ATM dispense large amounts of cash without a credit or debit card ever being used.

FIXS: New malware, old techniques

Identified in February 2023, FIXS uses techniques and tactics similar to those of previous ATM malware families such as Ploutus, Tyupkin, Alice, Ripper and Cobalt.

FIXS gains fraudulent access to the XFS (eXtended Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.

By connecting to the XFS layer, FIXS sends commands directly to the ATM dispenser to cash it out, fully bypassing the transaction authorization process.

Because it works through the XFS layer, FIXS is also multi-vendor malware, able to attack ATMs from multiple vendors and models.

Dissecting FIXS

FIXS is packaged in a dropper that masquerades as a common system executable, conhost.exe. The dropper embeds the malware, which is extracted and copied to the ATM file system in a hardcoded temporary directory as FIXS.exe.

FIXS.exe uses the MSXFS.dll library, which lets it interact freely with the XFS API and therefore send commands to ATM hardware such as the dispenser. Because MSXFS.dll is present on any ATM implementing the CEN-XFS standard, the malware is multi-vendor.

Interaction with FIXS happens through a connected keyboard, which launches the malware's GUI and allows the attacker to display information about the cash units and send dispensing commands.

From infection to execution

An ATM jackpotting attack is extremely sophisticated and relies on in-depth knowledge of the software stack and hardware setup of ATMs. The attack life-cycle has four phases, from preparation through infection and persistence to the final execution that achieves the cash-out. Physical access to the ATM is a key factor for the attack.

Preparation: An attack starts with a cybercriminal stealing or acquiring a hard drive from a production ATM. This contains the entire software stack used by the financial institution, which the attacker can analyze and reverse engineer to prepare a targeted attack.

Infection: With their malware developed, the threat actor infects an ATM or ASST by physically accessing the device through external keyboards and USB sticks. They either access the running operating system online and copy the malware onto it, or use an offline method: boot from an external USB device, mount the ATM hard drive and copy the malware.

Persistence: The malware must be persistent so that it runs automatically at ATM startup. This is achieved by replacing legitimate system executables or by configuring autorun at startup. The malware then runs in the background, waiting for an activation code, with full access to the XFS middleware to send commands to the dispenser.

Execution and clean up: Now the illegitimate extraction of cash can happen. Other threat actors, the so-called "money mules," physically access the ATM and enter an activation code that wakes up the malware by activating a graphical user interface (GUI). Other activation methods include the pinpad itself, counterfeit cards, or even connecting a mobile device and receiving an SMS. Once the "refund" is complete, some malware runs a cleanup/uninstall routine to remove traces of the attack.

OS vulnerability

Some believe ATMs running outdated and unsupported operating systems like Windows XP or Windows 7 are more vulnerable.

While migrating to Windows 10 and keeping patches up to date is essential, Windows 10 ATMs are just as vulnerable as those running Windows 7 or XP.

ATM malware is highly targeted and does not exploit operating system vulnerabilities, but rather design weaknesses in the ATM software stack, such as the lack of authentication in the XFS layer.

Every organization operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential.

Availability vs security

The saying "if it works, don't touch it" is especially relevant in a critical service environment like ATMs. Any edits or updates to ATM software and hardware must always be made in a controlled manner.

However, the lack of proactive update policies, combined with the physical accessibility of ATMs, creates an inherently vulnerable environment that makes ATM devices very difficult to protect with traditional security technologies.

It is essential to understand that these characteristics or limitations are inherent to this type of device, for example 24x7 ease of use and accessibility. What we must do is define a security strategy appropriate to the environment we want to protect and turn the weaknesses into strengths.

The zero trust solution

"Zero Trust" assumes your infrastructure will be compromised, and the concept of "never trust, always verify" should be applied to prevent ATM jackpotting and other attacks on ATMs and ASSTs.

The Zero Trust model makes worst-case assumptions about the vulnerability of the infrastructure that manages ATM and ASST devices, for example that the remote access system can be manipulated, or that the maintenance technician or the end user can be an attacker.

Auriga advises that the most critical points in designing a robust Zero Trust ATM and ASST protection model are:

  • Drastic reduction of the attack surface: access to software, hardware and communications is continuously verified and only granted to the minimum set of legitimate resources.
  • Tight control of changes in the ATM: block any attempt to change software or hardware that has not been explicitly authorized. Hardware changes made by third-party companies with physical access to the ATM should only be possible in authorized time periods, during which a specific security policy that allows changes is applied, and subject to full monitoring of technical operations.
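The "minimum set of legitimate resources" principle above can be turned into concrete detection logic for the FIXS indicators described earlier (a conhost.exe masquerade, an executable in a temporary directory, and a process other than the ATM application loading MSXFS.dll). The following is an added illustration, not Auriga's product nor code from the article; the process inventory format, the allowlisted path and the sample records are all constructed assumptions.

```python
from pathlib import PureWindowsPath

# Hypothetical allowlist: the only ATM application binary allowed to use the XFS layer.
XFS_ALLOWLIST = {r"c:\atm\app\atmapp.exe"}            # placeholder path, not from the article
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def _norm(path):
    """Lower-case a Windows path with consistent backslashes for comparison."""
    return str(PureWindowsPath(path)).lower()


def findings_for(proc):
    """Return (rule, detail) tuples for one process record; an empty list means clean."""
    path = _norm(proc["path"])
    parent = str(PureWindowsPath(path).parent)
    module_names = {PureWindowsPath(_norm(m)).name for m in proc.get("modules", [])}
    out = []
    # Rule 1: a system executable name (conhost.exe) running outside the system directories
    if PureWindowsPath(path).name == "conhost.exe" and parent not in SYSTEM_DIRS:
        out.append(("masquerade", path))
    # Rule 2: msxfs.dll loaded by a process that is not the allowlisted ATM application
    if "msxfs.dll" in module_names and path not in XFS_ALLOWLIST:
        out.append(("unauthorized_xfs_client", path))
    # Rule 3: an executable launched from a temporary directory
    if any(marker in path for marker in TEMP_MARKERS):
        out.append(("exec_from_temp", path))
    return out


def scan(inventory):
    """Map each suspicious process path to its findings; clean processes are omitted."""
    report = {}
    for proc in inventory:
        hits = findings_for(proc)
        if hits:
            report[proc["path"]] = hits
    return report


# Constructed sample inventory (not real telemetry): the legitimate conhost.exe, the
# allowlisted ATM application, a masquerading copy of conhost.exe and a temp-dir binary.
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\conhost.exe", "modules": []},
    {"path": r"C:\ATM\App\atmapp.exe", "modules": [r"C:\Windows\System32\msxfs.dll"]},
    {"path": r"C:\Users\Public\conhost.exe", "modules": []},
    {"path": r"C:\Windows\Temp\payload.exe", "modules": [r"C:\Windows\System32\msxfs.dll"]},
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_INVENTORY).items():
        print(path, [rule for rule, _ in hits])
```

In practice the inventory would come from an EDR export or a Sysmon image-load feed, and the allowlist from the ATM's change-controlled software baseline.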

Mark Aldred

Mark Aldred is Vice President of Sales, International for Auriga.
