Two Soylentils submitted stories about recently-disclosed attacks against ATMs [Automated Teller Machines].
Self-Deleting Malware Makes ATMs Spit out Cash
Security researchers have uncovered one of the most sophisticated ATM heists to date, involving a group of cyber criminals specialized in hacking bank networks using fileless malware, and ATM malware that spits out cash and then self-deletes.
These ATM heists are the work of a group of hackers that's been active for years. Most recently, starting in 2016, this group has switched to using legitimate Windows apps and fileless malware to hack into government agencies and banks in at least 40 countries.
Because those attacks used stealthy techniques that left a minimal footprint on infected servers, investigators weren't able to detect what the crooks were after. Nevertheless, they suspected the hackers stole data from infected systems, albeit they didn't know what data.
More clues about these attacks came to light only recently. Security researchers from Kaspersky Lab, the ones who identified the initial attacks this February, believe they uncovered the purpose of some of the bank hacks.
Source: Bleeping Computer
Attackers Physically Drilling Into ATMs to Steal Thousands of Dollars From Banks
Attackers are using drills to physically compromise ATMs so that they can steal thousands of dollars from the financial institutions operating them.
In the fall of 2016, a bank client revealed one of their ATMs that attackers had emptied to Kaspersky Lab. The only indication of physical tampering was a golf ball-sized hole someone had drilled into the machine next to the PIN pad. Law enforcement later arrested a suspect and found a laptop and cable in their possession.
These discoveries piqued the curiosity of Igor Soumenkov, a researcher at the Russian security firm. He said so at the company's annual Kaspersky Analyst Summit. As quoted by WIRED:
"We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it. The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer."
To get to the bottom of Soumenkov's question, Kaspersky's researchers transported the same ATM model to their lab and removed the machine's front panel to look inside. They found a wire that connected all the ATM's components, from the user interface to the cash dispenser. From their subsequent analysis, they also identified only a weak XOR cipher and no suitable authentication protecting the communications exchanged between these components.
WIRED's Andy Greenberg puts this setup into perspective:
"In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM's own trusted computer."
Source: Tripwire's "The State of Security" Blog
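The gap described above (a weak XOR cipher and no authentication on the link between components) next to the usual countermeasure, as an added example that is not from the quoted articles or from Kaspersky's analysis: a receiver that accepts a frame only when an HMAC tag verifies and a counter is fresh. The frame layout, the keys and the `STATUS` message are constructed for illustration and do not reflect any real ATM protocol.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def xor_obfuscate(data, key):
    """Repeating-key XOR: hides bytes but proves nothing about the sender."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def seal(key, counter, command):
    """Frame = 8-byte counter || command || HMAC-SHA256(key, counter || command)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Accepts a frame only if its tag verifies and its counter is new."""
    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit, or sent without the key
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of an earlier frame
        self.last_counter = counter
        return body[8:]

def demo():
    msg = b"STATUS 0001"      # constructed message, not a real device command
    xor_key = b"\x5a\xa5"     # constructed weak key
    wire = bytearray(xor_obfuscate(msg, xor_key))
    wire[-1] ^= ord("1") ^ ord("9")                    # one byte changed in transit
    xor_decoded = xor_obfuscate(bytes(wire), xor_key)  # decodes with no error
    key = b"k" * 32           # constructed shared key
    rx = Receiver(key)
    frame = seal(key, 1, msg)
    tampered = bytearray(frame)
    tampered[-TAG_LEN - 1] ^= ord("1") ^ ord("9")      # same change, sealed frame
    return {"xor_decoded": xor_decoded, "tampered": rx.accept(bytes(tampered)),
            "genuine": rx.accept(frame), "replayed": rx.accept(frame),
            "wrong_key": rx.accept(seal(b"x" * 32, 2, msg))}
```

With XOR alone the altered byte decodes to a different, valid-looking message and the receiver has nothing to check it against; with the tag and counter, the altered, replayed and wrong-key frames are all dropped.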
(Score: 4, Funny) by bob_super on Thursday April 06 2017, @02:15AM (1 child)
I was going to buy the biggest drill bit at Home Depot, but I don't have enough cash on me...
Curses! Foiled again!
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @05:31AM
The hole needn't be big. The size of a Russian golf ball will do.
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @02:21AM
> They found a wire that connected all the ATM's components, from the user interface to the cash dispenser.
For some reason this reminded me of an early Xerox copier/printer. It was a monster, about the size of a washing machine & dryer side by side. When the front panel came off there were multiple computer boards inside, for scanner, printer, collator, etc. And all connected together by the old coax thick Ethernet cable, like this, https://en.wikipedia.org/wiki/10BASE5 [wikipedia.org]
I wonder if the wire in the ATM is just some variant of Ethernet or some other commercial short haul network.
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @02:24AM (1 child)
They should have written the ATM software in Rust, it would be more secure!
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @02:30AM
Nah. Windows 10 should lock it down... or lock it up... permanently.
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @03:50AM
...drag the machine away and open it with a blowtorch [nbclosangeles.com] (do not attempt if British [dailymail.co.uk]).
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @05:20AM (3 children)
Back in my youth when I was installing burglar alarms, one would occasionally encounter a situation where a system was required to be Underwriters' Lab-compliant.
(This was considerably more expensive than the standard setup.)
One thing that is required for the UL cert is to run 2 protective loops to everything.
If the "positive" loop gets shorted to the "negative" loop (e.g. somebody trying to cut a wire), the system goes into alarm (even if the system isn't armed).
This mechanism is sometimes useful for example as a "panic button".
A UL system requires a UL-listed bell (sirens aren't allowed) and a UL-listed bell box to be included.
A UL bell box has an outer layer (seriously thick steel) and an inner layer that is electrically isolated from the outer.
If you try to drill through the thing, your drill bit will short the outer (positive loop) to the inner (negative loop) and all hell will break loose.
I'm shocked that they don't have this kind of setup on the ATMs.
-- OriginalOwner_ [soylentnews.org]
(Score: 2) by MostCynical on Thursday April 06 2017, @05:55AM
ATMs are already heavy, and expensive.
I'm also sure the insurance risk calculations for a "properly" secured box and a "cheaper", but not-as-secure box have been done - obviously they have decided "impregnable" is not worth it.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @08:08AM (1 child)
I saw one of those mechanical bell-thingie alarm boxes defused by clever crooks.
They shot some sort of liquid yellow foam like "great stuff" [dow.com] through the vent holes and got under the bell mechanism with it. Then waited for it to harden.
The whole bell housing was flooded with yellow foam when the owner came back to his ransacked store and investigated why the bell wasn't ringing.
Well, it tried to.
He had that big bell assembly perched right where people could get to it, with big lettering "BURGLAR ALARM" on it.
Oh yes, they stole his TV camera, too!
Gee. I wish he had talked to me before the burglary.
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @09:55AM
Yeah. That stuff was becoming available even decades ago when I was doing this stuff.
Anybody with the slightest bit of imagination had figured out the "defeat" method.
The bell box, however, is largely a distraction.
The longer you fart around with it, the greater chance that someone will notice something amiss.
...and these systems have central station reporting.
In my hometown way back then, these things were wired straight into the cop shop.
You may have silenced the noisemaker, but as soon as you breach the perimeter, the guys with badges and guns are alerted that you're up to no good.
-- OriginalOwner_ [soylentnews.org]
(Score: 0, Offtopic) by Rivenaleem on Thursday April 06 2017, @07:38AM (1 child)
You can't steal data! What these people did was take a copy. Data wants to be FREE!!!!
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @09:05AM
Last I checked, the stuff spilled out by ATMs is physical objects, not data. Well, those physical objects do have data printed on them, like the value of that physical object, but trying to pay in a shop by just reading the data to the cashier tends not to be successful; they require you to hand over the physical item.
(Score: 1, Funny) by Anonymous Coward on Thursday April 06 2017, @08:19AM (2 children)
> investigators weren't able to detect what the crooks were after.
Hmmm, I don't know… perhaps money?
(Score: 0) by Anonymous Coward on Thursday April 06 2017, @09:39AM (1 child)
Actually, they don't know what the crooks were after. It was not money, for fiat money does not exist. It is a piece of paper with some number written on it (and these days only a value in a spreadsheet), and the signature and seal of somebody who was given the right to print money by traitors.
(Score: 2) by requerdanos on Thursday April 06 2017, @03:56PM
> fiat money does not exist. It is a piece of paper with some number written on it (and these days only a value in a spreadsheet), and the signature and seal of somebody who was given the right to print money by traitors.
Hear, hear; I'm totally with you.
Except...
the coins/pieces of paper exist... check.
they are divisible via denominations or similar... check.
they have agreed-upon value... check.
they can be readily exchanged... check.
they store that value to be saved and used later... check.
they provide a unit of account, providing a base for pricing... check.
... in other words, despite having little to no inherent value in its materials nor workmanship, fiat money is money [imf.org] by definition.
In the above link, the IMF admits that "Fiat money is materially worthless", but points out that it "has value... because a nation collectively agrees to ascribe a value to it."
And if I were running an ATM, I would be unhappy if someone found a way to target and arbitrarily remove its banknotes regardless of what they were specifically after.
(Score: 2) by requerdanos on Thursday April 06 2017, @03:47PM
Comment on TFA FWIW
> a group of cyber criminals
As far as it means anything at all, the above phrase means "a group of people who are cybernetically enhanced [lifeboat.com] and who are also criminals."
The prefix "cyber" does not refer to script kiddies or crackers, even if they find practical applications for their malfeasance in making ATMs spit cash, which is admittedly pretty showy and effective.
Even if we admit that "cyberspace" is a thing, that isn't where the criminals exist, nor the ATMs. Cybernetics itself [pangaro.com] is simply the study of control and feedback.
That is all.