
Live in the ATM Trenches

In 2016 Kaspersky Lab employees participated in incident response cases that took place in dozens of financial institutions around the globe. In most cases we had to provide forensic analysis of ATMs. When the details of the Carbanak attack were announced at #TheSAS2015, criminals also found this information useful: other criminal groups eagerly adopted the same TTPs, and banks started to suffer from attacks on ATMs involving both malware and physical access.
These are:
• Direct attacks on the peripherals and low-level hardware protocols
• Hacker movie-style hardware drops in bank offices
• Carbanak-like software attacks on ATM software layer
• Bluetooth HID dongles implanted in ATMs instead of black boxes
We will provide details about each of these cases and present a cheap and simple hardware design that (when applied with a bit of physical labor) can empty one of the most popular ATM models in the world.


  1. Live in the ATM trenches. Sergey (k1k) Golovanov, Igor (igosha) Soumenkov, Electrical engineers, Kaspersky Lab
  2. AGENDA: Drilling; Bl@ckb0x_m@g1c; ATMitch. Security Analyst Summit 2017
  3. ATMITCH
  4. Fileless attacks against enterprise networks. By GReAT on February 8, 2017.
  5. ORIGINAL REQUEST FROM A BANK ABOUT ATM: 1. Empty cassettes 2. No samples 3. Nothing in logs 4. C:\Windows\Temp\kl.txt found 5. The main question: is KL involved?
  6. Dates; KL.TXT file content; photo from empty ATM
  7. ACTION STEPS: 1. Create YARA rule on 2. Wait…
  8. ATMITCH IN ACTION: ECHO O - open dispenser; ECHO I - initialization; ECHO D 6 1 - dispense 1 note from cassette 6; RUNDLL MALWARE; CATCH SOME MONEY...
  9. SUMMARY: 1. Sample works with MSXFS.DLL 2. It was installed from a bank (no files) 3. There were some speculations about fileless malware for ATM. It is not TRUE. Whitelisting will block it.
  10. BL@CKB0X_M@G1C
  11. STEPS: 1. Bank requested forensics research of ATM 2. Blackbox attack in far-far away city 3. No CCTV cuz attacker placed stickers on cameras 4. No logs about opening of service zone 6. Transport ATM to HQ 7. Investigate hardware on ATM?
  12. DISCOVERY
  13. ATTACKER'S STEPS: 1. Plug USB-Bluetooth dongle into ATM 2. Pair it with wireless keyboard 3. Wait for 3 months 4. Turn on keyboard near ATM 5. Reboot ATM 6. Boot in ATMDesk 7. Dispense some money
  15. BANK REQUEST FOR ASSISTANCE: 1. Construction worker was drilling ATM near bank's office 2. He was noticed by a police patrol in the middle of the day 3. He started to run and destroy evidence 4. He was tearing some cables, breaking down his laptop and some small box 5. After arrest he didn't say a word
  16. Hole
  17. Cables (Source: development/cerber-ndc-lock/#services)
  18. Later: several cases in EU (Source: development/cerber-ndc-lock/#services)
  19. MAIN QUESTION TO EXPERTS: WTF was he doing?!!
  20. SDC Bus
  21. CHALLENGES: 1. RS485 2. 9-bits 3. Port speed 4. Encryption 5. Protocol. You will make it, right?
  22. OUR LAB FOR 5 WEEKS
  23. Challenge: find a bus speed
  24. LOGIC ANALYSER
  25. SDC BUS STREAM
  26. Every device has an address. Decrypted codes for dispensing are hidden in equation
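As an added example (not from the slides or the authors' lab code), here is how the "find a bus speed" and 9-bit challenges above can be worked through on a logic-analyser edge export: the baud rate is estimated from the shortest pulse, then frames are decoded into the same 0x000-0x1FF word notation the SDC stream slides use, with bit 8 as the ninth (address) bit. The edge capture is constructed inside the block, and the 1 start / 8 data / 1 ninth / 1 stop framing and the standard baud set are assumptions, since the slides only say "RS485", "9-bits" and "port speed".

```python
import bisect
from typing import List, Tuple

# Assumption: the bus is a UART-style 9-bit link (1 start, 8 data LSB-first,
# 1 ninth/address bit, 1 stop) at one of these common rates; the slides say
# only "RS485", "9-bits" and "port speed", so this framing is a guess.
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)
Edge = Tuple[float, int]  # (timestamp in seconds, line level after this edge)

def encode_9bit(words: List[int], baud: int, idle_bits: int = 4) -> List[Edge]:
    """Constructed input: render 9-bit words as the edge list a logic analyser
    would export (line idles high, frames separated by idle_bits of high)."""
    bit = 1.0 / baud
    levels = [1] * idle_bits
    for w in words:
        levels += [0] + [(w >> i) & 1 for i in range(9)] + [1] * (idle_bits + 1)
    edges: List[Edge] = [(0.0, 1)]
    for i in range(1, len(levels)):
        if levels[i] != levels[i - 1]:
            edges.append((i * bit, levels[i]))
    return edges

def estimate_baud(edges: List[Edge]) -> int:
    """The shortest gap between transitions is one bit period (a lone 0 or 1
    bit); snap 1/period to the nearest standard rate to absorb sampling jitter."""
    gaps = [b[0] - a[0] for a, b in zip(edges, edges[1:]) if b[0] > a[0]]
    raw = 1.0 / min(gaps)
    return min(STANDARD_BAUDS, key=lambda r: abs(r - raw))

def decode_9bit(edges: List[Edge], baud: int) -> List[int]:
    """Start at each falling edge seen while the line is idle, sample the nine
    payload bits at their centres, verify the stop bit, and return words in the
    0x000-0x1FF form the stream slides use (bit 8 = the ninth/address bit)."""
    bit = 1.0 / baud
    times = [ts for ts, _ in edges]
    def level_at(t: float) -> int:  # level set by the last edge at or before t
        return edges[bisect.bisect_right(times, t) - 1][1]
    words: List[int] = []
    busy_until = -1.0
    for ts, lvl in edges:
        if lvl != 0 or ts < busy_until:
            continue  # rising edge, or a falling edge inside the current frame
        word = sum(level_at(ts + (i + 1.5) * bit) << i for i in range(9))
        if level_at(ts + 10.5 * bit) != 1:
            raise ValueError(f"framing error (stop bit low) at t={ts:.6f}s")
        words.append(word)
        busy_until = ts + 11 * bit
    return words
```

Feed `decode_9bit(capture, estimate_baud(capture))` a capture such as `encode_9bit([0x155, 0x10F], 38400)` to see the round trip; a real export only needs converting to the same (timestamp, level) pairs.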
  27. SDC BUS STREAM INJECTION: 0x0C0 Wait for a big request and reply first with inject in response: 0x0C1 0x001 0x0AA PAUSE 0x189 0x0F7 GIVE ME THE MONEY!
  28. Development
  29. Teamwork
  30. Testing
  31. We were able to reproduce the attack with all items seized from the construction worker
  33. Chill out…
  34. Sergey (k1k) Golovanov, Igor (igosha) Soumenkov, Electrical engineers, Kaspersky Lab. Thank you!