Jackpotting Attacks Are Back - But Banks Can Fight Back

ATM jackpotting is a cybercriminal technique that uses malware to make an ATM dispense large sums of cash without using a credit or debit card, fully bypassing the transaction authorisation processes. 

It has caused huge economical losses to ATM operators worldwide over the past decade, and very recently, in February 2023, the cybersecurity community has been alerted of a new variant of ATM jackpotting malware, called FiXS, that has infected ATMs in Mexico.

FiXS is a new piece of malware, however the techniques and tactics that it uses very much ressemble the ones used by other ATM malware families like Ploutus, Tyupkin, Alice, Ripper, and Cobalt. 

While only detected in Mexico so far, the appearance of FiXS does mean ATM operators need to renew their efforts to prevent these attacks, which are extremely sophisticated. What makes FiXS particularly lethal is its ability to infect multiple ATM vendors and models, thanks to its interaction with the XFS (eXtended Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.

FiXS is packaged in a dropper that masquerades as a common system executable, conhost.exe. The dropper embeds the malware (FiXS.exe), which is extracted and copied to the ATM File System. Using the MSXFS.dll library, the malware can interact with the XFS API and send commands to the ATM hardware like the dispenser. Interaction with FiXS is done via a connected keyboard, which launches the malware GUI to allow the attacker to display information of the cash units and to send dispensing commands.

Understanding The Attack Process – From Infection To Cash Out 

To successfully launch an ATM jackpotting attack, there are four phases from preparation to execution. The attacker first steals a hard disk from a production ATM containing the software stack used by the financial institution to analyse and reverse engineer it to prepare a targeted attack. A full R&D process is conducted, including the development, packaging, and testing of a new malware such as FiXS.

At this point the targeted malware is ready to infect ATMs or ASSTs that are loaded with cash.

This is accomplished by physically accessing the device and manipulating it to copy the malware with the help of external keyboards and USB sticks. The attackers need to make the infection persist in time, which can be achieved by replacing legitimate system executables or by setting autorun keys at startup time.  The persistent malware will then run silently waiting for an activation code. Finally, the attacker activates the malware by entering a code that wakes it up and launches a GUI to dispense cash, which is picked up by the gang. 

Some believe that ATMs running outdated and unsupported operating systems, like Windows XP or Windows 7, are more vulnerable. However, ATM malware like FiXS is highly targeted and does not exploit operating system vulnerabilities but rather design flaws of the ATM software stack, like the lack of authentication in the XFS layer.

While migrating to Windows 10 and keeping patches updated is a good practice, ATMs running  Windows 10 are as vulnerable as the ones running Windows 7 or XP.

The Right Cybersecurity Approach To Protect ATMs

Every organisation operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential. However, the physical accessibility of ATMs and the lack of proactive update policies create an inherently vulnerable environment that makes ATM devices challenging to protect with traditional security technologies.

The Zero Trust protection model assumes that the infrastructure managing ATM and ASST devices will be compromised, and enforces the principle of “never trust, always verify” to prevent ATM jackpotting and other attacks. Zero Trust is based on the drastic reduction of the attack surface and a tight control of hardware and software changes in the ATM.

To design a robust Zero Trust ATM and ASST protection model, it is essential to identify the most critical points. Access to software, hardware, and communications must be continuously verified, only granting access to the minimum set of resources that are legitimate and required for the proper functioning of the device. In addition to that, hardware changes, made by third-party companies with physical access to the ATM, should only be possible in authorised time periods, where a specific security policy that allows modifications is applied. These changes are also subject to total monitoring of technical operations and explicit authorisation.

An effective way to secure ATMs, ASSTs, and other critical devices could be by implementing Lookwise Device Manager (LDM), Auriga’s solution that provides comprehensive layered protection to ATMs at all stages of the attack life-cycle, ensuring full availability of services for customers. LDM is designed based on the knowledge of the ATM infrastructure and the tactics and techniques used by attackers, making it an effective way to secure these critical devices.

In conclusion, the latest ATM jackpotting attack using FiXS shows that banks and other operators of ATMs must design a robust Zero Trust cybersecurity model to protect their ATM and ASST devices. The physical accessibility of ATMs, the lack of proactive update policies, and the critical nature of these devices create an inherently vulnerable environment that makes them difficult to protect with traditional security technologies.

Juan Ramon Aramendia is Head of Cybersecurity Product Engineering at Auriga

You Might Also Read: 

Does Your Business Require PCI DSS Compliance?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Britain Pledges To Invest £2.5bn In Quantum Computing
Ferrari Hacked & Ransom Demanded »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Vaddy

Vaddy

Vaddy provide an automatic web vulnerability scanner for DevOps that performs robust security checks to ensure that web app code is secure.

Center for Internet Security (CIS)

Center for Internet Security (CIS)

CIS is a nonprofit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

KPN Security

KPN Security

KPN Security is the largest and most complete provider of IT security services in the Netherlands.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

Xcina Consulting (XCL)

Xcina Consulting (XCL)

Xcina Consulting provides high quality business and technology risk assurance and advisory services.

Berwick Partners

Berwick Partners

Berwick Partners’ Cyber Security Practice is a leading recruiter of senior management positions in this field; we have an exceptional understanding of the constantly changing Cyber landscape.

Applied Science and Technology Research Institute Company Limited (ASTRI)

Applied Science and Technology Research Institute Company Limited (ASTRI)

ASTRI's mission is to enhance Hong Kong’s competitiveness in technology-based industries through applied research in areas including Security & Data Sciences which encompasses cybersecurity.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

neoEYED

neoEYED

neoEYED helps banks and fintech to detect and prevent frauds using a Behavioral AI that recognizes the users just by looking at “how” they interact with the applications.

CYOSS

CYOSS

CYOSS, an ESG Group company, is a specialist in Cyber Security and Data Analytics. We focus on the opportunities of a networked world and make security risks manageable.

Query.ai

Query.ai

At Query.AI, we are committed to helping companies unlock the power of their security data, so they are empowered to meet security investigation and response goals while simultaneously reducing costs.

Orbus Software

Orbus Software

Orbus develops, markets and sells enterprise software which helps large, blue chip and government organisations across the globe to achieve digital transformation outcomes.

Coralogix

Coralogix

Coralogix are rebuilding the path to observability using a real-time streaming analytics pipeline that provides monitoring, visualization, and alerting capabilities without the burden of indexing.

Silverse

Silverse

At Silverse, we specialize in building a comprehensive cybersecurity journey, anchored by our extensive experience, industry expertise, and an ecosystem of trusted partners.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.

Clumio

Clumio

Clumio provides autonomous backup and recovery for critical cloud data.