STE WILLIAMS

Deepfakes AI celebrity porn channel shut down by Discord

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yHV2Uk8p1AI/

Secret Service warning: Jackpotting ATM attacks reach the US

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PRX6SDaUixo/

Are organizations prepared for the ransomware threat?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1oS10GHzBBI/

F-35 flight tests are being delayed by onboard software snafus

F-35 fighter jets are running so many different versions of their core software that a US government watchdog has warned of knock-on delays to flight tests.

Core software aboard the Mach 1.6 stealth jet is in such a state of disarray – with aircraft at different US military bases running different versions of it – that the US Department of Operational Test and Evaluation (DOTE) said planned future releases were being stripped of new features so developers could address the thousands of bug reports filed by pilots and engineers.

The software, identified by its Block number, has so far been through tens of iterations, with Block 3F – the latest version – having been through more than 30 versions by autumn last year.

“As of late October 2017, the program was preparing a second version of Block 3FR6.3 (3FR6.32), the 31st version of Block 3F, software as it continues work to resolve key remaining deficiencies,” said DOTE in its annual report, which was published late last week. “The [F-35] program is using test point data from older versions of software to sign off capability specifications and justify baseline test point deletions, even though the old data may no longer be representative of the latest version of Block 3F software.”

The DOTE report continued: “The ‘final’ Block 3FR6.3 software for SDD was released in October 2017, but this planned final version has already been superseded by two additional software updates; more software patches will likely be needed as the program continues to work ongoing problems with weapons and avionics.”

Can’t talk to bombs, can’t properly use decades-old missiles

Britain’s 14 F-35Bs are all thought to be running Block 3F software of various sub-versions. Yet the all-singing, all-dancing jet still can’t talk to its guided air-to-ground bombs properly, even with the latest patches installed.

“For Block 3F, the pilot is now able to see what coordinates are sent to the bomb, but is still not able to see what coordinates are actually loaded in the bomb,” noted DOTE. “The [US] Services are assessing if this correction meets the requirements directed by the rules of engagement in specific areas of operation.”

Even more worryingly, trials identified that the AIM-120 AMRAAM missile, which the Royal Air Force and Royal Navy intend to use as the F-35B’s main air-to-air weapon, cannot currently be used to its full potential by the supersonic stealth jet. After six test firings in simulated combat scenarios, test pilots identified “key technical deficiencies in the ability of the F-35 to employ the AIM-120 weapons”.

The precise nature of those deficiencies was classified. Britain first bought the AMRAAM for the 1980s vintage Harrier jump-jet. It is currently carried by the Eurofighter Typhoon.

Memory devices too slow, mission data software delayed

Even the jet’s inability to communicate with its unique “portable memory devices” (which are not USB sticks) at a reasonable speed caused problems, with DOTE reporting: “Pilots frequently chose to manually enter mission planning data in the cockpit, versus using the Offboard Mission Support workstation, due to the excessive time required to transfer the data from the Portable Memory Device to the aircraft.” Despite efforts to speed this up with “updated transfer devices,” said DOTE, “Portable Memory Device loading still takes too long and is often problematic.”

The PMDs are made by Smiths Aerospace, a British subsidiary of General Electric’s Aviation division. Flight Global reported in 2014 that the data transfer took about a quarter of an hour at the time.

Meanwhile, crucial mission data loads (MDLs), software packages necessary for the F-35 to operate its sensors and weapons, have been subject to an “extended timeline … due to ongoing delays with Block 3F and the program’s failure to provide the necessary equipment and adequate software tools for the U.S. Reprogramming Laboratory (USRL),” said DOTE.

The USRL is the American government body charged with writing all the MDLs.

On the bright side, the Autonomous Logistics Information System (ALIS) bundled with the F-35 is now running on Internet Explorer 11, after techies “completed development of ALIS 2.0.2.5 in late CY17 to address some of the existing deficiencies and usability problems.”

As we previously reported, ALIS tracks every single component on the aircraft and appears to be the ultimate vendor lock-in software package. Even this good news, however, came with a sting in the tail from DOTE: “ALIS version 3.0 is necessary to provide full combat capability… The program deferred to ALIS 4.0 capabilities previously designated for ALIS 3.0. ALIS 4.0 is scheduled for release in late 2018, but this schedule is high risk.”

DOTE also noted that product testing of ALIS relied too heavily on lab simulations, and when “fleet personnel” got their hands on it, they “used ALIS in ways that laboratory testers did not”.

Brains, brawn and potential redesigns

Problems with F-35 testing are not only confined to software, however. An F-35B (the same model as the UK is buying for its Queen Elizabeth-class aircraft carriers) used for ground testing “is unable to start third-life structural testing due to the extensive repairs that were required to complete the second-life testing,” halting ground tests completely.

In addition, another F-35B used for flight tests had to have “unique horizontal tail thermal barrier coatings” applied so it could be flown in full afterburner for long enough to “collect necessary strain load data”, while other F-35Bs in flight sciences testing developed cracks which “delayed testing”. The F-35B is designed for a service life of 8,000 hours, but with ground testing halted, DOTE warned that “the effect of the discoveries and failures during testing on the service life certification… may [result in it being] less than the planned 8,000 hours designed for all variants, even with extensive modifications to strengthen the aircraft.”

Under its Block 3F software, the F-35 is designed to reach a speed of 630kts and pull a maximum of 7G.

What’s the F-35 running on, anyway?

The F-35’s core software is written in C++ and runs on commercial off-the-shelf PowerPC architecture processors. The operating system is Green Hills Software’s Integrity DO-178B real-time OS, as used in a number of (mostly American) aircraft, both civil and military. The F-35’s processors are bundled into an “electronic brain” called the Integrated Core Processor (ICP), according to an article from Avionics magazine, which said: “Packaged in two racks, with 23 and eight slots, respectively, this computer consolidates functions previously managed by separate mission and weapons computers, and dedicated signal processors.”

Each ICP is said to comprise:

  • Four general-purpose (GP) processing modules
  • Two GPIO (input/output) modules
  • Two signal processing (SP) modules
  • Five SPIO modules
  • Two image processor modules
  • Two switch modules
  • Five power supply modules

Firewire ports are used to “link the ICP, display management computer and the CNI system to the vehicle management system.”

The woes of a large government software project will be familiar to many Register readers. However, the extended timescale of the F-35 project – it has been flying since the beginning of this decade – raises questions as to whether the UK is spending its money wisely on this project. Each of Britain’s future F-35Bs will cost us around £90m at current prices – and that price excludes spares, software updates, and so on.

So far Britain has committed to buying 48 F-35Bs, of which we currently have 14 on charge. In total the UK plans to buy 138 jets, and a fag-packet sum tells us that is a planned spend of £12bn. If you lump in the support costs, that will probably treble the spend over the aircraft’s lifetime.

The DOTE report tells us that software problems are piling up, delaying flight testing. The Royal Navy has publicly declared that the F-35 will “achieve initial operational capability” this year, which El Reg thinks will mean December. IOC means, in plain English, “if a war broke out tomorrow we could send this into combat but it can’t yet do everything we want”.

If any further delays of the type that DOTE identified last year occur again this year, we could see delays to Britain’s plans of having a ready-to-fight squadron of jets. And that would mean money being spent on the F-35 would, in part, be money wasted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/f35_dote_report_software_snafus/

Ugly, perfect ten-rated bug hits Cisco VPNs

A programming slip in Cisco VPN software has created a critical vulnerability hitting ten different Adaptive Security Appliance and Firepower Threat Defense Software products.

The bug scores a perfect ten CVSS rating and is present in the products’ SSL VPN functionality. That’s bad news because if you’re using the VPN, the interface has to be exposed to the Internet. If you’re lucky, an attacker might just trigger a reload and denial-of-service attack.

From Switchzilla’s advisory: “The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system.”

The problem affects the 3000 series industrial firewall, the ASA 5500 and 5500-X firewalls, a firewall module for Catalyst 6500 switches and 7600 Series routers, the virtual ASA 1000V and ASAv products, three Firepower appliances (2100, 4110, and the 9300 ASA module), and the Firepower Threat Defense (FTD) Software.

The bug was introduced in Firepower Threat Defense 6.2.2, which introduced the remote access VPN feature, Cisco said. FTD 6.2.2 was released in September last year.

Fixes for both the Adaptive Security Appliance software and Firepower Threat Defense software are available – if you have a Cisco service contract, or your reseller can provide the patches. If not, you’ll have to ask the Cisco Technical Assistance Center really nicely. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/cisco_asa_and_firepower_cvss_10_0_bug_patch_asap/

Crooks make US ATMs spew million-plus bucks in ‘jackpotting’ hacks

Cash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed “jackpotting” because the ATMs look like slot machines paying out winnings.

A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to Reuters on Monday.

Typically, crooks inject malware into an ATM to make it rapidly dole out large sums of money that doesn’t belong to the thieves. Anyone aware of the work by security researcher Barnaby Jack – who almost 10 years ago revealed various ways to force cash machines to cough up cash on demand – will know of jackpotting.

According to an alert [PDF] issued by ATM manufacturer Diebold Nixdorf this month, obtained by cybersecurity sleuth Brian Krebs, organized crooks are using the Windows malware Ploutus-D to compromise machines, with the Opteva 500 and 700 series machines being particularly vulnerable. This software nasty was associated with a jackpotting spree that hit Latin America last year, as infosec biz FireEye reported at the time.

Since 2013, if not earlier, Ploutus has been a favorite of Mexican banditos raiding cash machines, as previous Reg stories document. Viewed from this perspective, the main surprise today is that it’s taken so long for the scam to surface north of the border, moving from Mexico to the United States.

To get Ploutus into an ATM, the crooks have to gain physical access to the box’s internals to swap its computer hard drive for an infected one. Once the disk is in place and the ATM rebooted, the villains have full control over the device, allowing them to order it to dispense the contents of its cartridges of dollar bills.

Thus, Diebold Nixdorf recommends physical security is stepped up for each cash machine – particularly ones placed in big stores, pharmacies and drive-thrus, all of which crooks seem to prefer to tamper with. Also, tightening the security configuration of the firmware is recommended.

Meanwhile, ATM maker NCR also warned of similar jackpotting attacks against its models.

Leigh-Anne Galloway, cyber security resilience lead at Positive.com and a banking tech expert with experience in analyzing the security of ATMs, said would-be thieves seem to have picked a difficult approach towards reaching their objective.

“What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen,” Galloway said. “In other words, it’s very surprising the method that these criminals have come up with.

“This attack vector involves replacing the boot media – the hard drive – of the ATM and bypassing security controls between the media and the dispenser itself, using an endoscope to press a button to reset the dispenser communication.”

Galloway offered a suggestion on how US financial institutions might defend against potential attacks. “The attack can mostly be mitigated by limiting physical access to the ATM, the service area, and requiring physical authentication by maintainers,” she advised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/atm_jackpotting_us/

Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

Two security researchers have demonstrated an attack on Active Directory that let them insert their own domain controller into an existing enterprise setup.

France-based duo Benjamin Delpy, a contributor to Mimikatz, and Vincent Le Toux took their attack, dubbed DCShadow, to Microsoft’s Blue Hat conference in Israel last week.

DCShadow allows an attacker to create a rogue domain controller in an Active Directory environment, and use it to push malicious objects.

How? Le Toux tweeted a summary:

The presentation (PDF) was unpicked in more detail by Lu Delsalle, a security researcher who specialises in Active Directory, here.

Delsalle explained: “The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain”.

That’s easily spotted, so Delsalle wrote that the attack described by Delpy and Le Toux has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process”.

He continued: “the main action made by the ‘DCShadow’ attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema”. nTDSDSA objects are described by Microsoft as the replication agent responsible for processing the Directory Replication Service protocol.

That change happens in a privileged environment, though, so the attack needs a way around controls on creating servers and initiating replications. Delsalle explains that Delpy and Le Toux were able to “isolate the minimum set of SPNs required for the replication process to go through. The results of their studies show that two SPNs are required to let another DC to connect to the rogue server” – these being the DRS service class (which has the well-known GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2), and the Global Catalog service class (which has the string “GC”).

From there, the attackers registered a domain controller into the replication environment, and had it authenticated by another domain controller.

The final step is to force a last replication step, with the IDL_DRSReplicaAdd RPC, allowing the attacker to add backdoors into the domain “(by adding new member on an administrative group, or by setting SID history on a controlled user account for example)”.
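One defender-side check that follows from the two-SPN finding above, written here as an added example and not taken from the Delpy/Le Toux presentation or Delsalle’s write-up: walk the directory’s computer objects and flag any that advertise both the DRS service-class SPN and a GC SPN without living in the Domain Controllers OU, and cross-check nTDSDSA objects in the Configuration partition against the known DC names. It assumes the SPN shapes `<class>/<instance>/<domain>` and `GC/<host>/<forest>`, the default `OU=Domain Controllers` container, and constructed sample records standing in for a real LDAP query.

```python
"""Hunt for rogue-DC indicators of the DCShadow kind in exported AD objects.

Added example; the directory records below are constructed, not real data.
A production version would pull (distinguishedName, servicePrincipalName)
pairs and Configuration-partition DNs over LDAP instead.
"""
import re

# Well-known DRS service class GUID, as quoted in the article.
DRS_SERVICE_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Assumed SPN shapes: "<DRS class GUID>/<DSA instance>/<domain>" and "GC/<host>/<forest>".
_DRS_RE = re.compile(rf"^{DRS_SERVICE_CLASS}/[^/]+/[^/]+$", re.IGNORECASE)
_GC_RE = re.compile(r"^GC/[^/]+/[^/]+$", re.IGNORECASE)

# nTDSDSA objects sit at CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
_NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)
_CN_RE = re.compile(r"^CN=([^,]+),", re.IGNORECASE)

DOMAIN_DN = "DC=corp,DC=example"  # constructed domain

# Constructed sample: one real DC, one workstation, one workstation carrying DC SPNs.
SAMPLE_RECORDS = [
    ("CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     [f"{DRS_SERVICE_CLASS}/6b2d3e0c-0000-4000-8000-000000000001/corp.example",
      "GC/dc01.corp.example/corp.example",
      "HOST/dc01.corp.example"]),
    ("CN=WS042,OU=Workstations,DC=corp,DC=example",
     ["HOST/ws042.corp.example"]),
    ("CN=ROGUE01,OU=Workstations,DC=corp,DC=example",
     [f"{DRS_SERVICE_CLASS}/1f2e3d4c-0000-4000-8000-0000000000ff/corp.example",
      "GC/rogue01.corp.example/corp.example"]),
]

# Constructed sample of nTDSDSA object DNs from the Configuration partition.
SAMPLE_CONFIG_DNS = [
    "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
    "CN=Sites,CN=Configuration,DC=corp,DC=example",
    "CN=NTDS Settings,CN=ROGUE01,CN=Servers,CN=Default-First-Site-Name,"
    "CN=Sites,CN=Configuration,DC=corp,DC=example",
]


def has_replication_spns(spns):
    """True when an object carries both SPN classes the article says a rogue DC needs."""
    has_drs = any(_DRS_RE.match(s) for s in spns)
    has_gc = any(_GC_RE.match(s) for s in spns)
    return has_drs and has_gc


def is_in_dc_ou(dn, domain_dn):
    """Legitimate DC computer objects live under OU=Domain Controllers by default."""
    return dn.lower().endswith(f"ou=domain controllers,{domain_dn}".lower())


def find_rogue_dc_candidates(records, domain_dn):
    """DNs that look like a DC by their SPNs but sit outside the Domain Controllers OU."""
    return [dn for dn, spns in records
            if has_replication_spns(spns) and not is_in_dc_ou(dn, domain_dn)]


def dc_names_from_records(records, domain_dn):
    """Computer names (CN values) of objects inside the Domain Controllers OU."""
    names = []
    for dn, _ in records:
        m = _CN_RE.match(dn)
        if m and is_in_dc_ou(dn, domain_dn):
            names.append(m.group(1))
    return names


def find_unexpected_ntdsdsa(config_dns, known_dc_names):
    """nTDSDSA objects whose parent server name is not one of the known DCs."""
    known = {n.lower() for n in known_dc_names}
    return [dn for dn in config_dns
            if (m := _NTDS_RE.match(dn)) and m.group(1).lower() not in known]


if __name__ == "__main__":
    for dn in find_rogue_dc_candidates(SAMPLE_RECORDS, DOMAIN_DN):
        print("replication SPNs outside DC OU:", dn)
    dcs = dc_names_from_records(SAMPLE_RECORDS, DOMAIN_DN)
    for dn in find_unexpected_ntdsdsa(SAMPLE_CONFIG_DNS, dcs):
        print("nTDSDSA object for unknown server:", dn)
```

Both checks are cheap enough to run on a schedule against an LDAP export; a hit on either is worth treating as a replication-path change that somebody must account for.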

Le Toux noted in a tweet that the attack can be defeated… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/dcshadow_active_directory_attack/

Intel alerted Chinese cloud giants ‘before US govt’ about CPU bugs

Intel warned Chinese firms about its infamous Meltdown and Spectre processor vulnerabilities before informing the US government, it has emerged.

Select big customers – including Lenovo and Alibaba – learned of the design blunders some time before Uncle Sam and smaller cloud computing suppliers, The Wall Street Journal reports, citing unnamed people familiar with the matter and some of the companies involved.

The disclosure timeline raises the possibility that elements of the Chinese government may have known about the vulnerabilities before US tech giant Intel disclosed them to the American government and the public.

The Meltdown and Spectre chip flaws were first identified by a member of Google’s Project Zero security team shortly before they were independently uncovered and reported by other teams of security researchers. “Intel had planned to make the discovery public on Jan. 9… but sped up its timetable when the news became widely known on Jan. 3, a day after U.K. website The Register wrote about the flaws,” the WSJ reports.

Intel worked on addressing the vulnerabilities with security researchers at Google and other teams that uncovered the processor vulnerabilities as well as PC makers – specifically, the larger OEMs – and cloud-computing firms. Those informed included Lenovo, Microsoft, Amazon and Arm.

The WSJ omits any mention of when notification was made to Lenovo et al, but a leaked memo from Intel to computer makers suggests that notification of the problem for at least one group of as-yet unnamed OEMs took place on November 29 via a non-disclosure agreement, as previously reported.

Lenovo was quick out the gate on January 3 with a statement advising customers about the vulnerabilities because of work it had done “ahead of that date with industry processor and operating system partners.”

Speculative

Alibaba Group, China’s top provider of cloud services, was also notified ahead of time, according to a “person familiar with the company.” An Alibaba spokesperson told the WSJ that the notion the company may have shared threat intelligence with the Chinese government was “speculative and baseless”. Lenovo said Intel’s information was protected by a non-disclosure agreement.

It is a “near certainty” that Beijing was aware of information exchanged between Intel and its Chinese tech partners because local authorities routinely monitor all such communications, said Jake Williams, president of security firm Rendition Infosec and a former National Security Agency staffer.

An official at the US Department of Homeland Security, which runs US CERT, said it only learned of the processor vulnerabilities from early news reports. “We certainly would have liked to have been notified of this,” they added.

Rob Joyce, the White House’s top cybersecurity official, publicly claimed the NSA was similarly unaware of what became known as the Meltdown and Spectre flaws.

Because they had early warning, Microsoft, Google and Amazon were able to roll out protections for their cloud-computing customers before details of Meltdown and Spectre became public. This was important because Meltdown – which allows malware to extract passwords and other secrets from an Intel-powered computer’s memory – is pretty easy to exploit, and cloud-computing environments were particularly exposed as they allow customers to share servers. Someone renting a virtual machine on a cloud box could snoop on another person using the same host server, via the Meltdown design gaffe.

Smaller cloud service providers were left playing “catch up.” Joyent, a US cloud-services provider owned by Samsung Electronics, was among those that may have benefited from a warning but wasn’t included in the select group informed ahead of the public reveal.

“Other folks had a six-month head start,” Bryan Cantrill, the company’s chief technology officer, told the WSJ. “We’re scrambling.”

“I don’t understand why CERT would not be your first stop,” Cantrill added.

El Reg asked Intel to comment on its disclosure policy. In a statement, Chipzilla told us it wasn’t able to inform all those it had planned to pre-brief – including the US government – because news of the flaws broke before a scheduled 9 January announcement:

The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure. Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others.

US CERT acts as a security clearing house. The agency initially advised that the Spectre flaw could only be addressed by swapping out for an unaffected processor before revising its position to advise that applying vendor-supplied patches offered sufficient mitigation.

El Reg asked US CERT for its take on how the disclosure process went down in the case of the Meltdown and Spectre vulnerabilities but we’re yet to hear back. We’ll update this story as and when more information comes to light. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/29/intel_disclosure_controversy/

Microsoft Issues Emergency Patch to Disable Intel’s Broken Spectre Fix

Affected Windows systems can also be set to “disable” or “enable” the Intel microcode update for Spectre attacks.

Fallout from flawed fixes for the Meltdown and Spectre microprocessor firmware vulnerabilities continues as Microsoft released a second emergency patch this month for Windows: this time, to deactivate Intel’s buggy update for one of the Spectre issues.

Microsoft late Friday issued an out-of-band update that disables the mitigation patch for the branch target injection flaw (CVE-2017-5715), aka Spectre variant 2. Intel last week revealed that this firmware update caused spontaneous reboots and other system problems, and called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors.

“Our own experience is that system instability like this may result in data loss or corruption,” Microsoft said in a post for the new patch, which affects Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows Server 2008 R2 Standard, and Windows Server 2012 R2 Standard.

“While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715,” Microsoft said.

The good news in the update: Microsoft provides an option for “advanced users” to manually disable and enable the Spectre Variant 2 patch using registry-setting changes, which helps streamline the process. This allows them to “turn off” the flawed microcode fix via the Windows update rather than roll back the buggy patches. 

“This saves a lot of work. You don’t have to uninstall the microcode update and restore to the previous version. You just set this flag and it ignores the microcode” patch, says Neil McDonald, vice president and distinguished analyst at Gartner.

The manual disable option is a good move by Microsoft, he says. “It’s a way to just turn off the Variant 2” option, he says, giving them the choice to patch on the fly rather than the time-consuming process of rolling back the flawed patches.

“If there’s an attack, they can reactivate it,” he says.

McDonald says he hopes Microsoft provides the same strategy for Meltdown and Spectre Variant 1 vulnerability updates. That allows an organization to patch for the flaws based on performance tradeoffs since some environments can’t sustain the slowdown. Instead, they can address the threat system by system, he says.

Microsoft recommends Windows users then reactivate the CVE-2017-5715 update after Intel gives the all-clear that it has fixed the performance problems it caused.

Jimmy Graham, director of product management at Qualys, notes that installing the emergency Microsoft patch should remedy system problems caused by the flawed update. “Installing this patch should return unstable systems to their former condition. This does mean that Spectre Variant 2 is not mitigated, but there are currently no active attacks against this vulnerability,” Graham says. 

He says it’s no surprise the microcode updates caused system problems because they aren’t “typical software patches.”

“They rely on microcode changes that directly impact how the processor functions. As with any patching, full testing of systems should be performed before production deployment. Especially in the case of Spectre and Meltdown patches, it is important to test these systems at production load to determine if there are any performance or stability concerns,” Graham says.

Meantime, Intel CEO Brian Krzanich told analysts in the company’s earnings call last week that Intel will unveil new products “later this year” that mitigate the Meltdown and Spectre vulnerabilities. “Our near-term focus is on delivering high-quality mitigations to protect our customers’ infrastructure from these exploits. We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year,” Krzanich said. 

But the Meltdown- and Spectre-free new microprocessors won’t mean much to the current installed base of systems running on the vulnerable chips. While big cloud providers like Amazon, Microsoft, and Google may be able to update their systems in short order, most organizations realistically won’t be able to do so. “For the typical organization, it will still be a multi-year journey,” Gartner’s McDonald says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/risk/microsoft-issues-emergency-patch-to-disable-intels-broken-spectre-fix/d/d-id/1330932?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Thieves Target ATMs In First US ‘Jackpotting’ Attacks

Attackers have been getting ATMs to illegally dispense cash by tampering with their internal electronics, US Secret Service warns.

Diebold Nixdorf and NCR, two of the world’s largest ATM vendors, are warning their US customers about recent so-called jackpotting attacks where cybercriminals force terminals to illegally dispense large amounts of cash by tampering with their internal electronics.

In its customer alert, Diebold Nixdorf said that US Secret Service had informed the company on  Jan. 26 about jackpotting attacks moving from Mexico to the US for the first time. The attack that the Secret Service memo described was the same as one that Diebold Nixdorf had warned customers about in November 2017, said the alert, which the company made available to Dark Reading.

According to the ATM maker, attackers are removing the top hat of its Opteva front-load ATM terminals and replacing original hard disks with previously prepared replacement disks that contain an unauthorized image of the ATM’s software.

In order to pair the new disk with the terminal, the attackers have to first reset its communications — a multi-step process that requires them to press and hold a button inside the ATM’s locked safe. CCTV footage of the attacks shows the criminals using an industrial endoscope to look inside the safe so they can locate the button and then use an extension to press it down till the pairing is complete.

All Diebold Nixdorf front-load Advanced Function Dispenser (AFD)-based Opteva ATMs are vulnerable to the attack. Rear-load Opteva models are also vulnerable, but would be extremely difficult to attack using the current approach, the company said.

The attack circumvents the ATMs’ physical security and authorization features to allow dispensers to be paired with rogue hard drives, the vendor said. “As the ATMs that are currently being targeted are older, legacy Diebold units, it’s important to remind financial institutions to keep their security up to date,” the company said in a statement.

In an emailed comment, NCR said it, too, had alerted customers of its ATM machines about the jackpotting attacks and offered guidance on how to protect against them. Though the attacks have targeted non-NCR systems so far, they represent the first logical attacks against ATMs in the US and therefore should be taken seriously by everyone.

In a January 26 press statement, the US Secret Service described the attacks as mainly targeting stand-alone ATMs of the sort routinely found in pharmacies, big box retailers, and drive-through locations. “Criminals range from individual suspects to large organized groups, from local criminals to international organized crime syndicates,” the Secret Service statement said.

KrebsOnSecurity, which was first to report on the new attacks, said the thieves behind it appear to be using a new version of a jackpotting malware tool called Ploutus.D to steal money from cash dispensers. The blog quoted an unnamed source at the Secret Service saying that the crooks behind the jackpotting campaign have begun sending out so-called “cash out crews” to attack and compromise front-loading Diebold machines.

Once a terminal has been paired with a rogue hard drive, members of the crew contact co-conspirators who then take remote control of the ATM and force it to dispense cash. In previous attacks involving Ploutus-D, attackers have been able to force compromised ATMs to spit out up to 40 currency bills every 23 seconds, Krebs on Security said.

Attacks targeting ATMs are not new. As far back as 2010, a researcher with IOActive demonstrated how attackers could compromise ATMs and force them to dispense wads of cash. In 2016, a suspected Russian operation stole more than $2 million from ATMs, likely using just their smartphones.

Hands-On Hack

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says what makes the jackpotting attacks interesting is the level of access criminals need to pull it off. “What is strange in this scenario is the level of physical access obtained by the attackers,” she says. “The only real benefit of this may be from infecting further machines without the bank becoming aware.”

But even then, compromised ATMs would display an out-of-service notification, she says.

Attackers can steal money from ATMs using less complicated methods than jackpotting, she notes. “There are actually remote attacks that don’t rely on physical access to the inside of the ATM, and travel via infection of a bank’s core network,” she says.  

Modems used for communications can also have vulnerabilities. “If the ATM is connected to the network via a modem, it is possible to find vulnerabilities in modems, which would allow an attacker to gain access,” Galloway says.

For ATM operators, the attacks highlight the need for proper risk management, says Alan Brill, senior managing director, cybersecurity and investigations for Kroll. “The reports of the incidents suggest that certain older stand-alone ATMs are being targeted,” he says. “Successful attacks require access to the ATM to [install] the malware and in at least some cases, a button had to be pushed, for which the bad guys used an endoscope.”

Endoscopes fully equipped with lights and tools that could be used to press a button in the innards of an ATM are available on many sites for under $20, Brill says.

There are a few common-sense ways of managing the risk of jackpotting attacks, he notes. Unexpected visits by ATM technicians, for instance, should be a red flag. Stand-alone ATMs should be in a location that is visible to employees and covered by a security camera. Tamper-evident tape can be used to close off openings that would allow an attacker to insert an endoscope into a terminal.

ATM owners should also always know who to contact when there’s a problem, and to authenticate the person whom they are calling.

When taking precautions against threats like jackpotting, it’s also best to implement security against other threats as well, such as skimming. “There’s an overlap in security so that protecting against one form of attack can help mitigate the risk of multiple forms of attack,” Brill notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/thieves-target-atms-in-first-us-jackpotting-attacks/d/d-id/1330933?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple