Positive Technologies Advises ATM Industry on Serious Vulnerability in Security Software

Zero-Day in Intel Security Solidcore could allow attackers to successfully penetrate banks with customized malware

Intel Security has given credit to specialists at the cybersecurity company Positive Technologies for detecting a serious vulnerability in its Solidcore ATM protection product, which is covered in a recent security bulletin. The zero-day vulnerability, CVE-2016-8009, was found during an ATM security investigation requested by a major bank. Intel Security has issued a patch and it is recommended that this be applied urgently.

Solidcore is widely used in Windows-based ATMs to detect and block malware by means of whitelisting, and to control privileges of running processes. Initially, Solidcore was developed by the software company Solidcore Systems, acquired by MacAfee in 2009, which in turn was acquired by Intel. Currently, Solidcore is a part of the McAfee Application Control (MAC) product; however, the old name is still widely recognized by the market.

The vulnerability would allow an unauthorized person to use an IOCTL processor from one of the drivers to damage OS Windows kernel memory. Exploitation of this vulnerability may lead to arbitrary code execution with SYSTEM rights, escalation of user privileges from Guest to SYSTEM, or OS emergency shut down.

Speaking about the implications of this vulnerability, Alex Mathews, Lead Security Evangelist of Positive Technologies explains: “Our analysis revealed that the vulnerability allowed the control of required Solidсore components to manipulate SYSTEM rights; in particular, to disconnect any interaction between Solidcore and the ePolicy Orchestrator management server, to unblock the Solidcore management console, disable password protection, and inject codes into any system processes. Having access to a vulnerable driver, an attacker could easily add malware to Solidcore whitelists, without disabling the protection system or its connection to the management server. Suspicions would not be raised nor log entries captured.

“Knowing this vulnerability exists, hackers could successfully attack banks using customized malware, with proven attacks in the wild. In 2014, for instance, Tyupkin ATM malware was detected, which was notable precisely for its ability to disable Solidcore in order to conceal its malicious activity. Thanks to this trojan, attackers stole hundreds of thousands dollars from Eastern Europe ATMs unnoticed. Its recommended that the provided patch is applied as soon as possible.”

According to Positive Technologies’ experts, to reduce the risk of attackers abusing the driver, developers should apply user authorization mechanisms for any reference to driver scheduling functionality. Should this not be possible, scheduling of input/output requests should be performed in line with SDL requirements for WDM.

Detailing protection measures from the bank’s perspective, Alex concludes: “The core protection for ATMs has to be regular security audits, the creation of secure ATM configuration policies, combined with continuous monitoring for compliance with these requirements. Such monitoring would significantly increase ATM protection from attacks exploiting simple vulnerabilities—such as Kiosk mode bypass and the absence of BIOS passwords.

“For real-time detection of targeted attacks, the recommendation is to use security information and event management systems (SIEM) to detect suspicious activities or event sequences—such as the connection of any devices to an ATM, an unexpected reboot, the repeated depression of keys, or the execution of unauthorized commands.”