Positive Technologies Reveals How Criminals Hacked ATMs

Robbers stole the equivalent of £28,000 ($35,000) — but it could have been far worse

Following an extensive investigation, cyber security company Positive Technologies has today revealed how hackers were able to steal the equivalent of £28,000 ($35,000), overnight, from six ATMs of an Eastern European bank. Its findings confirm that the theft could have been far worse as the technique used in the scam fortunately "clashed" with the financial institutions existing NCR ATM software, preventing the attackers from withdrawing further funds. It also warns that it’s likely that this group will soon become active in the West.

"Attacks against ATMs are often a preliminary step, from which attackers aim to infiltrate a bank’s network infrastructure," explains Alex Mathews, Lead Security Evangelist at Positive Technologies. "Modern day 'bank robbers' have realized that many financial institutions fail to adequately invest in security, and that some will even do the bare minimum to comply with required standards. The result is that, from an initial compromise, attackers can often move sideways, burrowing deeper into the network and infecting other systems within the banking infrastructure. Having gained control over key servers and ATM management systems, these criminals will often hit the jackpot with minimal effort and without tripping any alarms. Our investigation found that, for this Eastern European bank, the initial compromise was facilitated by a phishing scam and was successful as employees were spoofed into deploying the malware. This allowed the bank's local network to be compromised with the installation of malware on ATMs from the bank's internal infrastructure."

Publishing the findings of its investigation in an analytical report titled "Cobalt—a new trend or an old 'friend'?" Positive Technologies reveals the intricacies these modern cyberattacks utilized when targeting this bank, and that could be used against other financial institutions:

1. Attackers tend to use known instruments and integrated functionality of operating systems. In this heist, the criminals used commercial software—Cobalt Strike, comprising Beacon—a multi-function remote access Trojan with extensive capabilities for remote system control, enabling the upload and download of files, an escalation of privileges plus other functionality. The bank robbers also used Ammyy Admin, a legitimate freeware combined with Mimikatz, PsExec, SoftPerfect Network scanner, and Team Viewer applications.

2. Phishing emails are still one of the most successful attack vectors due to insufficient security awareness amongst employees. The initial infrastructure infection vector originated from an employee opening a RAR compressed archive file documents.exe. The archive file was emailed to the employee, and the attached document contained the malware. Targeted mass phishing emails had been sent during the preceding months to a number of the bank’s email addresses, with the message imitating financial correspondence or security messages. Several employees opened the malicious file at different times, however one of the employees who launched the malware on their workstation had either disabled the antivirus engine, or the antivirus databases were outdated, allowing the malware to deploy.

3. Targeted attacks are becoming increasingly well-organized and distributed. The investigation revealed that the attack first started during early August. At the beginning of September, after a steady deployment in the infrastructure, the hackers launched a chain of attacks to detect which of the workstations were used by employees responsible for the ATM operation and payment card use. It was only in early October that the attackers uploaded malware to the ATMs and performed the heist (an operator sent commands to ATMs, and drops (individuals acting as cut-outs) visited an ATM at an appointed time to collect the stolen cash). The malware installed on the ATMs was specialized, dispensing money from an ATM to a drop at the command of the attacker. Drops themselves did not need to perform any special manipulations of the ATM.

While investigating the incident, Positive Technologies gathered multiple host and network indicators of compromise, which were sent to the relevant authorities, so that the information could be shared with other financial institutions to prevent similar future attacks.