Diebold Nixdorf: ATMs in Europe Hacked
'Jackpotting' Attacks Apparently Leverage Stolen Software
Diebold Nixdorf, a major manufacturer of ATMs, has issued an alert about "jackpotting" or "cash-out" attacks that are draining cash from its machines in several European countries.
The North Canton, Ohio-based company says its ProCash 2050ex ATMs located outdoors are vulnerable to a new type of "black box" attack that involves malicious actors using ATM software to facilitate thefts. A black box is a device fraudsters attach to an ATM to get it to dispense cash on demand.
"Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM,” according to the alert. “The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc."
Mike Weber, vice president at security research and pen testing firm Coalfire Labs, tells Information Security Media Group the threat actors may have obtained Diebold Nixdorf's software from a discarded machine.
"Based on available information, it’s my presumption that the attacker had physical access to an ATM - which isn’t terribly hard to do, with equipment being regularly updated and disposed of or salvaged – and then extracted and reverse-engineered the software from the hard drive, altered it in some fashion, and deployed it on their 'black box' to facilitate sending commands," Weber says.
Diebold Nixdorf did not disclose how many attacks have taken place, how much cash was stolen or how many of these models of ATMs are in operation.
The company's investigation has discovered that to gain access to the internal machine ports of ATMs, the attackers dismantle a portion of the street-facing side of machines.
Fraudsters then unplug either the USB cable between the CMD-V4 dispenser and what the company calls the "special electronics" or the cable between the special electronics and the ATM's computer. The cable is then attached to the black box, which commands the machine to dispense its cash.
Diebold Nixdorf offers several suggestions for mitigating the risks of attacks against its ATMs, including:
- Limit physical access to the service area for the device;
- Implement multifactor authorization for service personnel;
- Introduce intrusion prevention mechanisms to identify deviating system behavior and protect the ATM from online attack;
- Use a software stack with the latest security functionality;
- Implement hard disk encryption mechanisms;
- Use the most secure configuration of encrypted communications, including physical authentication.
"Diebold Nixdorf urgently recommends customers verify whether these recommended countermeasures have been put into operation to better protect your ATM fleet,” the company says. “Where applicable, this should also include checking irregular event alerts generated by the monitoring system to interrupt such attacks."
Taking Appropriate Steps
Weber of Coalfire Labs says some of the company's recommendations are best practices that aren’t necessarily tailored to thwarting attacks that bypass an ATM's computer.
For example, although encrypting the hard drive is a best practice, “if an attacker were to gain access to these Windows 7 or Windows 10-based systems, there are hardware attacks that can be carried out through Direct Memory Access enabled ports that would still allow an attacker to defeat the encryption. Per the manual found online, it would be pretty trivial to do this, given the hardware that is in use," Weber says.
But Weber says using the most secure configuration of encrypted communications, including physical authentication, is an appropriate move. "Device authentication should be mandatory in a high-security environment," he says.
Diebold Nixdorf issued warnings to ATM owners on how to protect their machines following a jackpotting alert issued by the Secret Service in 2018 (see: First ATM Jackpotting Attacks Hit US).
In April, the company was hit by a ransomware attack that resulted in a limited systems outage (see: ATM Manufacturer Diebold Nixdorf Hit With Ransomware).