ATM Hacks: Spotting Attacks that Begin with Valid Login Credentials

Alfred Chung

There’s a new hack in town, and the U.S. Secret Service calls it “Unlimited Operation.” Targeting ATMs belonging to small- and medium-sized banks, the hackers use stolen credentials to log in to the ATM systems’ remote admin panels and change the cash withdrawal limits to “Unlimited.” They then use stolen debit cards to withdraw as much cash as possible—sometimes more than victims actually have in their accounts.

Remove technology from the scenario, and it’s an “Ocean's Eleven”-style caper. Keys are stolen, smoke bombs are thrown, safes are cracked, and the bad guys abscond with big bags of cash. Here’s how it looks in cyber-terms:

  • A successful spear-phishing attack puts malware on an employee workstation—pwned!
  • Hacker monitors the workstation/endpoint to see how the admin normally logs in to the remote admin panel for the bank's ATM system
  • Hacker uses a DDoS attack to distract bank security while he logs in to the ATM admin panel
  • Hacker removes the withdrawal limits for certain ATMs and/or bank accounts
  • The ATM remains uncompromised: limits are controlled through a legitimate admin console.

As Jason wrote in his blog post on RDP hacks, “…it’s a purely access-based threat: no malware, no exploit involved. No malware detection system could identify these threats because they used valid login credentials.” However, endpoint analytics could spot the malware running on the compromised workstation if the bank took this approach:

  • Audit bank employees' workstations and create baselines of "normal" behavior and processes for each
  • Run regular scans to see if any are running any non-whitelisted processes or have suspicious remote connections, perhaps based on the geography of the remote IP or domain
  • Perform regular hunts for anomalies.
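
To make the baselining step concrete, here is an added example (not EnCase Analytics code and not from the original post) of a per-workstation check: it compares a scan snapshot against a whitelist of processes normally seen on that host and flags remote connections whose geography falls outside an allowed set. Hostnames, process names, IP ranges and the tiny IP-to-country table are all constructed stand-ins for a real inventory and GeoIP source.

```python
from ipaddress import ip_address, ip_network

# Constructed baseline: processes normally observed on each workstation.
BASELINE = {
    "teller-ws-01": {"explorer.exe", "outlook.exe", "atmadmin-client.exe"},
    "teller-ws-02": {"explorer.exe", "outlook.exe", "chrome.exe"},
}

# Constructed geolocation table standing in for a real GeoIP lookup.
GEO = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "RU"),
]
ALLOWED_COUNTRIES = {"US"}


def country_of(ip):
    """Map an IP to a country code using the constructed table; unknown -> 'UNKNOWN'."""
    addr = ip_address(ip)
    for net, cc in GEO:
        if addr in net:
            return cc
    return "UNKNOWN"


def find_anomalies(host, snapshot):
    """Return a list of (kind, detail) findings for one host snapshot.

    Flags every process absent from the host's baseline, and every outbound
    connection whose country is not in ALLOWED_COUNTRIES (unknown geography
    is treated as suspicious rather than silently accepted).
    """
    allowed = BASELINE.get(host, set())
    findings = []
    for proc in sorted(set(snapshot["processes"]) - allowed):
        findings.append(("non-whitelisted process", proc))
    for proc, ip in snapshot["connections"]:
        cc = country_of(ip)
        if cc not in ALLOWED_COUNTRIES:
            findings.append(("suspicious remote connection", f"{proc} -> {ip} ({cc})"))
    return findings


# Constructed snapshot from one scan of teller-ws-01.
SAMPLE = {
    "processes": ["explorer.exe", "outlook.exe", "svchost-updater.exe"],
    "connections": [("outlook.exe", "203.0.113.10"),
                    ("svchost-updater.exe", "198.51.100.7")],
}

if __name__ == "__main__":
    for kind, detail in find_anomalies("teller-ws-01", SAMPLE):
        print(f"[{kind}] {detail}")
```

On the sample snapshot the check reports the unexpected updater process and its connection to the non-allowed range, while the baseline mail client talking to an allowed range produces no finding.
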

EnCase Analytics was created to spot unusual activity like this in the age of assumed compromise. You can learn more about it here. Comments? I welcome discussion in the Comments section below.
