A recent report from the cybersecurity company MetabaseQ reveals a new ATM jackpotting malware variant, dubbed FiXS, infecting ATMs in Mexico.
ATM jackpotting attacks use malware to make an ATM dispense large amounts of cash without using a credit or debit card.
1.1 FiXS: New ATM Malware, old techniques
Identified in February 2023, FiXS uses techniques and tactics that are similar to those used by previous ATM malware families like Ploutus, Tyupkin, Alice, Ripper or Cobalt.
FiXS gains fraudulent access to the XFS (eXtensions for Financial Services) middleware, which controls the ATM hardware, including the cash dispenser.
Once connected to the XFS layer, FiXS sends commands directly to the dispenser to empty it, completely bypassing the transaction authorisation process.
Because it talks to the XFS layer rather than to a vendor-specific interface, FiXS is also multi-vendor malware: it can attack ATMs from multiple vendors and models.
1.2 Dissecting FiXS ATM Jackpotting Malware
FiXS is packaged in a dropper whose filename mimics a common Windows system executable, conhost.exe. The dropper embeds the actual malware, which it extracts and writes to a hardcoded temporary directory on the ATM file system as FiXS.exe.
FiXS.exe uses the MSXFS.dll library, which gives it direct access to the XFS API and therefore the ability to send commands to ATM hardware such as the dispenser. Since MSXFS.dll is present on any ATM implementing the CEN/XFS standard, the malware is not tied to a single vendor.
The attacker interacts with FiXS through a keyboard connected to the ATM. This launches the malware's GUI, which displays information about the cash units and lets the attacker send dispensing commands.
1.3 Attack Modus Operandi – from infection to execution
An ATM jackpotting attack is highly sophisticated and relies on in-depth knowledge of the ATM's software stack and hardware setup. The attack life-cycle has four phases: preparation, infection, persistence and, finally, execution of the cash-out. Physical access to the ATM is a key factor in the attack.
- Preparation: the attack starts with a cybercriminal stealing or otherwise acquiring a hard drive from a production ATM. It contains the complete software stack used by the financial institution, which the attacker analyses and reverse engineers to prepare a targeted attack.
- Infection: with the malware developed, the threat actor infects an ATM or ASST by physically accessing the device with an external keyboard and a USB stick. Once inside the ATM enclosure, they can either access the running operating system and copy the malware onto it, or use an offline method: boot from an external USB device, mount the ATM hard drive and copy the malware onto it.
- Persistence: the malware must persist so that it runs automatically at ATM startup. This is achieved by replacing a legitimate system executable or by registering the malware to run at startup. The malware then runs in the background waiting for an activation code, with full access to the XFS middleware to send commands to the dispenser.
- Execution & clean-up: now the illegitimate cash-out takes place. Other threat actors, the so-called “money mules”, physically access the ATM and enter an activation code that wakes up the malware and brings up its graphical user interface (GUI). Other activation methods include the pinpad itself, counterfeit cards, or connecting a mobile device and receiving an SMS. Once the cash-out is complete, some malware families run a cleanup/uninstall routine to remove traces of the attack.
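The triage checks below are an added example, not code from the MetabaseQ report or from Auriga. They turn the indicators described in 1.2 and 1.3 (a conhost.exe outside the Windows system directories, a payload written to a temporary directory, an executable linking MSXFS.dll that is not an approved XFS application, and an autorun entry pointing at any of these) into an offline scan of a mounted ATM disk image plus a check of exported autorun entries. The allowlist, the directory names and the sample files are constructed assumptions, and the MSXFS.dll check is a raw string search rather than an import-table parse, so a packed or encrypted sample would evade it.

```python
"""
Offline triage for the FiXS indicators in 1.2 and 1.3: a dropper named like a
system binary (conhost.exe) outside the Windows system directories, a payload
in a temporary directory, an executable linking MSXFS.dll that is not an
allowlisted XFS application, and an autorun entry launching any of these.
Added example, not MetabaseQ or Auriga code; allowlist and sample image are
constructed for the demonstration.
"""
import os
import re
import tempfile
from pathlib import PureWindowsPath

# Where the genuine copies of Windows system binaries live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Names a dropper may borrow; conhost.exe is the one the FiXS report describes.
MASQUERADE_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
# Directories from which nothing should ever be started on an ATM (assumed).
TEMP_DIRS = ("c:\\temp", "c:\\windows\\temp", "c:\\users\\public")
# Hypothetical allowlist: the only program on this ATM expected to import
# MSXFS.dll (the vendor's dispensing application), relative to the image root.
XFS_ALLOWLIST = {"atm\\app\\dispenser.exe"}


def norm(path: str) -> str:
    """Normalise a path to lower-case Windows form for comparison."""
    return str(PureWindowsPath(path)).lower()


def is_masquerading_system_binary(path: str) -> bool:
    """True if a system-binary name appears outside the system directories."""
    p = norm(path)
    if PureWindowsPath(p).name not in MASQUERADE_NAMES:
        return False
    return not any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def in_temp_dir(path: str) -> bool:
    """True if the path lies under one of the temporary directories."""
    p = norm(path)
    return any(p.startswith(d + "\\") for d in TEMP_DIRS)


def references_msxfs(data: bytes) -> bool:
    """Crude check: a PE image (MZ header) whose bytes contain 'MSXFS.dll'.
    Raw byte search, not an import-table parse: it also catches an
    unencrypted payload embedded in a dropper, but a packed sample evades it."""
    return data[:2] == b"MZ" and re.search(rb"msxfs\.dll", data, re.IGNORECASE) is not None


def scan_image(root: str, allowlist=XFS_ALLOWLIST):
    """Walk a mounted ATM disk image; return sorted (path, reason) findings,
    with paths relative to the image root as if it were C:\\."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = norm(os.path.relpath(full, root))
            with open(full, "rb") as fh:
                head = fh.read(4 * 1024 * 1024)  # import region is near the start
            if is_masquerading_system_binary("c:\\" + rel):
                findings.append((rel, "system binary name outside system dirs"))
            if references_msxfs(head) and rel not in allowlist:
                findings.append((rel, "links MSXFS.dll but not allowlisted"))
    return sorted(findings)


def command_executable(cmd: str) -> str:
    """Extract the executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_autoruns(entries: dict) -> list:
    """entries: {value name: command line} exported from the Run keys or the
    startup folder. Returns the names whose target runs from a temp directory
    or masquerades as a system binary."""
    return [name for name, cmd in entries.items()
            if in_temp_dir(command_executable(cmd))
            or is_masquerading_system_binary(command_executable(cmd))]


def build_sample_image() -> str:
    """Constructed sample standing in for a mounted ATM image."""
    root = tempfile.mkdtemp(prefix="atm_image_")
    os.makedirs(os.path.join(root, "atm", "app"))
    os.makedirs(os.path.join(root, "temp"))
    # Legitimate, allowlisted XFS application.
    with open(os.path.join(root, "atm", "app", "dispenser.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"MSXFS.dll\x00WFSExecute\x00")
    # Dropper named like conhost.exe, carrying an unencrypted payload.
    with open(os.path.join(root, "temp", "conhost.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"msxfs.dll\x00FiXS.exe\x00")
    # Plain text mentioning the DLL is not a PE image and is ignored.
    with open(os.path.join(root, "temp", "notes.txt"), "wb") as fh:
        fh.write(b"MSXFS.dll mentioned in plain text")
    return root
```

Running scan_image(build_sample_image()) reports the constructed temp\conhost.exe twice (name outside the system directories, and MSXFS.dll reference without allowlisting) and nothing for the allowlisted dispenser.exe; in practice the image root is the mount point of the imaged ATM disk, and the autorun entries are the values exported from the Run keys.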
1.4 Windows XP / 7 / 10 – all are vulnerable
Some believe that ATMs running outdated and unsupported operating systems such as Windows XP or Windows 7 are more vulnerable.
While migrating to Windows 10 and keeping patches up to date is essential, Windows 10 ATMs are just as exposed to jackpotting as those running Windows 7 or XP.
ATM malware is highly targeted and does not rely on operating system vulnerabilities. It abuses design weaknesses of the ATM software stack, such as the absence of authentication in the XFS layer, which an operating system patch does not close.
1.5 ZERO TRUST – the right ATM Cybersecurity Approach
Every organization operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential.
1.5.1 Availability vs Security
The adage “if it works, don’t touch it” carries particular weight in a critical service environment such as ATMs: any change or update to the ATM software and hardware must be made in a controlled manner.
However, the lack of proactive update policies, combined with the physical accessibility of ATMs, creates an inherently vulnerable environment that is very difficult to protect with traditional security technologies.
These characteristics and limitations, such as 24×7 ease of use and accessibility, are inherent to this type of device. What must be done is to define a security strategy appropriate to the environment being protected and turn those weaknesses into strengths.
1.5.2 Enter the “Zero Trust” protection model
“Zero Trust” assumes the infrastructure will be compromised, and the principle of “never trust, always verify” should be applied to prevent ATM jackpotting and other attacks on ATMs and ASSTs.
The Zero Trust model makes pessimistic assumptions about the infrastructure that manages ATM and ASST devices: for example, that the remote access system can be manipulated, or that the maintenance technician or the end user may be an attacker.
Auriga advises that the most critical points in designing a robust Zero Trust ATM and ASST protection model are:
- Drastic reduction of the attack surface: access to software, hardware and communications is continuously verified and granted only to the minimum set of legitimate resources.
- Tight control of changes in the ATM: block any attempt to change software or hardware that has not been explicitly authorised. Hardware changes by third-party companies with physical access to the ATM should only be possible in authorised time windows, during which a specific security policy allowing changes is applied, and under full monitoring of the technical operations.
1.6 LOOKWISE DEVICE MANAGER – the Zero Trust Solution for ATMs and ASSTs
Auriga’s Lookwise Device Manager (LDM) allows an organisation to secure its ATMs, ASSTs and other critical devices based on the Zero Trust model.
LDM was designed from knowledge of the ATM infrastructure and of attackers' tactics and techniques, which is why it provides the most comprehensive layered protection model, protecting an ATM at every stage of the attack life-cycle while ensuring full availability of services for customers.
Auriga LDM protects the device against FiXS in each phase of the attack life-cycle (preparation, infection, persistence and execution) thanks to its comprehensive layered protection model, which includes hard disk encryption, integrity control of the Windows registry and file system, and whitelisting of applications, hardware devices and communications.