{"id":71656,"date":"2023-04-03T08:05:29","date_gmt":"2023-04-03T07:05:29","guid":{"rendered":"https:\/\/www.aurigaspa.com\/?p=71656"},"modified":"2023-04-03T08:08:44","modified_gmt":"2023-04-03T07:08:44","slug":"what-we-can-learn-from-fixs-the-latest-atm-attack","status":"publish","type":"post","link":"https:\/\/www.aurigaspa.com\/en\/news-and-media\/blog-eng\/what-we-can-learn-from-fixs-the-latest-atm-attack\/","title":{"rendered":"WHAT WE CAN LEARN FROM FIXS, THE LATEST ATM ATTACK?"},"content":{"rendered":"

A recent report from the MetabaseQ cybersecurity company<\/a> reveals a new ATM jackpotting\u00a0malware variant, dubbed FiXS<\/strong>,\u00a0infecting ATMs in Mexico.<\/p>\n

ATM Jackpotting attacks use malware<\/strong> to steal large amounts of cash from an ATM without having to use a credit or debit card.<\/p>\n

1.1 FiXS: New ATM Malware, old techniques<\/h2>\n

Identified in February 2023, FiXS uses techniques and tactics\u00a0that are similar to those used by previous ATM malware families like Ploutus, Tyupkin, Alice, Ripper or Cobalt.<\/p>\n

FiXS gets fraudolent access to the XFS (eXtended Financial Services) middleware<\/strong> which controls the ATM hardware including the cash dispenser.<\/p>\n

By connecting to the XFS layer, FiXS sends commands directly to the ATM dispenser to cash it out fully bypassing the transaction authorisation<\/strong> process.<\/p>\n

The usage of the XFS layer also turns FiXS into a multi-vendor malware<\/strong> with the ability to attack multiple ATM vendors and models.<\/p>\n

1.2 Dissecting FiXS ATM Jackpotting Malware<\/h2>\n

FiXS is packaged in a dropper<\/strong> that masquerades as the name of a common system executable: conhost.exe<\/strong>. This dropper embeds the malware<\/strong> which is\u00a0extracted and copied to the ATM File System on a hardcoded temporary directory: FiXS.exe<\/strong>.<\/p>\n

FiXS.exe uses the MSXFS.dll<\/strong> library, which allows it to freely interact with the XFS API<\/strong>, therefore granting access to send commands to the ATM hardware like\u00a0the dispenser. MSXFS.dll allows the malware to attack any ATM implementing the CEN-XFS standard, which makes it la multi-vendor malware<\/strong>.<\/p>\n

Interaction with FiXS is done via a connected keyboard<\/strong>, which launches the malware GUI<\/strong> allowing the attacker to display information of the cash units and to send dispensing commands.<\/p>\n

1.3 Attack Modus Operandi \u2013 from infection to execution<\/h2>\n

An ATM Jackpotting attack is extremely sophisticated, <\/strong>\u00a0uses in-depth knowledge of the software stack and the hardware setup of\u00a0ATMs. The attack\u2019s life-cycle has four\u00a0phases, from preparation<\/strong> to infection & persistence<\/strong> and final execution<\/strong> to achieve the cash-out. Physical accessibility to the ATM<\/strong> is a key factor for the attack.<\/p>\n

    \n
  1. Preparation<\/strong>: An attack starts with a cybercriminal stealing or acquiring\u00a0a hard drive from a production ATM. This will contain the entire software stack used by the financial institution, which the attacker can analyse and reverse engineer it to prepare a targeted attack.<\/li>\n
  2. Infection<\/strong>: With their malware developed, the threat actor infects an ATM or ASST by physically accessing the device through external keyboards and USB sticks. Once the malware is inside the ATM, they can access access the operating system online\u00a0and copying the malware; or use an offline method to\u00a0boot from an external USB to then mount the ATM hard drive and copy the malware.<\/li>\n
  3. Persistence:<\/strong> It is important for the malware to be persistent so that it runs automatically at ATM startup. This is achieved by replacing legitimate system executables or by setting autorun at startup time.\u00a0This way, the malware will run in the background waiting for an activation code and get full access to the XFS middleware to send commands to the dispenser.<\/li>\n
  4. Execution & Clean Up<\/strong>: Now the illegitimate extraction of cash can happen. Other threat actors, the so-called “money mules”<\/strong>, physically access the ATM and enter an activation code that wakes up the malware by activating a graphical user interface (GUI). Other activation methods can be the pinpad itself, the use of counterfeit cards or even connecting a mobile device and receiving an SMS. Once the “refund” is complete, some malware complete a cleanup\/uninstall mechanism to remove traces of the attack.<\/li>\n<\/ol>\n

    1.4 Windows XP \/ 7 \/ 10 \u2013 all are vulnerable<\/h2>\n

    Some believe ATMs running outdated and unsupported operating systems like Windows XP or Windows 7 are more vulnerable.<\/p>\n

    While migrating to Windows 10 and keeping patches updated is essential, Windows 10 ATMs are as vulnerable as the ones running Windows 7 or XP<\/strong>.<\/p>\n

    ATM malware is highly targeted,<\/strong> and does not exploit operating system vulnerabilities, but rather design vulnerabilities of the ATM software stack<\/strong>, like the lack of authentication in the XFS layer<\/strong>.<\/p>\n

    1.5 ZERO TRUST \u2013 the right ATM Cybersecurity Approach<\/h2>\n

    Every organization operating an ATM network is a potential target for jackpotting attacks, making robust and efficient cybersecurity countermeasures essential.<\/p>\n

    1.5.1 Availability vs Security<\/h3>\n

    The sentence “if it works, don’t touch it” is especially relevant in a critical service environment like ATMs.\u00a0Any edits or updates of the ATM software and hardware\u00a0must always be done in a controlled manner.<\/p>\n

    However,\u00a0the lack of proactive update policies, plus\u00a0the physical accessibility of ATMs, creates an inherently vulnerable environment that makes ATM devices very difficult to protect with traditional security technologies.<\/p>\n

    It is essential to understand that these characteristics or limitations are an inherent part of the nature of these types of devices, for example 24×7 ease of use and accessibility. What we must do is define an appropriate security strategy for the environment we want to protect and turn the weaknesses into strengths.<\/p>\n

    1.5.2 Enter the \u201cZero Trust\u201d protection model<\/h3>\n

    Zero Trust<\/strong>“<\/a> assumes your infrastructure will be compromised, and the concept of \u201cnever trust, always verify\u201d should be applied to prevent ATM jackpotting and other attacks on ATMs and ASSTs<\/p>\n

    The Zero Trust model makes suspicious assumptions about the vulnerability of the infrastructure that manages ATM and ASST devices, for example\u00a0that the remote access system can be manipulated or the maintenance technician or the end user can be attackers.<\/p>\n

    Auriga advises the most critical points to design a robust Zero Trust ATM and ASST protection model are:<\/p>\n