More Embedded Systems Havoc: ATM Hacks Target Endpoints Once Again

Recently, reports surfaced about new malware being used to hack ATMs across the globe. The program, named Backdoor.MSIL.Tyupkin, creates a backdoor that bypasses the ATM’s security system and forces it to dispense cash.

Though the hacks are primarily taking place in Russia and Europe, reports from the U.S., China, India, and Israel have also surfaced. The attacks do not compromise customer information; rather, cash is stolen directly from the targeted ATM.

The malware requires physical access to an ATM. The attacker must access the ATM’s controls and boot it using a CD that installs the malware. Next, a ‘mule’ visits the compromised ATM and enters a password on the keypad. Then the attackers remotely generate a second password for the session, which is sent to the mule. The second password makes the breach unique and difficult to trace. It also grants access to the amount of money available in the ATM’s cash “cassette.” The attacker can now command the machine to release 40 bills from the cassette.

It is unclear how the attackers are gaining access to the ATMs’ controls, but one firm, Kaspersky Lab, noted in a recent report that a physical security breakdown is at fault. If banks issued new locks and keys, the report said, and updated alarm systems, the attackers would not be able to boot up the machine to install the malware in the first place.

Current security software can typically detect Tyupkin-type malware, but because many ATMs operate on Windows XP, which is now obsolete, and rely on outdated security software, they are extremely vulnerable and attractive targets for attack.

What’s more, the sheer number of ATMs operating on outdated software across the globe creates a huge attack surface. It is clear that temporary fixes like new control locks and alarm systems will not stop the bleeding.

And yet attacks of this kind are not new. In fact, they have been around for years. Antivirus software used by ATMs is unable to protect against this type of attack for several reasons.

First, when activated inside the ATM, Tyupkin can turn off the McAfee Solidcore AV software so that it can do its job with ease.

Second, to avoid accidental detection, Tyupkin can stay in standby mode for an entire week and activate only on Sunday and Monday nights.

Third, it has the ability to disable the local network in the case of an emergency, so that the bank cannot remotely connect to the ATM to investigate any fraud alerts.
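Each of these behaviors leaves a trace that a bank's monitoring can correlate. The following is an added example, not code from the original article or from any vendor's product: it triages constructed ATM telemetry for the pattern described above. The event type names, ATM IDs, and the 20:00 to 06:00 definition of "night" are assumptions made for illustration.

```python
from datetime import datetime

# Assumption: "night" is 20:00-06:00 local time; the article only says
# "Sunday and Monday nights".
NIGHT_START, NIGHT_END = 20, 6

def in_active_window(ts):
    """True if ts falls in a Sunday or Monday night, including the hours
    after midnight that belong to the previous evening."""
    wd = ts.weekday()                      # Monday=0 ... Sunday=6
    if ts.hour >= NIGHT_START:
        return wd in (6, 0)                # Sunday or Monday evening
    if ts.hour < NIGHT_END:
        return wd in (0, 1)                # early Monday or early Tuesday
    return False

def triage(events):
    """Return {atm_id: [reasons]} for ATMs showing two or more indicators."""
    alerts = {}
    for atm in sorted({e["atm"] for e in events}):
        evs = [e for e in events if e["atm"] == atm]
        reasons = []
        # Hypothetical event types emitted by an ATM monitoring agent.
        if any(e["type"] == "boot_from_removable_media" for e in evs):
            reasons.append("booted from removable media")
        if any(e["type"] == "av_service_stopped" for e in evs):
            reasons.append("AV service stopped")
        if any(e["type"] == "network_disabled" and in_active_window(e["ts"])
               for e in evs):
            reasons.append("network disabled on a Sunday/Monday night")
        if len(reasons) >= 2:              # one indicator alone may be maintenance
            alerts[atm] = reasons
    return alerts

# Constructed sample telemetry (2014-10-05 was a Sunday).
SAMPLE = [
    {"atm": "ATM-001", "type": "boot_from_removable_media", "ts": datetime(2014, 10, 1, 3, 10)},
    {"atm": "ATM-001", "type": "av_service_stopped", "ts": datetime(2014, 10, 1, 3, 25)},
    {"atm": "ATM-001", "type": "network_disabled", "ts": datetime(2014, 10, 6, 1, 40)},
    {"atm": "ATM-002", "type": "network_disabled", "ts": datetime(2014, 10, 8, 14, 0)},
    {"atm": "ATM-003", "type": "av_service_stopped", "ts": datetime(2014, 10, 8, 10, 0)},
]

if __name__ == "__main__":
    for atm, reasons in triage(SAMPLE).items():
        print(atm, "->", "; ".join(reasons))
```

Because the malware can cut the ATM's network link, events like these need to be buffered on the device or inferred centrally from a missed heartbeat.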

Clearly, current security methods are unable to keep up with advanced malware. What’s needed is a different approach.

SentinelOne uses three layers of protection to stop malware like Backdoor.MSIL.Tyupkin by preventing threats at inception, stopping attacks as they unfold and removing active threats.

