In the decade since the hacker Barnaby Jack famously made an ATM spit out cash onstage during the 2010 Black Hat security conference in Las Vegas, so-called jackpotting has become a popular criminal pastime, with heists netting tens of millions of dollars around the world. And over time, attackers have become increasingly sophisticated in their methods.
At last week’s Black Hat and Defcon security conferences, researchers dug through recent evolutions in ATM hacking. Criminals have increasingly tuned their malware to manipulate even niche proprietary bank software to cash out ATMs, while still incorporating the best of the classics—including uncovering new remote attacks to target specific ATMs.
During Black Hat, Kevin Perlow, the technical threat intelligence team lead at a large, private financial institution, analyzed two cash-out tactics that represent different current approaches to jackpotting. One looked at the ATM malware known as INJX_Pure, first seen in spring 2019. INJX_Pure manipulates both the eXtensions for Financial Services (XFS) interface—which supports basic features on an ATM, like running and coordinating the PIN pad, card reader, and cash dispenser—and a bank’s proprietary software together to cause jackpotting.
The original malware samples were uploaded to scanners from Mexico and then later from Colombia, but little is known about the actors using INJX_Pure. The malware is significant, though, because it is tailored to the ATMs of a specific bank, likely in a specific region, indicating that it can be worth it to develop even limited-use or targeted jackpotting malware rather than focusing only on tools that will work around the world.
“It’s common to threat actors in general to use XFS within their ATM malware to get an ATM to do things that it’s not supposed to do, but the INJX_Pure developer’s implementation of it was unique and very specific to particular targets,” says Perlow.
Perlow also looked at FASTCash malware, used in jackpotting campaigns that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency attributed to North Korean hackers in October 2018. North Korea has used the malware to cash out tens of millions of dollars around the world, which coordinated groups of money mules then collect and launder. FASTCash targets not the ATMs themselves but a financial card transaction standard known as ISO-8583. The malware infects software running on what are known as “payment switches,” finance infrastructure devices that run systems responsible for tracking and reconciling information from ATMs and responses from banks. By infecting one of these switches rather than attacking an individual ATM, FASTCash attacks can coordinate cash-outs from dozens of ATMs at once.
“If you can do this, then you no longer have to put malware on 500 ATMs,” Perlow says. “That’s the advantage, why it’s so clever.”
The attacks go even further in a controlled lab setting. Researchers at the embedded-device security firm Red Balloon Security detailed two specific vulnerabilities in so-called retail ATMs made by Nautilus Hyosung. These are the kind of ATMs you’d find at a bar or corner store, in contrast to the “financial” ATMs used in banks. The vulnerabilities could have been exploited by an attacker on the same network as a victim ATM to seize control of the device and dispense cash without any physical interaction.
Hyosung, which has more than 140,000 ATMs deployed around the United States, patched the flaws at the beginning of September. But as with many connected devices, there can be a large gap between offering a fix and getting ATM operators to install it. The Red Balloon researchers estimated that as many as 80,000 ATMs in the US were still vulnerable.