Stop ATM Cash-Out Attacks by Securing Privileged Access

Nimrod Stoler, Cyber Security Researcher, R&D, CyberArk

According to security reporter Brian Krebs, the FBI issued a confidential alert to banks on Friday, warning that “cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme…commonly referred to as an unlimited operation.” The FBI further stated that “unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.”

ATM attacks are not new. The famous Barnaby Jack demonstrated how he could make ATMs spit out cash on the stage of Black Hat in 2010. But this required physical access to unpatched machines.

The ‘unlimited operation’ ATM attack is much different and more devastating. Criminals infiltrate a bank’s infrastructure to steal and clone bank cards, remove fraud controls and withdrawal limits, and then coordinate large-scale withdrawals from physical ATMs to steal huge amounts of cash.

While it sounds like a bank robbery created in a Sci-Fi novel, this approach isn’t new either. Just ask Roman Seleznev, a hacker arrested recently for coordinating a similar attack on RBS Worldpay, a payment processor in Atlanta, back in 2008. The DOJ report stated at the time that the attack was “then the most sophisticated and organised computer fraud attack ever conducted.”

Despite the RBS Attacks resulting in $9 million dollars stolen from 2,100 ATMs worldwide in less than 12 hours, the industry is still prone to such massive, coordinated attacks. These attacks are possible for the same reason cyber attackers were able to steal $81 Million from the Bangladesh Bank in 2016 – a failure to properly secure IT infrastructure, specifically around privileged access.

In both the RBS ATM attacks in 2008 and the SWIFT attacks in 2016, attackers used simple means such as phishing to gain a foothold on an employee device, elevated privileges and moved laterally into the network. Once on the network with this level of privileged access, attackers can study the security infrastructure and avoid controls, unencrypt data and prepare for their coordinated assault on ATMs.

Once attackers are on the network with elevated privileges, an attack on ATMs is a ‘path of least resistance.’ They can steal as much money as possible in a short time without sounding the alarms, since at this point, attackers literally “own” the organisation.

The FBI is now urging banks to review how they handle security, specifically around “implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators…” – essentially urging organisations to review their approach to privileged access. For those who are uncertain as to whether they’re exposed, here are a few essential principles of protection to ensure they’re prepared when it comes to privileged access and minimise the threat to their organisation:

· Patch Now, Patch Always: Whether it’s ATMs, financial systems, IT infrastructure or endpoints, attackers seek out active vulnerabilities as an open invitation into any network. It’s one thing to fall victim to an advanced phishing attack that is highly sophisticated. It’s another to leave a proverbial backdoor open into the vault.

· Contain Attack by Securing Privileged Access: The ATM attackers actively seek out endpoints with local admin rights – removing admin rights prevents attackers from moving into the network and installing malware. But privileged access security doesn’t stop there – domain admin credentials, privileged SSH keys and any other credentials that provide access to sensitive accounts or systems need to be locked down and controlled. By centrally securing privileged credentials, controlling access based on role, and enforcing multi-factor authentication before granting access, the attackers cannot move through the environment to remove security controls and execute their attacks.

· Continuous Monitoring: Almost all bank attacks start with attackers targeting their networks. By closely monitoring networks based on events or patterns, organisations can determine if an attacker manages to hijack credentials and gain access to target assets – such as ATMs. Organisations must be able to quickly detect and address the malicious behaviour.

Cyber criminals will continue to innovate and change tactics to reach their end goal – but only if organisations force them to do so by blocking the known pathways. In this case, crime pays, at least until banks get better at privileged access security.