[BreachExchange] Diebold ATM Terminals Jackpotted Using Machine’s Own Software

Destry Winant destry at riskbasedsecurity.com
Tue Jul 21 10:26:54 EDT 2020


https://threatpost.com/diebold-atm-terminals-jackpotted-using-machines-own-software/157575/

The company warned that cybercriminals are using a black box with
proprietary code in attacks to illegally dispense cash across Europe.

Cybercriminals are using software from leading ATM manufacturer
Diebold in a series of hacks against cash terminals across Europe,
forcing the machines to dispense cash to crooks.

Criminals using a black-box device common in this type of attack
have increased their activity across Europe by targeting Diebold’s
ProCash 2050xe USB terminals, according to an Active Security Alert
(PDF) by Diebold Nixdorf released last week.

The company believes that the device used in the attacks “contains
parts of the software stack of the attacked ATM,” it said in its
alert.

It’s as yet unclear how attackers gained access to the internal
software of the machines, according to Diebold. However, a previous
offline attack against an unencrypted hard disk of the machine could
be to blame, according to the alert.

So-called jackpotting attacks are those in which cybercriminals find a
way to hack into an ATM to trigger the machine to release cash, much
like a slot machine at a casino, hence the name.

There are a number of ways cybercriminals can target cash terminals
with these attacks.

The recent attacks observed by Diebold are black-box dispenser
attacks, with threat actors focusing on outdoor systems, destroying
parts of their facades to gain physical access to the control panel of
the machines.

To jackpot the machine, criminals unplug the USB cable that connects
the CMD-V4 dispenser of the terminals to their electronic systems and
connect the dispenser to the black box so they can “send illegitimate
dispense commands.”

There are several other ways that cybercriminals can jackpot cash
machines, including another black-box technique that plugs into
network cables on the exterior of an ATM to record cardholder
information. In this way, attackers can change authorized withdrawal
amounts from the host, or masquerade as the host system to discharge
large amounts of cash.

At this time, it does not appear that cybercriminals in the current
wave of Diebold attacks are accessing cardholder information,
according to the company.

Another type of attack on cash machines is through phishing emails
sent to network administrators at the financial institution that owns
the machine. The emails attempt to install malware that can later use
administrative software providing remote access to ATMs to install
malware on the terminals, which cybercriminals then use to jackpot
them, according to Diebold.

Diebold is one of the top players in the ATM market, earning $3.3
billion in sales last year from its ATM business, which includes both
selling and servicing machines around the world.

To mitigate attacks, Diebold made a few suggestions to terminal
operators, including advising them to implement the latest protection
on the machines by using only software updated with current security
functionality and ensuring encryption is active on the terminal.

The company also advised customers to implement hard-disk encryption
mechanisms to protect the terminal from software modification and
offline attacks, as well as to limit physical access to the machine so
that attackers cannot get in by destroying the machine facade, as
occurred in the current spate of jackpotting attacks.

