Not Just Ploutus: Protection Against ATM Malware Attacks

Every few months, reports of a new variant of ATM malware are published and rightly cause concern among financial institutions. The latest news is that the infamous Ploutus malware is back. The new version, called Ploutus D, reportedly uses third-party components that allow it to run on ATMs from multiple vendors.

Earlier examples of ATM malware in the press are Ripper, Alice, Tyupkin, Green Dispenser and a whole range of others. We can be sure there are new variants being worked on right now, since ATM malware is a highly profitable “business” for certain miscreants.

What is a financial institution to do?
As you can see from the list above, criminals are constantly evolving their attack methods in the hopes of staying undetected and undefeated. So what is a financial institution to do? First, it’s important to take a look at how ATM malware works. Here are two critical observations:

  • There are many different ways to “jackpot” an ATM, or in other words, steal money from it.
    Recent malware tends to drive the dispenser through the vendor-independent CEN/XFS programming interface, the same interface the legitimate cash application uses, so its dispense commands look like ordinary application calls to the device. Other attacks go through low-level system drivers, replace part of the cash application or use modified vendor diagnostic software.
  • A crucial, and in some cases never fully explained, part of the attack is to get the malware onto the ATM in the first place.
    It may come as a surprise that the most common approach is still to gain physical access to the ATM PC, with forged keys or simply with physical force. This lets the attacker install the malware either directly on the running system or after rebooting the PC from CD or USB into an operating system the attacker controls, which gives him read and write access to an unencrypted hard disk. However, as the attacks in Taiwan and Thailand in the summer of 2016 show, network-based attacks are gaining traction as well.

The Bad News
These observations make it clear that trying to protect ATMs against one particular malware variant is futile. Making sure Ploutus D would be recognized on your ATMs does not mean a new variant of Ripper or Tyupkin would be. Likewise, locking down the BIOS to block boots from unauthorized media won't stop a determined attacker who simply opens the PC case and connects the hard disk to a machine of his own.

The Good News
There are very effective countermeasures against malware attacks and solutions to protect your ATMs are readily available. As every IT security professional will attest, there is never 100% security in a networked and publicly accessible device such as an ATM. We can, however, raise the bar for an attacker to a point that they would rather try their luck elsewhere.

Here are key countermeasures against ATM malware:

Limit Access to the ATM

  • Use appropriate locking mechanisms to secure the head compartment of the ATM.
  • Implement access control for service technicians based on two-factor authentication.
  • Control access to areas used by personnel to service the ATM.
  • Have terminal operators conduct frequent visual inspections.

Harden the Software Stack

  • Introduce intrusion prevention mechanisms that identify deviating system behavior and protect the ATM while it is running (online attacks). This should include monitoring the integrity of system-critical files and the registry and controlling access to them, so that a dropped or patched executable is detected rather than silently loaded.
  • Activate the host-based firewall and configure it to allow only the connections the ATM application actually needs.
  • Implement full hard disk encryption so that an attacker who boots the PC from his own medium or removes the disk cannot read or modify the software on it (offline attacks).
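As an added example (not code from the original article or from any vendor product), the following Python script shows the integrity-monitoring part of this list in its simplest form: it builds a SHA-256 baseline of the files under a directory and later reports what was added, modified or removed. The directory layout and file names it creates (cashapp.exe, xfs.ini, drivers/cdm.dll, dropper.exe) are placeholders chosen for the illustration; on a real terminal the roots would be the cash application and XFS service provider directories, and the check would run from a protected agent rather than a script on the same disk.

```python
import hashlib
import os
import tempfile

# Added example: a minimal file-integrity baseline/verify cycle for the
# directories that hold the cash application. All paths and file names
# below are placeholders for illustration, not from any vendor's product.

CHUNK = 64 * 1024


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def verify(root, baseline):
    """Compare the directory against a stored baseline.

    Returns a sorted list of (change, relative_path). Added files matter as
    much as modified ones: a dropped executable shows up as an ADDED entry.
    """
    current = build_baseline(root)
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append(("REMOVED", rel))
        elif rel not in baseline:
            changes.append(("ADDED", rel))
        elif baseline[rel] != current[rel]:
            changes.append(("MODIFIED", rel))
    return changes


def demo():
    """Simulate an install, a baseline and later tampering; return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "drivers"))
        files = {
            "cashapp.exe": b"legitimate cash application",
            "xfs.ini": b"[XFS]\nCDM=cdm.dll\n",
            os.path.join("drivers", "cdm.dll"): b"dispenser service provider",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Constructed tampering: patched cash application, dropped executable,
        # deleted configuration file. The untouched driver must not be reported.
        with open(os.path.join(root, "cashapp.exe"), "wb") as fh:
            fh.write(b"legitimate cash application + patched dispense hook")
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"malware")
        os.remove(os.path.join(root, "xfs.ini"))

        return verify(root, baseline)


if __name__ == "__main__":
    for change, path in demo():
        print(f"{change:<9} {path}")
```

Run it to see the three findings the constructed tampering produces. Keep the baseline itself where an attacker with disk access cannot rewrite it, for example signed or held on the monitoring server; otherwise a tampered system and a tampered baseline simply agree with each other.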

Set up Additional Measures

  • Follow network security best practices, including a segmented and secured LAN/VLAN with intrusion detection and prevention.
  • Monitor hardware and software events in real time, and investigate suspicious activity such as transaction or event patterns that are inconsistent (for example, a dispense with no matching host-authorized transaction) or that result from an interrupted connection to the dispenser.
  • Monitor unexpected opening of the head compartment of the ATM.
  • Keep your operating system, software stack and your configuration up to date.
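To make the "inconsistent transaction or event pattern" concrete, here is an added example (not from the original article) in Python that correlates a constructed dispenser event log against a constructed host authorization log. It flags any dispense that no host authorization of the same amount precedes within a short window, and any offline/online cycle of the dispenser. The log formats, the event names (AUTH, DECLINE, CDM DISPENSE, CDM DEVICE_OFFLINE, CDM DEVICE_ONLINE), the sample lines and the 30-second tolerance are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Added example: correlate what the dispenser did with what the host
# authorized. The log formats and the sample lines are constructed for this
# illustration; real terminals and hosts log differently.

HOST_LOG = """\
2016-08-14T03:12:05Z AUTH ref=10021 amount=200
2016-08-14T03:15:40Z AUTH ref=10022 amount=50
2016-08-14T03:15:41Z DECLINE ref=10023 amount=500
"""

DEVICE_LOG = """\
2016-08-14T03:12:07Z CDM DISPENSE amount=200
2016-08-14T03:15:42Z CDM DISPENSE amount=50
2016-08-14T03:40:02Z CDM DEVICE_OFFLINE
2016-08-14T03:41:15Z CDM DEVICE_ONLINE
2016-08-14T03:41:20Z CDM DISPENSE amount=2000
2016-08-14T03:41:35Z CDM DISPENSE amount=2000
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
KV_RE = re.compile(r"(\w+)=(\S+)")
# Assumed tolerance: a dispense must follow its host authorization within this window.
MATCH_WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Turn 'timestamp EVENT NAME k=v ...' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(KV_RE.findall(rest))
        name = " ".join(tok for tok in rest.split() if "=" not in tok)
        events.append({"ts": datetime.strptime(stamp, TS_FMT), "name": name, **fields})
    return sorted(events, key=lambda e: e["ts"])


def correlate(host_events, device_events, window=MATCH_WINDOW):
    """Return alerts as (kind, timestamp, detail) tuples.

    Two things are flagged: a dispense that no host AUTH of the same amount
    precedes within the window (malware or a black box driving the CDM), and
    a dispenser going offline and back online (cable pulled, device re-attached).
    Each AUTH may explain at most one dispense.
    """
    auths = [e for e in host_events if e["name"] == "AUTH"]
    consumed = set()
    alerts = []
    offline_since = None
    for ev in device_events:
        if ev["name"] == "CDM DEVICE_OFFLINE":
            offline_since = ev["ts"]
        elif ev["name"] == "CDM DEVICE_ONLINE":
            if offline_since is not None:
                gap = int((ev["ts"] - offline_since).total_seconds())
                alerts.append(("DISPENSER_INTERRUPTED", ev["ts"], f"offline for {gap}s"))
                offline_since = None
        elif ev["name"] == "CDM DISPENSE":
            match = next(
                (i for i, a in enumerate(auths)
                 if i not in consumed
                 and a["amount"] == ev["amount"]
                 and a["ts"] <= ev["ts"] <= a["ts"] + window),
                None,
            )
            if match is None:
                alerts.append(("UNAUTHORIZED_DISPENSE", ev["ts"],
                               f"dispensed {ev['amount']} with no matching host authorization"))
            else:
                consumed.add(match)
    return alerts


def run_detection(host_log=HOST_LOG, device_log=DEVICE_LOG):
    """Parse both constructed logs and return the alerts they produce."""
    return correlate(parse_log(host_log), parse_log(device_log))


if __name__ == "__main__":
    for kind, ts, detail in run_detection():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind}: {detail}")
```

On the sample data the first two dispenses are explained by host authorizations, while the offline/online cycle and the two 2000 dispenses that follow it, with nothing on the host side, each raise an alert. Matching on amount and time is a simplification; a production rule should match on a transaction reference carried end to end, and the authorization record must come from the host, not from the ATM's own log, which malware on the terminal can rewrite.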

Of course, this is only a high-level overview of key security measures. The best way to secure your ATM network is by taking a comprehensive, multi-layered approach. And a great first step, if you haven’t already done so, is to conduct a thorough threat assessment of your current terminals. This will identify gaps and provide a solid foundation for enhancing your ATM security program.

Get in touch with us to dive deeper and find out how we can help you better protect your ATMs.