ATM Security Software Found to Have Serious VulnerabilityThere's Now a Patch for the Checker ATM Software
A security application for ATMs that's designed to thwart "jackpotting" attacks, where cash machines are commanded to surrender their holdings, has been found to have a serious vulnerability.
The software called Checker ATM, developed by the Spanish company GMV, now has a patch. Positive Technologies, a security company, found the vulnerability (CVE-2017-6968), which is a type of memory-related hiccup known as a buffer overflow, in versions 4.x and 5.x.
"The defect allows an attacker to remotely run code on a targeted ATM to increase his privileges in the system, infect it and steal money," writes Positive Technologies in a blog post.
According to GMV's website, Checker ATM is used by more than 20 banks across 80,000 cash machines.
ATMs across the world have come under sophisticated malware attacks despite efforts by the banking industry as well as ATM manufacturers to better secure the machines. In the 1990s, ATMs switched from proprietary operating systems to Microsoft's Windows (see Taiwan Heist Highlights ATM Weaknesses).
The criminals attacking ATMs have demonstrated remarkable knowledge of the software inside the devices. The thefts are often classified as logical attacks because they involve manipulating legitimate functions. Once inside an ATM, malware can interface with APIs that control features such as dispensing cash and then issue commands for a fraudulent outcome.
The Checker ATM software is designed to secure ATMs running either Windows or Linux. It restricts what applications are allowed to run on a machine, blocks interaction between external devices and the operating system and encrypts the hard disk, among other functions. It competes with products from McAfee, Symantec, Trend Micro and Bit 9.
Before launching an exploit, an attacker would need to connect to the ATM's network, writes Georgy Zaytsev, a researcher with Positive Technologies. One way would be to use ARP (Address Resolution Protocol) spoofing, which involves sending bogus ARP message in order to get a malicious device connected to the target network.
That malicious device can trigger the buffer overflow while a public key is generated because there's a "failure on the client side to limit the length of response parameters," Zaytsev writes. The result is that the attacker then has full control over the ATM, making it possible to withdraw money.
Hard to Exploit?
In an email to ISMG, GMV says it has not heard reports of attacks in the wild.
The company downplayed the attack, saying that the possibility to exploit the flaw was quite remote because network access was required. GMV contends that if an attacker already has that access, there are weaker targets to try to exploit rather than its security application. That's actually not as a large of a barrier as it seems; cybercriminals have shown they're capable of gaining deep access inside banks.
In Thailand, attackers stole $350,000 between July and August of 2016 from Government Savings Bank targeting ATMs made by NCR. The attackers breached the bank's network and then spoofed a software distribution system in order to install malicious software in 21 ATMs (see New 'Ripper' Malware Fueled Thai ATM Attacks).
In 2016, the financial industry was stunned by a wave of intrusions aimed at gaining access to the SWIFT interbank messaging system, which is used by financial institutions to facilitate international wire transfers. Bangladesh's central bank had $81 million stolen from its account at the New York Federal Reserve in an attack executed by a group suspected to be linked to North Korea (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).
GMV also says that the bug would be difficult to systematically exploit across an ATM network because an attacker would need to access certain memory addresses, depending on the version of the Windows kernel. Theoretically, the attack would work on XP, but it would be difficult on Windows 7, the company contends.
The patch is easy to remotely install using software deployment tools, GMV says. "We sent a security warning to our customers as soon as we generated a patch. In that note, we strongly recommended to apply this patch as soon as possible."