Diebold ATM Terminals Jackpotted Using Machine’s Own Software

2020-07-21T12:13:14
ID THREATPOST:1BC44B2402EC1BF1456FABF7A161A915
Type threatpost
Reporter Elizabeth Montalbano
Modified 2020-07-21T12:13:14

Description

Cybercriminals are using software from leading ATM manufacturer Diebold in a series of hacks against cash terminals across Europe, forcing the machines to dispense cash to crooks.

Criminals using a black-box device common in this type of attack have increased their activity across Europe by targeting Diebold’s ProCash 2050xe USB terminals, according to an Active Security Alert (PDF) by Diebold Nixdorf released last week.

The company believes that the device used in the attacks “contains parts of the software stack of the attacked ATM,” it said in its alert.

It is as yet unclear how attackers gained access to the internal software of the machines, according to Diebold. However, a previous offline attack against an unencrypted hard disk of the machine could be to blame, according to the alert.

So-called jackpotting attacks are those in which cybercriminals find a way to hack into an ATM to trigger the machine to release cash, much like a slot machine at a casino, hence the name.

There are a number of ways cybercriminals can target cash terminals with these attacks.

The recent attacks observed by Diebold are black-box dispenser attacks, with threat actors focusing on outdoor systems, destroying parts of their facades to gain physical access to the control panel of the machines.

To jackpot the machine, criminals unplug the USB cable that connects the terminal’s CMD-V4 dispenser to its electronic systems and connect it to the black box so they can “send illegitimate dispense commands.”

There are several other ways that cybercriminals can jackpot cash machines, including another black-box technique that plugs into network cables on the exterior of an ATM to record cardholder information. In this way, attackers can change authorized withdrawal amounts from the host, or masquerade as the host system to discharge large amounts of cash.

At this time, it does not appear that cybercriminals in the current wave of Diebold attacks are accessing cardholder information, according to the company.

Another type of attack on cash machines is through phishing emails sent to network administrators at the financial institution that owns the machine. The emails attempt to install malware that can later use administrative software providing remote access to ATMs to install malware on the terminals, which cybercriminals then use to jackpot them, according to Diebold.

Diebold is one of the top players in the ATM market, earning $3.3 billion in sales last year from its ATM business, which includes both selling and servicing machines around the world.

To mitigate attacks, Diebold made a few suggestions to terminal operators, including advising them to implement the latest protection on the machines by using only software updated with current security functionality and ensuring encryption is active on the terminal.

The company also advised customers to implement hard-disk encryption mechanisms to protect the terminal from software modification and offline attacks, as well as to limit physical access to the machine so that attackers cannot gain access by destroying the machine facade, as occurred in the current spate of jackpotting attacks.