
'Ripper' ATM Malware: Where Will Cybercriminals Strike Next?

Asian Banks Get Stung; Expert Predicts More Attacks
ATM in Bangkok. Photo: nist6dh (Flickr/CC)

Daniel Regalado, a FireEye senior staff malware researcher, had a feeling something was going wrong somewhere in the world when he saw the alert: A never-seen-before type of malicious software designed to steal money from ATMs had been detected.


An hour later, the first news report arrived: Three groups of men had scattered through six provinces in Thailand, commanding 21 ATMs to disgorge a total of 12 million baht ($350,000). (See New 'Ripper' Malware Fueled Thai ATM Attacks.) The incident had an eerie familiarity: In mid-July, $2.2 million was stolen from dozens of ATMs in Taiwan in a flash strike that sent shivers through the banking industry (see Taiwan Heist Highlights ATM Weaknesses).

Regalado, an expert in ATM malware, has watched as cybercriminals have had astounding ATM-draining success in countries such as Mexico and Ukraine. The attacks have highlighted the failings of some banks to secure their ATMs, most of which still run Microsoft's retired Windows XP operating system.

FireEye's alert was generated by a custom system it has developed that quickly classifies malware uploaded to Google's VirusTotal repository by its intentions. VirusTotal indicated that the malicious file, nicknamed "Ripper" by FireEye, had been uploaded from Thailand.

"It was like a movie, but it was real," Regalado says. "An hour later, I started seeing the news. I said, 'Wait a minute. Thailand.'"

One-Card Jackpot

Ripper isn't that different from other kinds of ATM malware, Regalado says. The aim of such programs is generally to direct the machine to dispense its cash, via what's often referred to as a "jackpotting" or "cash out" attack.

But the new malware has some key characteristics that link it to reported observations of the criminals in Thailand and Taiwan. News reports have indicated that the thieves used the ATM like anyone else, inserting a payment card into the ATM's slot. Regalado, who wrote a blog post detailing Ripper's innards, quickly suspected that Ripper was used in both incidents.

Digging into Ripper's code reveals what is going on. The criminals use EMV payment cards that have been encoded to authenticate the card to malware that's already been installed on the ATM. The chip says to the malware: "I'm here. Let's drain this machine."

Once an attacker inserts a special EMV card, the malware grants them access to a range of functions. By entering preset codes into the keypad, they can access a menu of options, including dispensing currency. There's also a twist to the malware: It disables network access to foil real-time anti-fraud detection systems on the bank's side.

Ripper's code doesn't indicate how it's installed on the ATMs, Regalado says. But the malware-distribution method became clear after one affected ATM vendor, NCR, provided the most detailed information yet on the Thailand attacks.

NCR says the network of Government Savings Bank, one of Thailand's largest financial institutions, was breached. Once the attackers were inside the bank's network, they delivered Ripper malware to ATMs via the bank's software distribution tool, built by InfoMindz. After related ATM heists were spotted, the bank reportedly shut down 3,300 of its NCR-built ATMs, which comprise nearly half of its 7,000-machine fleet. The bank says it expects to have the ATMs scrubbed and back in service in September.

One Ripper For All

Both FireEye and NCR have confirmed that Ripper is compatible with ATMs made by two other major vendors aside from NCR, although they have declined to identify the other two vendors. As far as ATM malware goes, Regalado says Ripper is unique because it works with all three vendors' ATMs with no customization.

All ATMs support APIs known as XFS, for Extensions for Financial Services, which is a middleware specification that defines how hardware on ATMs - including text displays, card readers, PIN pads, safes and dispenser units - talks to the host Windows operating system, Regalado says.

ATM vendors often run their own customized version of XFS. The developer of Ripper has coded the malware with an interface that adheres to the public XFS specification, which makes the malware cross-compatible with ATM vendor software and also lets it, for example, talk to the cash dispenser.

Regalado says a way to stop this problem is to restrict ATMs' XFS implementations from talking to other XFS interfaces. "That way, these guys should not be able to just play with the standard," Regalado says.

Unfortunately, when an attacker issues a request via the XFS interface to dispense money, anti-virus software won't flag that request, Regalado says, because it looks like normal behavior. What needs to happen, he says, is for ATMs to begin authenticating interfaces, so that requests made by a new XFS interface would by default be blocked.

Cataloging ATM Weaknesses

ATM malware has been around since 2009, when Kaspersky Lab discovered malicious software called Skimer. But what is significant about the Taiwan and Thailand attacks is that both involved crews of criminals hitting fleets of ATMs, which had been pre-infected with malware, in coordinated strikes.

Experts have warned that ATMs have long been a weak point in the banking infrastructure. The use of the aging, embedded versions of Windows XP is one major problem, although that is not exclusively to blame.

Because ATMs are computers, the devices face various computer-attack vectors, including cracking open the lock to gain access to a USB port and exploiting insecure network configurations. Other attacks have included dragging ATMs out of walls using chains attached to pickup trucks and later cracking open the interior safes with power tools. Some robbers, meanwhile, simply pump explosive gas into the machine.


It's time-consuming and expensive to upgrade or replace ATMs, so it's not surprising that criminals are finding success in far-flung locales where the banking infrastructure and related security practices may be less advanced.

FireEye's Regalado predicts more attacks will soon come. Even if cybercriminals who attempt to gain access to ATMs via a bank's internal network strike out, there are other potential weaknesses to exploit. Criminals can always attempt to recruit bank employees and ATM technicians, not least in less-developed countries.

"It is not only that those countries are running old machines, it is also easier in those countries to hire people to install the malware," Regalado says. "That is a perfect combination."

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
