ATM Compromise with or without Whitelisting
Agenda

1. whoami
2. Application Whitelisting
3. Threat - ATM Jackpotting malware
4. Software mitigations have improved but we still see weaknesses
5. Recommendations

23/06/15 © FortConsult
whoami

Alexandru Gherman
Head of Research | Principal Security Consultant
FortConsult Denmark | NCC Group
Reverse engineering * Firmware * UEFI * Finding Bugs * Malware analysis

@alexgherman

23/06/15 © NCC Group
What we do @FortConsult

• Reverse engineering
• Penetration Testing
• ATM security testing (Physical and Software attacks)
• Security assessments
• Audits * Source Code Review * Static and dynamic analysis
• Hardware security testing - ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices
• Malware analysis
• Threat analysis and research * Incident Response * Forensics
Application Whitelisting

• Appropriate for ATM devices
• It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess)
• Unique way to secure against unauthorized software
• Reduces the risk, but does not make the solution infallible to buffer overflow type of attacks
However there is still a risk

Only one of these has to be vulnerable … so that a system could be compromised!
Why? Still buffer overflows and other development errors…
Still vulnerable on the network
Tyupkin Malware – Backdoor.MSIL.Tyupkin

• What is Tyupkin?
• Stage 1
  - Physical access to the ATM
  - Insert bootable CD
  - Once the ATM is rebooted the infected ATM is under control
• Stage 2
  - Infinite loop waiting for a command
  - Only accepts commands at specific times
Tyupkin Malware – Backdoor.MSIL.Tyupkin
Bypassing Whitelisting can lead to jackpotting

• FortConsult performed a lot of research and developed its own XFS-compliant code
• Although we worked with ATM emulated environments, what we developed seems to work on any XFS compliant ATM!
• Administrative privilege is not necessarily required to jackpot
• Let us try it with your setup? :)
All this can happen while offline and without network connectivity!
Without being monitored…

On a priority scale, you don't need 0-day detection, you need compromise detection first. Knowing how you were compromised is less important than knowing that you were.
The path to the risk

• In every application there are design/development errors
• It takes only “whitelisted” vulnerable applications and other underlying components to compromise a system
• “Buffer overflow detections” don’t always work as advertised
• Exploitation
  - Develop exploit
  - Control EIP
  - Gain arbitrary code execution

Unlike Tyupkin’s physical access, we used a buffer overflow in a whitelisted application!
An attacker would always look for a door that allows a bypass!
Software Development

• Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible

ASLR in Windows!
Demo time!
Recommendations?

Probably not uninstall/disable: it’s still one of the only ones! If not, probably the best right now!

• Thorough application inventory review of all the applications installed on the ATM
  - Internet Explorer
  - Java/Flash Runtime engines
  - Image renderers, Virtual Browsers
  - Communications and message parsers
• ATM security test (Blackbox/Greybox)
  - Physical attacks
  - Network attacks
  - Application attacks
• Source Code review of the custom applications installed
Recommendations?

• Build a lockdown suite of security controls formed out of a combination of:
  - Windows security features (through use of ASLR, DEP, Stack Canaries)
  - Disk encryption
  - Whitelisting
  - And other security controls which we usually see unleveraged!
• We can help you here!
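As an added example (not from the slides and not FortConsult's tooling), a small Python audit that ties the whitelisting slide to the recommendations above: for each binary in an inventory it pairs the whitelist decision (SHA-256 allowlist, as a file-hash whitelist would) with the ASLR and DEP flags in the PE optional header, so an inventory review can spot a whitelisted binary that was built without those Windows mitigations. The file names and the minimal PE headers are constructed for the demo; stack canaries cannot be read from the header and are not checked.

```python
import hashlib
import struct
# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header (winnt.h)
DYNAMIC_BASE = 0x0040  # image can be relocated: ASLR
NX_COMPAT = 0x0100     # marked DEP-compatible

def dll_characteristics(pe: bytes) -> int:
    """Read DllCharacteristics from a PE32/PE32+ optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<H", pe, opt + 70)[0]  # same offset in PE32 and PE32+

def audit(name: str, pe: bytes, allowlist: set) -> dict:
    """Pair the whitelist decision (by SHA-256) with the binary's build-time mitigations."""
    flags = dll_characteristics(pe)
    return {"name": name, "whitelisted": hashlib.sha256(pe).hexdigest() in allowlist,
            "aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}

def findings(inventory: dict, allowlist: set) -> list:
    """Flag unknown files and whitelisted binaries that lack ASLR or DEP."""
    out = []
    for name, pe in inventory.items():
        r = audit(name, pe, allowlist)
        if not r["whitelisted"]:
            out.append(f"{name}: not in whitelist")
        elif not (r["aslr"] and r["dep"]):
            out.append(f"{name}: whitelisted but ASLR={r['aslr']} DEP={r['dep']}")
    return out

def make_pe(dllchars: int) -> bytes:
    """Constructed minimal PE32 header used as demo input (not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header at offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + coff + bytes(opt)

# Constructed inventory: a hardened agent, a legacy app built without ASLR/DEP, a dropped file
INVENTORY = {"xfs_agent.exe": make_pe(DYNAMIC_BASE | NX_COMPAT), "legacy_ui.exe": make_pe(0),
             "dropped.exe": make_pe(DYNAMIC_BASE)}
ALLOWLIST = {hashlib.sha256(INVENTORY[n]).hexdigest() for n in ("xfs_agent.exe", "legacy_ui.exe")}
```

On a real ATM image the inventory would be built from the files on disk; the legacy entry shows the case the slides warn about, a binary the whitelist trusts but that the memory-safety mitigations do not cover.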
Europe: Manchester (Head Office), Amsterdam, Cheltenham, Copenhagen, Edinburgh, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich, Sweden, Vilnius, Portugal
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Australia: Sydney
Russia: Moscow
A very special thank you to the expert team at KAL ATM Software; they are one of the only companies worldwide who support advanced testing and research.
