Tag Archive for: atm

Remote ATM hacking possible with Iagona ScrutisWeb bugs


ATMs managed by the Iagona ScrutisWeb ATM fleet monitoring system were exposed to remote hacking through four flaws in that system, which were remediated last month, reports SecurityWeek.

Attackers could leverage the vulnerabilities, tracked as CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189, to obtain data from the server, execute arbitrary commands, and retrieve and decrypt encrypted administrator passwords, which could then be used to monitor connected ATMs and carry out various malicious activities, according to a report from the Synack Red Team members who discovered the security bugs.

“Additional exploitation from this foothold in the client’s infrastructure could occur, making this an internet-facing pivot point for a malicious actor,” said researcher Neil Graves, who added that further study is needed to determine the possibility of a custom software upload to allow the exfiltration of cards and redirection of Swift transfers.

The Cybersecurity and Infrastructure Security Agency had already warned organizations about the flaws last month.

Source…

Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes


Cryptocurrency ATM manufacturer General Bytes over the weekend disclosed a security incident that resulted in the theft of millions of dollars’ worth of funds.

The attackers, the company says, exploited a vulnerability in the master service interface that Bitcoin ATMs use to upload videos, which allowed them to upload a JavaScript script and execute it with batm user privileges.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider),” the company says.

The code execution gave the attackers access to the database and to the API keys used to access funds in hot wallets and exchanges.

The attackers were then able to transfer funds from hot wallets, steal account usernames and password hashes, and disable two-factor authentication.

Furthermore, the attackers gained the “ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM”, information that was logged by older versions of ATM software.

“We urge all our customers to take immediate action to protect their funds and personal information,” General Bytes tweeted on March 18. The incident prompted most ATM operators in the US to suspend operations.

In a security bulletin detailing the incident, the company shared the steps customers should take to secure their GB ATM servers (CAS) and underlined that even operators who may not have been impacted by the incident should implement the recommended security measures.

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With VPN/Firewall attackers from open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system,” the company notes.

The crypto ATM maker released a CAS security fix and urged customers to consider all user passwords and API keys to exchanges and hot wallets as being compromised and to change them. The company also shared the crypto…

Source…

Gang hacks into ATM in Delhi, uses malware to siphon off Rs 5 lakh | Delhi News


NEW DELHI: An ATM in Mayur Vihar was hacked and more than Rs five lakh were stolen from it by fraudsters. Police have registered a case in this regard.
The complainant in the case told cops that an ATM near Mayur Vihar Phase-1 was affected by a malware attack. The investigators claimed that the accused used malware to infect the system and stole Rs. 5.6 lakh. “Transactions went unrecorded by the server or ATM log due to the malware that was installed into the ATM system,” the complainant told cops.
The fraudsters visited the ATM and turned it offline. Cops are suspecting that they disconnected the local area network (LAN) and then installed a malware into the machine’s system. The fraudsters carried out transactions for more than an hour. “All transactions at the switch level were declined but, at the same time, cash was withdrawn. They used some expired ATM cards to carry out the transactions,” the complainant said.
The fraudsters made multiple transactions of Rs 10,000 each; however, the cash dispensed for each of these transactions was Rs 20,000. “Instead of 20 notes of Rs 500 that had to be dispensed, 40 notes got dispensed,” the complainant added.
A similar incident was reported from an ATM installed in Ghaziabad, where the accused illegally withdrew Rs 5.6 lakh. By fudging the system with malware, the accused could cause withdrawals that are not recorded by the server or ATM log, police said.

Source…

Hackers Target Bank Networks with new Rootkit to Steal Money from ATM Machines



A financially motivated threat actor has been observed deploying a previously unknown rootkit targeting Oracle Solaris systems with the goal of compromising Automatic Teller Machine (ATM) switching networks and carrying out unauthorized cash withdrawals at different banks using fraudulent cards.

Threat intelligence and incident response firm Mandiant is tracking the cluster under the moniker UNC2891; some of the group’s tactics, techniques, and procedures overlap with those of another cluster dubbed UNC1945.

The intrusions staged by the actor involve “a high degree of OPSEC and leverage both public and private malware, utilities, and scripts to remove evidence and hinder response efforts,” Mandiant researchers said in a new report published this week.


Even more concerningly, the attacks spanned several years in some cases, during the entirety of which the actor remained undetected by leveraging a rootkit called CAKETAP, which is designed to conceal network connections, processes, and files.

Mandiant, which was able to recover memory forensic data from one of the victimized ATM switch servers, noted that one variant of the kernel rootkit came with specialized features that enabled it to intercept card and PIN verification messages and use the stolen data to perform fraudulent cash withdrawals from ATM terminals.


Also put to use are two backdoors known as SLAPSTICK and TINYSHELL, both attributed to UNC1945 and used to gain persistent remote access to mission-critical systems as well as shell execution and file transfers via rlogin, telnet, or SSH.

“In line with the group’s familiarity with Unix and Linux based systems, UNC2891 often named and configured their TINYSHELL backdoors with values that masqueraded as legitimate services that might be overlooked by investigators, such as systemd (SYSTEMD), name service cache daemon (NCSD), and the Linux at daemon (ATD),” the researchers pointed out.


Additionally, the attack chains have employed a variety of malware and publicly-available utilities, including –

  • STEELHOUND – A variant of the STEELCORGI in-memory dropper that’s used to decrypt an embedded payload and encrypt new binaries
  • WINGHOOK – A keylogger for…

Source…