Eclypsium researchers have recently discovered vulnerabilities in the device drivers of automatic teller machines (ATMs) and point-of-sale (POS) cash registers.
In recent years, ATMs and POS cash registers have been the target of many cybercriminal groups, and the amount of money stolen has peaked. Although attackers have already developed several exploits to break into these machines, researchers are now warning of vulnerabilities in the drivers of this hardware which, according to them, could allow more persistent and even more damaging attacks.
Researchers at Eclypsium, a company specializing in device security, looked at the security of the drivers for these devices: the programs that allow applications to communicate with the hardware components of a system and use their capabilities. Over the past year, as part of their research project called Screwed Drivers, these researchers have found vulnerabilities and design flaws in 40 Windows drivers from at least 20 different hardware vendors, highlighting the scope of the problem posed by this attack surface.
A permeable Windows
Windows is often associated with servers, workstations and laptops. But many other types of devices run the Microsoft operating system. Windows is also widely used in the world of ATMs, point-of-sale terminals, self-service kiosks, medical systems, and other types of specialty equipment. These devices are generally more difficult to update because they are used in regulated industries and environments, so updates must pass strict tests and certifications. In addition, taking them offline for long periods of time can cause business disruption and financial loss.
In their report, researchers at Eclypsium recall that attacks on ATMs can take various forms: “Attackers can deliver malware by compromising the banking network connected to the device, the connection of the device to card processors, or by accessing the ATM’s internal computer. As with traditional attacks, attackers or malware often aim to gain elevated privileges on the targeted device to gain deeper access to the system. However, malicious or vulnerable drivers are very useful for this. By taking advantage of the features of insecure drivers, attacks or malware can allow the attacker to gain new privileges, gain access to information, and ultimately steal money or customer data.”
Vulnerability in a Diebold Nixdorf ATM driver
As part of their project, researchers at Eclypsium discovered a vulnerability in a driver used by an ATM model from Diebold Nixdorf, one of the largest manufacturers of devices for the banking and retail sectors. The driver allows applications to access the various x86 input/output ports of this system. ATMs are nothing more than computers, except that they have specialized peripherals (card reader, PIN pad, network interfaces or safes) connected through different communication ports. By accessing the input/output ports via the vulnerable driver, an attacker can potentially read the data exchanged between the ATM’s computer and the devices connected over PCI. In addition, this driver can be used to update the BIOS, the low-level firmware on a computer that starts before the operating system and initializes the hardware components. By exploiting this functionality, an attacker could deploy a BIOS rootkit that would not be destroyed by reinstallations of the operating system, and could thus set up a very persistent attack.
As far as the researchers are aware, the vulnerability has not been exploited in any actual attack, but based on their discussions with Diebold, they believe that the same driver is used in other models of ATMs and in point-of-sale systems. Diebold, who worked with the researchers, released fixes for this driver earlier this year. “This is just the tip of the iceberg of what can be done with malicious drivers,” said the researchers. “Our previous research had allowed us to identify drivers which, in addition to arbitrary I/O access, also allowed reading and writing memory, debugging and controlling model-specific registers, and gaining arbitrary PCI access. Adding these capabilities to a vulnerable driver could have a devastating impact on ATMs or POS systems. Since many of the drivers running these devices have not been tested, it is likely that they contain vulnerabilities as yet unknown.”
Organized groups hacking ATMs and POS systems
Hackers have indeed targeted ATMs and cash registers. Cybercrime groups like Carbanak, which have specialized in infiltrating financial organizations such as banks, are slowly making their way into their ATM networks. These groups are methodical and patient, and they can spend months inside networks until they understand a victim’s working methods and how their systems work. When they finally decide to proceed with the theft, they send mules to collect money from the compromised ATMs. In general, these thefts take place overnight. Another group related to Carbanak, known as FIN7, specializes in hacking point-of-sale systems and targets businesses in the hospitality and retail industries to steal payment card data. The group recently mailed malicious USB sticks to its targets, claiming they were a gift from Best Buy.
Even ransomware gangs have taken an interest in these systems, as locking them up could allow them to put pressure on the companies concerned to pay the ransom. Last week, Symantec reported that Sodinokibi, an active hacker group known for its sophisticated ransomware attacks, has started scanning for point-of-sale software and systems in the environments to which they have access.
Driver vulnerabilities such as those discovered by Eclypsium do not provide hackers with direct access to a system, but they can be used to gain more privileges once the attacker has gained entry by some other method. As Carbanak, FIN7 and other groups of cybercriminals have repeatedly demonstrated, it is not so difficult to break into networks and systems, and there are different methods for doing so. “From the moment the hacker finds a vulnerability to break into the computer of an ATM, he can use it to obtain additional privileges and access to certain sub-interfaces that will allow him to do more interesting things,” said Jesse Michael, senior researcher at Eclypsium. “He will be able to communicate with other devices, for example a device he wants to access to perform operations that are part of his attack process. This amounts to creating a flaw in the protective layers of the device.” Hiding malware in the BIOS to survive the reinstallation of the operating system could be very useful for some of these groups of seasoned cybercriminals, as they can repeatedly attack their targets.
Adopt security by design
More destructive attacks that prevent devices from booting are also possible. “This boot driver communicates with the chipset’s Serial Peripheral Interface (SPI) controller to install BIOS updates, so if an attacker just wants to work around the system so that it doesn’t boot at all, it can write error messages into the boot block,” said Jesse Michael again. Ransomware attacks have in the past encrypted computers’ Master Boot Record (MBR), rendering them unusable until the victims paid the ransom. To recover from an attack of this type, manual intervention is required, and in the case of geographically dispersed ATMs, the downtime can be significant. As for POS systems, blocking them can also result in financial loss if all terminals in one store or in multiple stores suddenly stop working. Certain attacks, such as the Shamoon attack that hit Saudi Aramco in 2012, or the 2014 attack on Sony Pictures attributed to North Korea, were solely intended to disrupt normal commercial operations. Such attacks were used to manipulate and profit from a company’s share price.
Eclypsium’s research highlights a lack of security in the design of device drivers, as most of the problems noted are related to architectural flaws rather than vulnerabilities in the code. According to Jesse Michael, these problems are generally due to the fact that the developers limit themselves to meeting the commercial need, for example allowing an application to communicate with a hardware component, without putting in place the appropriate controls. “In most of these cases, people don’t really think about the consequences of misusing a feature,” said the senior researcher at Eclypsium. “The functionality is useful for the specific task it needs to accomplish, but they didn’t wonder if someone else could exploit it for malicious purposes or to do something other than what it was designed for.”
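The architectural flaw described above, and the control that is missing, can be shown side by side. The following is an added example, not Eclypsium’s or Diebold’s code: a user-mode C model of a driver’s port-I/O request check, in which the permissive version accepts any port from any caller while the restricted version requires a privileged caller, a valid access width and a port inside a fixed allowlist. The request structure, the allowlist range 0x0300–0x0307 and the admin flag are constructed for illustration; a real Windows driver would enforce the caller check through its device object’s security descriptor rather than a boolean in the request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a "do port I/O" request handed to a driver (hypothetical layout). */
typedef struct {
    uint16_t port;            /* x86 I/O port the caller wants to touch */
    uint8_t  width;           /* access width in bytes: 1, 2 or 4 */
    bool     caller_is_admin; /* stands in for the kernel's check of the caller's token */
} PortIoRequest;

/* Flawed design: the driver forwards any port request from any caller. */
bool permissive_allows(const PortIoRequest *r) {
    (void)r;
    return true;
}

/* Hardened design: an explicit allowlist of port ranges the device actually needs. */
typedef struct { uint16_t first, last; } PortRange;
static const PortRange kAllowed[] = {
    { 0x0300, 0x0307 },   /* constructed range for a hypothetical peripheral */
};

bool restricted_allows(const PortIoRequest *r) {
    if (!r->caller_is_admin) return false;                       /* least privilege */
    if (r->width != 1 && r->width != 2 && r->width != 4) return false;
    uint32_t last_byte = (uint32_t)r->port + r->width - 1u;     /* no 16-bit wraparound */
    for (size_t i = 0; i < sizeof kAllowed / sizeof kAllowed[0]; i++) {
        if (r->port >= kAllowed[i].first && last_byte <= kAllowed[i].last) return true;
    }
    return false;                                                /* default deny */
}

int main(void) {
    /* Constructed requests: an in-range device port and the legacy PCI config address port. */
    PortIoRequest device_port = { 0x0300, 4, true  };
    PortIoRequest pci_config  = { 0x0CF8, 4, true  };
    PortIoRequest unprivileged = { 0x0300, 1, false };
    printf("device port : permissive=%d restricted=%d\n",
           permissive_allows(&device_port), restricted_allows(&device_port));
    printf("PCI config  : permissive=%d restricted=%d\n",
           permissive_allows(&pci_config), restricted_allows(&pci_config));
    printf("unprivileged: permissive=%d restricted=%d\n",
           permissive_allows(&unprivileged), restricted_allows(&unprivileged));
    return 0;
}
```

The permissive check accepts all three requests; the restricted check accepts only the privileged, in-range one, which is the difference between a driver exposing the whole I/O space and one exposing just its device.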