A cyber criminal collective known as the Cobalt Group is suspected of being behind the ATM malware “touchless jackpotting” attacks across 14 countries in Europe, including the Netherlands, Russia, Britain, Poland, Romania and Spain. The group gets its name from the infamous penetration testing tool it uses – “Cobalt Strike – Advanced Threat Tactics for Penetration Testers.” Infected ATMs spewed out cash without even being physically touched!
How the Attackers Infected the ATM Machines
The hackers typically initiated the malware infection through phishing and spear-phishing attacks. They sent malware-laced emails to employees working at the banks. If a security-naive employee clicked a malicious link in an email or opened an attachment, their system would become infected. Once the malware gained a foothold on a single system on the banking network, the perpetrators were able to spread the infection to the banking server that controlled the ATMs, which let them attack the ATM machines and compromise ATM security.
In this attack, the cyber criminals themselves did not have to go to the individual ATM machines to plant the malware. Everything was done remotely, with no physical attack at all. From the server, they spread the malware to specific ATM machines across Europe. This Cobalt Strike malware infected the hard drives of the ATM machines.
Then, at a time of their choosing, the cyber criminal team sent a command to specific ATMs to dispense the cash inside the machine. This money was collected by “money mules”, who get a share of the whole amount collected.
The malware is potent enough that once it enters any bank's financial network, it can spread to the server. Group-IB, a Russian security firm, has linked the Touchless Jackpotting attacks to the Cobalt group. However, not much is presently known about this group. The cyber tools used suggest, though, that there could be a link between Cobalt and “Buhtrap”, another cyber criminal group that carries out similar kinds of attacks.
These kinds of attacks are dangerous because the complete attack happens logically; no physical presence is involved. When cybercriminals infected the banking servers, they have also been able to compromise the SWIFT (a secure messaging provider) system to issue fraudulent money transfers through it. Some time back, hackers purportedly transferred a huge amount of money from the central bank of Bangladesh by compromising the SWIFT system. This is a warning for even highly secure fund transfer systems, as hackers seem to be able to get into any system.
Precautionary Measures to Ensure ATM Security
- Employee education – employees MUST be given sufficient education on cyber security measures, the various types of malware attacks (phishing, spear phishing, spoofed mails, etc.) and malware removal. They must be taught how to identify fraudulent emails.
- To prevent “Touchless Jackpotting”, it is advisable to place ATMs in buildings that can be completely covered by security cameras. This could help deter these types of attacks, as the money collectors would be recorded on camera.
- Regular patch management – updating ATM operating systems with the latest patches and employing effective security systems to detect and block malicious activity in real time is another much-needed security measure.
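The attack chain described above (phishing, a foothold on one workstation, spread to the ATM server, remote dispense commands at a chosen time) and the real-time detection measure in the last point both come down to watching what the ATM controller is told to do. The following is an added example, not code from the article, from Group-IB or from any ATM vendor: a small Python detector that reads a constructed command log and flags dispense commands from hosts other than the authorised controller, dispenses outside an assumed maintenance window, and bursts of dispenses to several ATMs from one source in a short time. The log format, host names, ATM ids, timestamps and thresholds are all assumptions made for this example.

```python
"""Flag anomalous ATM cash-dispense commands in a constructed controller log.

Added example (not from the article or any vendor): a defender who logs every
command the ATM management server issues can check each DISPENSE against a
few simple expectations. All names, formats and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: only this host is authorised to push commands to ATMs.
AUTHORISED_HOSTS = {"atmctl-prod-01"}
# Assumed: legitimate remote dispense/test commands happen only in this window (local hours).
MAINTENANCE_START, MAINTENANCE_END = 9, 17
# Assumed "jackpotting burst" threshold: dispenses to this many distinct ATMs within the window.
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample log, one command per line: "<iso-timestamp> src=<host> atm=<id> cmd=<command> ..."
SAMPLE_LOG = """\
2016-11-21T10:02:11 src=atmctl-prod-01 atm=ATM-0412 cmd=STATUS
2016-11-21T10:05:40 src=atmctl-prod-01 atm=ATM-0412 cmd=DISPENSE amount=100
2016-11-22T02:14:03 src=ws-finance-17 atm=ATM-0093 cmd=DISPENSE amount=4000
2016-11-22T02:15:20 src=ws-finance-17 atm=ATM-0188 cmd=DISPENSE amount=4000
2016-11-22T02:16:58 src=ws-finance-17 atm=ATM-0301 cmd=DISPENSE amount=4000
2016-11-22T02:30:00 src=atmctl-prod-01 atm=ATM-0301 cmd=STATUS
"""


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, *fields = line.split()
    entry = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        entry[key] = value
    return entry


def detect_anomalies(log_text):
    """Return a list of (reason, entry) tuples for suspicious DISPENSE commands.

    Three checks, each of which would have fired on the chain the article
    describes: an unauthorised source host, a dispense outside the maintenance
    window, and a burst of dispenses to several ATMs from one source.
    """
    alerts = []
    dispenses_by_src = defaultdict(list)  # src -> [(ts, atm), ...] inside the sliding window
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if entry.get("cmd") != "DISPENSE":
            continue
        if entry["src"] not in AUTHORISED_HOSTS:
            alerts.append(("unauthorised_source", entry))
        if not MAINTENANCE_START <= entry["ts"].hour < MAINTENANCE_END:
            alerts.append(("outside_maintenance_window", entry))
        history = dispenses_by_src[entry["src"]]
        history.append((entry["ts"], entry["atm"]))
        # Drop dispenses that fell out of the window, then count distinct ATMs hit.
        history[:] = [h for h in history if entry["ts"] - h[0] <= BURST_WINDOW]
        if len({atm for _, atm in history}) >= BURST_COUNT:
            alerts.append(("dispense_burst", entry))
    return alerts


def alert_summary(log_text):
    """Map each alert reason to the number of times it fired."""
    counts = defaultdict(int)
    for reason, _ in detect_anomalies(log_text):
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for reason, entry in detect_anomalies(SAMPLE_LOG):
        print(f"{reason:28} {entry['ts'].isoformat()} src={entry['src']} atm={entry['atm']}")
```

On the constructed log the authorised daytime dispense to ATM-0412 passes silently, while the three night-time dispenses from the finance workstation each trip the source and time-window checks, and the third also trips the burst check. In practice the allowlist and maintenance window would come from the bank's change-control records rather than constants in the script, and the alerts would feed the SIEM rather than stdout.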