
ATM Compromise with and without Whitelisting


ATM compromise through the use of malicious software is on the increase across the world. At EAST FCS 2015 a demonstration showed how a Windows ATM platform can be compromised by known malware. The demo featured a virtual ATM machine running on Windows 7, emulating an XFS layer.

Alexandru Gherman

June 11, 2015

Transcript

  1. Agenda
     1. whoami
     2. Application Whitelisting
     3. Threat - ATM Jackpotting malware
     4. Software mitigations have improved but we still see weaknesses
     5. Recommendations
     23/06/15 2 © FortConsult
  2. whoami
     Alexandru Gherman
     Head of Research | Principal Security Consultant
     FortConsult Denmark | NCC Group
     Reverse engineering * Firmware * UEFI * Finding Bugs * Malware analysis
     @alexgherman
  3. What we do @FortConsult
     Ø Reverse engineering
     Ø Penetration Testing
     Ø ATM security testing (Physical and Software attacks)
     Ø Security assessments
     Ø Audits * Source Code Review * Static and dynamic analysis
     Ø Hardware security testing - ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices
     Ø Malware analysis
     Ø Threat analysis and research * Incident Response * Forensics
  4. Application Whitelisting
     ♦ Appropriate for ATM devices
     ♦ It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess)
     ♦ Unique way to secure against unauthorized software
     ♦ Reduces the risk but does not make the solution infallible to buffer overflow type of attacks
  5. However there is still a risk
     Only one of these has to be vulnerable … so that a system could be compromised! Why? Still buffer overflows and other development errors…
  6. Tyupkin Malware – Backdoor.MSIL.Tyupkin
     ♦ What is Tyupkin?
     ♦ Stage 1
       § Physical access to the ATM
       § Insert bootable CD
       § Once the ATM is rebooted the infected ATM is under control
     ♦ Stage 2
       § Infinite loop waiting for a command
       § Only accepts commands at specific times
  7. Bypassing Whitelisting can lead to jackpotting
     Ø FortConsult performed a lot of research and developed its own XFS-compliant code
     Ø Although we worked with ATM emulated environments, what we developed seems to work on any XFS compliant ATM!
     Ø Administrative privilege is not necessarily required to jackpot
     Ø Let us try it with your setup? :)
  8. All this can happen while offline and without network connectivity! Without being monitored…
     On a priority scale, you don't need 0-day detection, you need compromise detection first. Knowing how you were compromised is less important than knowing that you were.
  9. The path to the risk
     ♦ In every application there are design/development errors
     ♦ It takes only "whitelisted" vulnerable applications and other underlying components to compromise a system
     ♦ "Buffer overflow detections" don't always work as advertised
     ♦ Exploitation
       § Develop exploit
       § Control EIP
       § Gain arbitrary code execution
  10. Unlike Tyupkin's physical access, we used a buffer overflow in a whitelisted application! An attacker would always look for a door that allows a bypass!
  11. Software Development
     ♦ Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible
     ASLR in Windows!
  12. Recommendations?
     Probably not uninstall/disable. It's still one of the only! If not, probably the best right now!
     Ø Thorough application inventory review of all the applications installed on the ATM
       Ø Internet Explorer
       Ø Java/Flash Runtime engines
       Ø Image renderers, Virtual Browsers
       Ø Communications and message parsers
     Ø ATM security test (Blackbox/Greybox)
       Ø Physical attacks
       Ø Network attacks
       Ø Application attacks
     Ø Source Code review of the custom applications installed
  13. Recommendations?
     Probably not uninstall/disable. It's still one of the only! If not, probably the best right now!
     Ø Build a Lockdown Suite of Security Controls formed out of a combination of
       Ø Windows Security Features (through use of ASLR, DEP, Stack Canaries)
       Ø Disk Encryption
       Ø Whitelisting
       Ø And other security controls which we usually see unleveraged!
     Ø We can help you here!
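The two recommendation slides above ask for an inventory review of the whitelisted applications and for the Windows mitigations (ASLR, DEP) to actually be leveraged. The script below is an added example written for this transcript, not code from the deck, FortConsult or NCC Group. It parses the PE headers of a binary to read the IMAGE_DLLCHARACTERISTICS opt-in flags (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, plus HIGH_ENTROPY_VA, GUARD_CF and NO_SEH) and combines that with a hash allowlist lookup, so an audit shows the case the deck warns about: an application that is on the whitelist but ships without the mitigations. The allowlist format (a set of SHA-256 digests) and the sample images are assumptions constructed for the example; stack canaries (/GS) leave no header flag and are not detected this way.

```python
import hashlib
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification (winnt.h).
DLL_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DLL_DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
DLL_NX_COMPAT = 0x0100         # image is DEP/NX compatible
DLL_NO_SEH = 0x0400            # image uses no structured exception handlers
DLL_GUARD_CF = 0x4000          # Control Flow Guard instrumented
# IMAGE_FILE_* flag from the COFF file header.
FILE_RELOCS_STRIPPED = 0x0001  # no relocation data: the loader cannot rebase the image


def parse_pe_mitigations(data):
    """Read the opt-in mitigation flags from a PE image's headers.

    Returns a dict of booleans. Stack canaries (/GS) are a compiler feature
    that leaves no header flag, so they are not reported here.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _machine, _nsec, _ts, _symp, _nsym, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        # DYNAMIC_BASE is ineffective without relocation data: the image cannot be moved.
        "aslr": bool(dllchars & DLL_DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dllchars & DLL_NX_COMPAT),
        "high_entropy_va": bool(dllchars & DLL_HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & DLL_GUARD_CF),
        "no_seh": bool(dllchars & DLL_NO_SEH),
        "relocs_stripped": relocs_stripped,
    }


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_image(data, allowlist):
    """Combine the whitelisting decision with a mitigation check for one image.

    `allowlist` is a set of SHA-256 hex digests of approved binaries (hypothetical
    policy format). The case the deck warns about is allowed=True together with a
    non-empty `missing` list: approved to run, but without ASLR/DEP.
    """
    digest = sha256_hex(data)
    mitigations = parse_pe_mitigations(data)
    missing = [name for name in ("aslr", "dep") if not mitigations[name]]
    return {"sha256": digest, "allowed": digest in allowlist,
            "missing": missing, "mitigations": mitigations}


def build_sample_pe(dllchars, pe32plus=False, file_chars=0):
    """Constructed sample: a header-only PE that is not executable, used as audit input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after DOS header
    magic, opt_size, machine = (0x20B, 112, 0x8664) if pe32plus else (0x10B, 96, 0x14C)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Two constructed images on the same allowlist: one built with modern mitigations,
    # one legacy PE32 with relocations stripped (so it can never be randomised).
    hardened = build_sample_pe(DLL_DYNAMIC_BASE | DLL_NX_COMPAT | DLL_HIGH_ENTROPY_VA, pe32plus=True)
    legacy = build_sample_pe(0, file_chars=FILE_RELOCS_STRIPPED)
    allowlist = {sha256_hex(hardened), sha256_hex(legacy)}
    for name, image in (("hardened.exe", hardened), ("legacy.exe", legacy)):
        result = audit_image(image, allowlist)
        print(name, "allowed=%s missing=%s" % (result["allowed"], result["missing"]))
```

Run against real files by reading each binary from the inventory and passing its bytes to audit_image; the check on FILE_RELOCS_STRIPPED matters because a binary can carry the DYNAMIC_BASE flag and still load at a fixed address when its relocation data was stripped, which is exactly the kind of "whitelisted but soft" target the deck describes.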
  14. Europe
     Manchester - Head Office
     Amsterdam, Cheltenham, Copenhagen, Edinburgh, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich, Sweden, Vilnius, Portugal
     North America
     Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
     Australia
     Sydney
     Russia
     Moscow
  15. A very special thank you to the expert team at KAL ATM Software; they are one of the only companies worldwide who support advanced testing and research.