Diebold Nixdorf discovered a new form of attack on ATMs in Europe. The company’s security specialists warned of a variation of the black box attacks on ATMs, which attackers began to use in Belgium.
Black box attacks are a type of jackpotting attack, during which cybercriminals literally force an ATM to spit money. Such an attack can be carried out using malware installed in an ATM, or using a black box.This term usually refers to a laptop or a device based on a single-board microcomputer, which is used to connect to the internal components of the ATM (for access to ports, wiring, etc. criminals usually disassemble the case or cut a hole in it). Having connected to the machine, the attackers simply give the ATM command to “release” cash from the cassettes in which they are stored.
Diebold Nixdorf writes that so far, new attacks are only used against ProCash 2050xe ATMs, to which attackers connect via USB ports.
The company explains:
During recent incidents, attackers focused on street systems. They destroy parts of the front panel to gain physical access to the main compartment. Then they disconnect the USB cable connecting the CMD-V4 dispenser and the special electronics, or the cable between the special electronics and the computer of the ATM. This cable connects to the black box of intruders to send cash withdrawal commands”
However, not this attracted the attention of specialists. The fact is that attackers usually use malware or their own code to interact with the components of the ATM, but now the hackers seem to get a copy of the legitimate software (firmware) of the ATMs, which they installed on the black box and used to interact with the machines.
While the investigation of the incidents is still ongoing, but Diebold Nixdorf believes that hackers could connect to some ATM and find that its software was stored on an unencrypted hard drive.
ZDNet refers to its own sources in the banking sector and reports that the warning issued by the manufacturer is directly related to the investigation of a number of jackpot attacks that occurred in Belgium in June-July 2020.
These attacks (two cases of strange jackpotting) forced the Belgian bank Argenta to suspend the operation of 143 ATMs. Moreover, local media wrote that only Diebold Nixdorf devices were attacked”, – told ZDNet reporters.
Telefonica’s banking specialist, Manuel Pintag, told reporters that this method of hacking ATMs is not unique in general, although it had previously been encountered not in Europe but in Latin America.
Recall that we recently wrote that the ProLock Ransomware Operators Also Attacked Diebold Nixdorf ATM Provider.