Cash-spitting ATM malware blamed on Cobalt hacking gang

It’s been a tough year security-wise for financial institutions around the world…

ATM malware spits out cash for Cobalt hacking gang

A security firm has accused a computer criminal collective called the Cobalt Group of having perpetrated ATM malware attacks across Europe.

In a report, the Russian security firm Group-IB names Cobalt as the most likely hacking gang behind a series of attacks that compromised ATMs in 14 countries, including the Netherlands, Poland, Romania, Russia, Spain, and Britain.

Group-IB based the name it gave the gang on "Cobalt Strike," a penetration testing tool that helped the attackers pivot from banking computers infected via malicious emails to the specialized servers that control ATMs.


From those compromised servers, the Cobalt gang conducted what are known as "touchless jackpotting" attacks. The group essentially commanded the target ATMs to spit out cash, but it did so without physically manipulating the terminals. Everything was done remotely: a logical (i.e. malware-based) attack rather than a physical one.

Cobalt knew what it was doing, too. Sometimes, all it took was ten minutes for the threat actor to gain control over a financial organization's banking network.

Unfortunately, we don't know a lot about the Cobalt group at this time. According to Reuters, Group-IB thinks the group is connected to another computer criminal group called Buhtrap based upon the two collectives' use of similar tools and techniques.

Buhtrap stole 1.8 billion rubles ($28 million) from Russian banks from August 2015 to January 2016. It is believed to have done so using fraudulent wire transfers and not logical attacks.

To be sure, Cobalt isn't the only group that has targeted banking infrastructure.

Cobalt's attacks constitute part of a growing crime wave against financial organizations, a surge which has included the use of malware to infect ATM hard disks and issue fraudulent money transfers via the SWIFT secure messaging provider.

Dmitry Volkov, Head of the Investigation Department and the Bot‑Trek Intelligence service, is concerned about the growing threat malware poses to banks. That's why he's urging financial organizations to upgrade their defenses against logical attacks:

"Logical attacks on ATMs are expected to become one of the key threats targeting banks: they enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services. That said, this type of attack does not require development of expensive advanced software – a significant amount of the tools used are widely available on the deep web. Every bank is under threat of logical attacks on ATMs and should be protected accordingly."

The best way banks can protect themselves against malware attacks is by placing their ATMs inside a building that's in full-view of a security camera. That won't deter a determined criminal, but it will certainly raise the stakes for attackers with more to lose.

Banks should also train their employees to be on the lookout for common threats like targeted attacks. It sounds like Cobalt likes to use malicious email attachments exploiting Microsoft Word vulnerabilities to gain a foothold in a target organization's network.

If employees know how to spot suspicious emails, a group like Cobalt won't be able to access an organization's ATM servers. They will therefore need to conduct their attacks locally, which is certainly more risky.

Just as an added layer of defense, banks should also use email filters and blacklists to reduce the chance that malicious emails will ever reach their employees.



One Response

  1. Mark Jacobs

    November 23, 2016 at 11:28 am

    So, the suggestion is to increase camera deployment and spy on all cash machine withdrawals everywhere. As if we haven't got enough cameras looking at everyone… And when it comes to the crunch, half of them don't work anyway. And unpatched cameras can be hacked to "turn a blind eye". And authorities never seem to be able to get incriminating footage when terrorist or other major events happen (c.f. Princess Diana tunnel cameras in France) … Sorry, I'm rambling again! ;-)
