Viruses and Worms

Internet of Ships falling down on security basics

Sophos Naked Security - 2 hours 50 min ago
While most modern ships may not have physical leaks, they are catastrophically porous when it comes to cyber security.

Ex-TalkTalk chief grilled by MPs on suitability to chair NHS Improvement

The Register - Anti-Virus - 3 hours 25 min ago
From heading one cyber-attack victim to another

Dido Harding, the woman at the helm during TalkTalk's 2015 mega breach, was yesterday grilled about her move to chair NHS Improvement, the body responsible for overseeing the UK's health service and also famously clobbered by a huge cyber attack.…

Category: Viruses and Worms

Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

The Register - Anti-Virus - 4 hours 26 min ago
Plod say crims now too hard to find and catch online

Europol has asked cellphone networks and other internet providers to stop using Carrier Grade Network Address Translation (CGNAT) – because it’s making life too difficult for cops trying to track cyber-villains across the web.…

Category: Viruses and Worms

Oracle Hospitality apps rolled out the Big Red carpet to crims

The Register - Anti-Virus - 7 hours 29 min ago
Brrrt! Brrrt! Brrrt! Big Red's bug gun targets 252 bugs, and you for not patching fast enough

Hundreds of products, more than 250 vulnerabilities … yes, it's Oracle's quarterly critical patch update day!…

Category: Viruses and Worms

IRS tax bods tell Americans to chill out about Equifax

The Register - Anti-Virus - 8 hours 33 min ago
Your personal data was probably already in crims' hands

The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.…

Category: Viruses and Worms

Domino's Pizza delivers user details to spammers

The Register - Anti-Virus - 11 hours 9 min ago
I’ll have a garlic bread, a Supreme and a side of privacy breach by slack partners

Domino's Pizza's Australian outpost has blamed a partner for a security breach, after angry customers went online complaining about finding themselves on spam lists.…

Category: Viruses and Worms

uBlock Origin ad-blocker knocked for blocking hack attack squawking

The Register - Anti-Virus - 12 hours 15 min ago
Block all the things! No, wait, not the XSS security alerts

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks.…

Category: Viruses and Worms

Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced

The Register - Anti-Virus - 12 hours 46 min ago
Forget KRACK, good ol' Office malware has biz workers in its sights again

Updated  Malware exploiting Microsoft Word's DDE features to infect computers has been lobbed at US government-backed mortgage biz Freddie Mac.…

Category: Viruses and Worms

Oracle Patches 250 Bugs in Quarterly Critical Patch Update

VirusList.com - 13 hours 14 min ago
Three critical SQL injection vulnerabilities in Oracle's popular E-Business Suite make up a part of 250 bugs patched for the company's quarterly Critical Patch Update,
Category: Viruses and Worms

Google Home Mini glitch triggers secret recordings

Sophos Naked Security - 17 October 2017 - 16:58
Artem Russakovskii's Google Home Mini recorded and uploaded every nearby sound over a two-day period

Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones

VirusList.com - 17 October 2017 - 15:00
Lenovo customers are being told to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities impacting tens of millions of vulnerable Lenovo devices.
Category: Viruses and Worms

NHS: Remember those patient records we didn't deliver? Well, we found another 162,000

The Register - Anti-Virus - 17 October 2017 - 14:30
Dealing with backlog could cost 'in the zone of a million'

NHS leaders have admitted that the biggest ever loss of patient documents is worse than initially thought, as another 162,000 undelivered documents have been discovered.…

Category: Viruses and Worms

The fix is in for hackable voting machines: use paper

Sophos Naked Security - 17 October 2017 - 14:09
There should be a paper trail for every vote

ATM malware is being sold on Darknet market

Kaspersky Securelist - 17 October 2017 - 11:00

Disclaimer and warning

ATM systems appear to be very secure, but the money can be accessed fairly easily if you know what you are doing. Criminals are exploiting hardware and software vulnerabilities to interact with ATMs, meaning ATMs need to be made more secure. This can be achieved with the help of additional security software, properly configured to stop the execution of non-whitelisted programs on ATMs.

Worryingly, it is very easy to find detailed manuals of ATM malware. Anybody can simply buy them for around 5000 USD on darknet markets.

Introduction

In May 2017, Kaspersky Lab researchers discovered a forum post advertising ATM malware that was targeting specific vendor ATMs. The forum contained a short description of a crimeware kit designed to empty ATMs with the help of a vendor specific API, without interacting with ATM users and their data. The post links to an offer that was initially published on the AlphaBay Darknet marketplace, which was recently taken down by the FBI.


Advertisement post


An offer post on AlphaBay market

The price of the kit was 5000 USD at the time of research. The AlphaBay description includes details such as the required equipment and targeted ATM models, as well as tips and tricks for the malware’s operation. Part of a detailed manual for the toolkit was also provided.


Screenshot of a description on AlphaBay market

Previously described ATM malware Tyupkin was also mentioned in this text. The manual “Wall ATM Read Me.txt” was distributed as a plain text file, written in poor English and with bad text formatting. The use of slang and grammatical mistakes suggests that this text was most likely written by a native Russian-speaker.


Part of the manual with text formatting applied

The manual provides a detailed picture, though only a fragment of the complete manual is being shown. There is a description for each step of the dispense process:

Prepare all tools; all the programs should be placed on a flash disk.
Tools are a wireless keyboard, USB hub, USB cable, USB adapter USB A female to B female, Windows 7 laptop or tablet (to run the code generator) and a drill.
Find an appropriate ATM.
Open the ATM door and plug into the USB port.
Execute Stimulator to see full information on all the ATM cassettes.
Execute CUTLET MAKER to get its code.
Execute the password generator on a tablet or laptop and paste the CUTLET MAKER code into it; put the resulting password into CUTLET MAKER.
Dispense the money from the chosen cassette.

The manual provides usage descriptions for all parts of the toolset. The kit consists of the CUTLET MAKER ATM malware as the primary element, a password generator for it, and Stimulator, an application that gathers the cash cassette status of a target ATM. The kit is a collection of programs possibly written by different authors: CUTLET MAKER and Stimulator are protected in the same way, while c0decalc is a simple terminal-based application with no protection at all.

Delicious cutlet ingredients: CUTLET MAKER, c0decalc and Stimulator

The first sample was named “CUTLET MAKER” by its authors and has been designed to operate the cash dispense process on specific vendor ATMs.

To answer the question of how a cook from the CUTLET MAKER interface and cutlets relate to stealing money from ATMs, we must explain the meaning of the word “Cutlet“. Originally, it means a meat dish, but as a Russian slang term “Cutlet” (котлета) means “a bundle of money”, suggesting that the criminals behind the malware might be native Russian speakers.

The functionality of CUTLET MAKER suggests that two people are supposed to be involved in the theft; the roles are called “drop” and “drop master”. Access to the dispense mechanism of CUTLET MAKER is password protected, though a single person holding the c0decalc application could generate the password alone. Either network or physical access to the ATM is required to enter the code into the application’s text area and to interact with its user interface.

Stimulator was possibly developed by the same authors. Its purpose is to retrieve and show the status information of specific vendor ATM cash cassettes (such as currency, value and the amount of notes).

CUTLET MAKER and c0decalc

CUTLET MAKER is the main module responsible for dispensing money from the ATM. The sample analysed in this research has the MD5 checksum “fac356509a156a8f11ce69f149198108” and the compilation timestamp Sat Jul 30 20:17:08 2016 UTC.

The program is written in Delphi and was packed with VMProtect, however it is possible that multiple packers might have been used.

Different versions of the main component were found while researching this toolset. The first known submission of the earliest version to a public multiscanner service took place on June 22nd 2016. The submissions discovered by Kaspersky Lab came from different countries, Ukraine being the first chronologically.

Known CUTLET MAKER filenames (according to public multiscanner service information):

cm.vmp.exe
cm15.vmp.exe
cm16F.exe
cm17F.exe

The following version information was captured from the application’s window caption, where it follows the “CUTLET MAKER” name. Known versions at the time of research were:

1.0
1.02
1.0 F

The assumed development period is from 2016-06-22 to 2016-08-18, according to the first submission date of the earliest version and the last submission date of the latest version at the time of writing. The application requires a special library to operate, which is part of a proprietary ATM API, controlling the cash dispenser unit.

With all the dependencies in place, the interface shows a challenge code.


CUTLET MAKER challenge code marked with red rectangle

In order to unlock the application, a password from c0decalc generator needs to be entered, thereby answering the given challenge code. If the password is incorrect, the interface won’t react to any further input.

Each “CHECK HEAT” and “start cooking!” button corresponds to a specific ATM cash cassette. Buttons labeled “CHECK HEAT” dispense one note, “start cooking!” dispenses 50 “cutlets” with 60 notes each.  The “Stop!” button stops an ongoing “start cooking!” process. “Reset” is intended to reset the dispense process.

c0decalc: a password generator for CUTLET MAKER

This tool is an unprotected command line application, written in Visual C. The purpose of this application is to generate a password for CUTLET MAKER’s graphical interface.

The compilation timestamp of this sample is Sun Nov 13 11:35:25 2016 UTC, and it was first uploaded to a public multiscanner service on December 7th 2016.


Example output for “12345678” input

Kaspersky Lab researchers checked the algorithm during the analysis and found “CUTLET MAKER” working with the passwords generated by “c0decalc”.

Stimulator

The Stimulator sample analysed in this research has the MD5 hash “27640bb7908ca7303d13d50c14ccf669”. This sample is also written in Delphi and packed the same way as “CUTLET MAKER”. The compilation timestamp is Sat Jul 16 18:34:47 2016 UTC.

The application is designed to work on specific vendor ATMs and also uses proprietary API calls.

Some additional symbols were found in the memory dump of a “Stimulator” process, pointing to an interesting part of the application. After execution and pressing the “STIMULATE ME!” button, the proprietary API function is used to fetch an ATM’s cassette status. The following cassette state results are used:

1CUR
2CUR
3CUR
4CUR
1VAL
2VAL
3VAL
4VAL
1NDV
2NDV
3NDV
4NDV
1ACT
2ACT
3ACT
4ACT

Each leading digit is mapped to an ATM cassette. The three-character suffixes are interpreted as follows:

nCUR: currency of cassette n (e.g. “USD”, “RUB”)
nVAL: note value in cassette n (e.g. 00000005, 00000020)
nACT: counter for specific notes in cassette n (value from 0 to 3000)
nNDV: number of notes in the ATM for cassette n (value from 0 to 3000)


The result of “STIMULATE ME!” button press in proper environment

Each column, shown in the picture above, describes the state of one corresponding ATM cassette.
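The status keys above are simple enough to parse by hand, and doing so shows how Stimulator's output feeds the dispense step. The Python below is an added example, not Kaspersky's code or anything from the toolkit: it groups a constructed set of the sixteen keys into one record per cassette, validates the 0..3000 counter range the article gives, and works out what a single “start cooking!” run from CUTLET MAKER (50 cutlets of 60 notes, i.e. 3000 notes, the same figure as the top of the counter range) could take from each cassette. The sample values, the record field names and the `COOK_NOTES` constant are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of the sixteen status keys Stimulator reads for the four
# cassettes, in the value formats the article lists (currency code, zero-padded
# note value, note counts). Illustrative values only, not data from a real ATM.
SAMPLE_STATUS = {
    "1CUR": "USD", "1VAL": "00000020", "1NDV": "1250", "1ACT": "0",
    "2CUR": "USD", "2VAL": "00000050", "2NDV": "800",  "2ACT": "12",
    "3CUR": "USD", "3VAL": "00000100", "3NDV": "3000", "3ACT": "0",
    "4CUR": "",    "4VAL": "00000000", "4NDV": "0",    "4ACT": "0",
}

KEY_RE = re.compile(r"^([1-4])(CUR|VAL|NDV|ACT)$")
# Record field names are assumed; nACT's exact meaning is not spelled out on
# the page, so it is kept under a neutral name.
FIELDS = {"VAL": "note_value", "NDV": "notes", "ACT": "act_counter"}
MAX_NOTES = 3000          # counter range the page gives for nNDV / nACT
COOK_NOTES = 50 * 60      # one "start cooking!" run: 50 cutlets of 60 notes


def parse_cassettes(status):
    """Group nCUR/nVAL/nNDV/nACT keys into one record per cassette number n.
    Rejects keys outside the known set and counters outside 0..3000."""
    cassettes = defaultdict(dict)
    for key, raw in status.items():
        m = KEY_RE.match(key)
        if not m:
            raise ValueError(f"unexpected status key: {key!r}")
        n, field = int(m.group(1)), m.group(2)
        if field == "CUR":
            cassettes[n]["currency"] = raw.strip()
            continue
        value = int(raw)  # zero-padded decimal, e.g. "00000020" -> 20
        if field in ("NDV", "ACT") and not 0 <= value <= MAX_NOTES:
            raise ValueError(f"{key}={raw}: outside 0..{MAX_NOTES}")
        cassettes[n][FIELDS[field]] = value
    return dict(sorted(cassettes.items()))


def cassette_cash(c):
    """Face value still loaded in a cassette: notes held times note value."""
    return c["notes"] * c["note_value"]


def cook_run_take(c):
    """Notes and cash one "start cooking!" run could remove from cassette c:
    it asks for 3000 notes, bounded by what the cassette actually holds."""
    notes = min(COOK_NOTES, c["notes"])
    return notes, notes * c["note_value"]


def summarize(status):
    """Per-cassette records plus the total face value across loaded cassettes."""
    cassettes = parse_cassettes(status)
    total = sum(cassette_cash(c) for c in cassettes.values() if c["currency"])
    return cassettes, total


if __name__ == "__main__":
    cassettes, total = summarize(SAMPLE_STATUS)
    for n, c in cassettes.items():
        print(f"cassette {n}: {c}  one cook run takes: {cook_run_take(c)}")
    print("total loaded:", total)
```

With the sample values, one run against cassette 3 (3000 notes of 100) empties it completely, which is why the manual tells the operator to run Stimulator first: the cassette with the most value is the one worth “cooking”.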

The background picture used in the application interface turns out to be quite unique; the original photo was posted on a DIY blog:

https://www.oldtownhome.com/2011/8/4/Knock-Knock-Whos-There-Merv-the-Perv/


Original picture as used in “Stimulator” application (photo by Alex Santantonio)

Conclusion

This type of malware does not affect bank customers directly, it is intended for the theft of cash from specific vendor ATMs. CUTLET MAKER and Stimulator show how criminals are using legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Examples of appropriate countermeasures against such attacks include default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC. It is likely that ATMs in these attacks were infected through physical access to the PC, which means criminals were using USB drives to install malware onto the machine. In such a case, device control software would prevent them from connecting new devices, such as USB sticks. Kaspersky Embedded Systems Security will help to extend the security level of ATMs.

Kaspersky Lab products detect these threats as Backdoor.Win32.ATMletcut, Backdoor.Win32.ATMulator and Trojan.Win32.Agent.ikmo.
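The conclusion recommends a default-deny policy on the ATM's internal PC. The Python below is an added example, not Kaspersky's code or a product feature, of how such a policy differs from indicator matching when run over a file-hash sweep of the machine: the two sample MD5s and the multiscanner filenames from the article are used as block indicators, but the decision that catches an unknown repacked build is the allowlist miss. The golden-image paths and contents, and the inventory, are constructed for illustration.

```python
import hashlib
import ntpath

# Indicators quoted from the article above: sample hashes and the filenames
# seen on a public multiscanner service.
KNOWN_MD5 = {
    "fac356509a156a8f11ce69f149198108": "CUTLET MAKER",
    "27640bb7908ca7303d13d50c14ccf669": "Stimulator",
}
KNOWN_NAMES = {"cm.vmp.exe", "cm15.vmp.exe", "cm16f.exe", "cm17f.exe"}

# Hypothetical golden image: the only executables the ATM PC is meant to run.
# Contents are constructed stand-ins; a real allowlist is hashed off the
# approved build, not typed in by hand.
GOLDEN_IMAGE = {
    r"C:\ATM\xfs\dispenser.exe": b"constructed dispenser service build 4.2",
    r"C:\ATM\agent\monitor.exe": b"constructed monitoring agent 1.7",
}


def md5_hex(data):
    """MD5 is used here only to match published indicators, not as a security control."""
    return hashlib.md5(data).hexdigest()


ALLOWED_MD5 = {md5_hex(content): path for path, content in GOLDEN_IMAGE.items()}

# Constructed inventory, as a file-hash sweep of the ATM PC might report it:
# two approved binaries, the two published samples on a USB stick, one file
# that only matches by name, and one unknown binary dropped in a temp folder.
INVENTORY = [
    (r"C:\ATM\xfs\dispenser.exe", md5_hex(GOLDEN_IMAGE[r"C:\ATM\xfs\dispenser.exe"])),
    (r"C:\ATM\agent\monitor.exe", md5_hex(GOLDEN_IMAGE[r"C:\ATM\agent\monitor.exe"])),
    (r"E:\cm16F.exe", "fac356509a156a8f11ce69f149198108"),
    (r"E:\stim.exe", "27640bb7908ca7303d13d50c14ccf669"),
    (r"C:\Users\Public\cm15.vmp.exe", md5_hex(b"constructed unknown build")),
    (r"C:\Temp\svchost.exe", md5_hex(b"constructed unknown binary")),
]


def triage(path, digest):
    """Order matters: a known-bad hash beats everything, then the allowlist,
    then filename indicators, and whatever is left is blocked by default."""
    digest = digest.lower()
    if digest in KNOWN_MD5:
        return "block", f"known ATM malware: {KNOWN_MD5[digest]}"
    if digest in ALLOWED_MD5:
        return "allow", f"allowlisted, matches {ALLOWED_MD5[digest]}"
    if ntpath.basename(path).lower() in KNOWN_NAMES:
        return "block", "filename matches a known CUTLET MAKER sample"
    return "block", "not on the allowlist (default deny)"


def scan(inventory):
    """Map each path from the sweep to its (action, reason) verdict."""
    return {path: triage(path, digest) for path, digest in inventory}


if __name__ == "__main__":
    for path, (action, reason) in scan(INVENTORY).items():
        print(f"{action:5}  {path:32}  {reason}")
```

Note that the unknown binary in `C:\Temp` is blocked without any indicator for it at all; hash and filename indicators only add a more specific reason for the two published samples. Since CUTLET MAKER ships VMProtect-packed and in several versions, that default-deny verdict is the one an ATM operator should rely on, with device control keeping the USB stick from mounting in the first place.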

Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama

The Register - Anti-Virus - 17 October 2017 - 08:02
Don't panic... whoa, not so fast, Android, Linux users

WPA2 Wi-Fi users – ie, almost all of us – have had a troubling Monday with the arrival of research demonstrating a critical design flaw in the technology used to secure our wireless networks. A flaw so bad, it can be exploited by nearby miscreants to potentially snoop on people's internet connections over the air.…

Category: Viruses and Worms

Flash 0-day in the wild – patch now!

Sophos Naked Security - 17 October 2017 - 07:56
Patch Tuesday came and went without a Flash update, and then...

Crypto-coin miners caught toiling away in hacked cloud boxes

The Register - Anti-Virus - 17 October 2017 - 07:28
Manic miners don't even pwn you: They just use default creds admins are too lazy to change

Here's yet another reason to make sure you lock down your clutch of cloud services: cryptocurrency mining.…

Category: Viruses and Worms

Russia tweaks Telegram with tiny fine for decryption denial

The Register - Anti-Virus - 17 October 2017 - 05:03
FSB wanted keys, messaging outfit said Nyet

Encrypted messaging app Telegram must pay 800,000 roubles for resisting Russia's FSB's demand that it help decrypt user messages.…

Category: Viruses and Worms

Never mind the WPA2 drama... Details emerge of TPM key cockup that hits tonnes of devices

The Register - Anti-Virus - 17 October 2017 - 00:14
About a third of all crypto modules globally generate weak, crackable RSA pairs

RSA keys produced by smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and should be regenerated with stronger algorithms.…

Category: Viruses and Worms