Some of you may have read about a piece of malicious software (malware) called Tyupkin being used for illegally withdrawing funds from ATMs (Automated Teller Machines). If you haven’t then have a look at the Karpesky Lab and the Interpol article.
The timing of the article seemed to coincide well with reports from authorities in Malaysia about criminals using malware to withdraw a lot of money from 18 ATMs around the country.
Malware on other than stock PCs or laptops is definitely interesting to discuss. While there is a lot of discussion about the malware itself, for example, ‘payload’ (what it does) or how it works, it is important also to understand how it gets installed on the ATM in the first place. Your typical malware-of-the-day relies a lot of exploiting client side vulnerabilities (that is, drive-by-downloads) or authentication weaknesses in Internet facing services. But what about ATMs ? How do they got infected to begin with?
Fortunately one doesn’t have to look that far. Here’s what Karspersky’s Lab mentioned in their write-up (emphasis is mine):
“The criminals work in two stages. First, they gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected ATM is now under their control and the malware runs in an infinite loop waiting for a command”
In the news article about the incident in Malaysia the Royal Malaysia Police were quoted as saying something similar about the technique:
“The suspects opened the ATM’s top panel and inserted a disc to infect the machine with the virus. Once the disc was ejected, they would close the panel and their accomplices would withdraw the money by typing automatically generated codes, usually sent to vendors through their mobile phone”.
Managing Physical Security is part of Cyber Security
I am sure there are best practices and guidelines from Central Banks available for protecting ATMs as attacks against them are not uncommon (see card-skimming or fork-lifting and my favorite, sap-ping).
But I want to bring your attention to the importance of physical security. Physical security of IT assets is critical to achieving your cyber security goals. A threat actor who can access IT assets such as laptops or servers can potentially commit theft or breach security, which in turn can affect the confidentiality, availability and integrity of information systems. That is why, for example, we control physical access to the the office or server rooms complete with CCTVs, password protect our screen-savers and BIOS, and use disk-encryption on portable devices.
Again, this is nothing new. Many of the IT Security Management Standards or Frameworks such as ISO/IEC 27001:2013, the ISF Standard of Good Practice for Information Security and NIST’s CyberSecurity Framework cover the need to manage physical access and apply relevant controls to protect your IT assets.
The malware-in-the-ATM attack is a good reminder that the need for physical security is just as important. But if that will not make you stop and think about physical security, perhaps this research paper will.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.