Security information, event management systems essential in thwarting ATM cyberattacks
Cybersecurity company Positive Technologies has received kudos from Intel Security for detecting a serious vulnerability (described in a Dec. 1 security bulletin) in the latter company's Solidcore ATM protection product, according to a press release.
The zero-day vulnerability was found during an ATM security investigation requested by a major bank. Intel Security has issued a patch and is urgently recommending its application.
Solidcore is widely used in Windows-based ATMs to detect and block malware by means of whitelisting, and to control privileges of running processes.
The vulnerability would allow an unauthorized person to use an IOCTL processor from one of the drivers to damage OS Windows kernel memory. Exploitation of this vulnerability could lead to arbitrary code execution with system rights, escalation of user privileges from guest to system, or OS emergency shut down.
"Knowing this vulnerability exists, hackers could successfully attack banks using customized malware, with proven attacks in the wild," Alex Mathews, lead security evangelist at Positive Technologies, said in the release. "In 2014, for instance, Tyupkin ATM malware was detected, which was notable precisely for its ability to disable Solidcore in order to conceal its malicious activity. Thanks to this Trojan, attackers stole hundreds of thousands dollars from Eastern Europe ATMs unnoticed.
"The core protection for ATMs has to be regular security audits [and] the creation of secure ATM configuration policies, combined with continuous monitoring for compliance with these requirements. Such monitoring would significantly increase ATM protection from attacks exploiting simple vulnerabilities such as kiosk mode bypass and the absence of BIOS passwords.
"For real-time detection of targeted attacks, the recommendation is to use security information and event management systems to detect suspicious activities or event sequences — such as the connection of any devices to an ATM, an unexpected reboot, the repeated depression of keys, or the execution of unauthorized commands."