In 2014 and 2015, the Carbanak attacks netted cyber criminals upwards of $1 billion from financial institutions worldwide. In 2016, the Buhtrap gang collected $2.6 million from bank-owned ATMs in Taiwan in just two days; the gang's attacks have reportedly resulted in over $300 million in losses overall. The next crime ring may be different, but its tactics and goals will likely be similar. By understanding the tactics used in previous attacks, financial institutions can take proactive steps to break the attack chain.
As reported, attackers linked to the Buhtrap gang gained access to banks throughout Taiwan and Thailand using phishing emails that appeared to come from ATM vendors and other banks. When bank employees opened those emails and their attachments, the attackers were in.
In the case of First Commercial Bank of Taiwan, the attackers first broke in by compromising a user in the bank's London office via phishing, then used that insider access to move freely through the network until they had the level of privileged access needed to push a malicious software update to the bank's ATMs. The planted malware later let the attackers dispense $2.6 million from infected ATMs in two days.
Based on what is currently known about these recent attacks, as well as what we know about the previous Carbanak attacks, here are five steps financial institutions can take to reduce the risk of becoming the next victim:
- If it’s End of Support, it’s time for an upgrade. Windows XP was the backbone of ATMs for a decade, and it reached End of Support (EOS) in April 2014, which means no more security updates. Yet a year after EOS, 75 percent of ATMs still ran Windows XP. Make the criminals work for their paycheck: a cyber attack is far more costly than an upgrade.
- Patch, patch, patch. Whether it’s your ATMs, financial systems, IT infrastructure or endpoints, don’t give attackers an open invitation into your network.
- Default-deny can be your friend. Though the malware planted on First Commercial Bank’s ATMs arrived through the bank’s own software update channel, not all attacks are that sophisticated or coordinated. Many ATM malware attacks rely on physical access to the machine, and those can often be blocked with a “default-deny” approach to application control: only the binaries explicitly approved for the ATM image are allowed to execute, and everything else is refused. Note the limit of this control: an update that passes through the approved distribution channel will be allowed, which is why the next two steps matter as much.
- Lock down privileged accounts that grant administrative access. Determine who has access to your software distribution systems, and identify which employees and vendors are authorized to update and administer ATMs and financial systems. These users and their accounts are prime targets for highly motivated cyber criminals.
- Block and contain the attack as early as possible. A range of security controls can help you proactively prevent cyber criminals from gaining access to financial systems, ATMs, software distribution systems and other critical systems: control which applications can run on endpoints, remove local admin rights from standard users, and lock down privileged accounts throughout your environment. Together these three steps limit an attacker’s ability to establish a foothold inside your network and to move laterally if they do get inside.
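The following PowerShell script is an added example and is not part of the original post or any vendor's tooling. It shows how the default-deny application control, local-admin removal and privileged-account audit described above look on a Windows ATM or back-office endpoint. Every path, group name and account name in it (C:\ATM\bin, ATMBANK\ATM-Admins, the ATM-Software-Distribution group) is an assumption chosen for illustration, and the AD audit at the end requires the RSAT ActiveDirectory module.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: hardening script for a Windows ATM or
# back-office endpoint. Part 1 builds a default-deny AppLocker policy from the
# approved software image; Part 2 strips unapproved local admins and lists who can
# still push software. All paths, group names and account names are assumptions.

# ---------- Part 1: default-deny application control (AppLocker) ----------

# AppLocker only enforces while the Application Identity service is running.
# (On recent Windows builds Set-Service cannot change this service, hence sc.exe.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Directories that make up the approved ATM image (assumed paths). Scanning
# C:\Windows takes a while, but on a frozen ATM image it is a one-time cost.
$ApprovedDirs = @('C:\Windows', 'C:\Program Files', 'C:\ATM\bin')

# Gather publisher and hash information for every EXE, DLL and script on the image.
$FileInfo = foreach ($dir in $ApprovedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}

# Signed files become publisher rules, unsigned ones hash rules; -Optimize merges
# duplicates. Once enforced, anything the rules do not cover is denied by default.
$Policy = New-AppLockerPolicy -FileInformation $FileInfo `
                              -RuleType Publisher, Hash -User Everyone -Optimize

# Start in audit mode: review the Microsoft-Windows-AppLocker event logs for
# "would have been blocked" events, then switch to 'Enabled' once the image is clean.
foreach ($collection in $Policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
Set-AppLockerPolicy -PolicyObject $Policy

# Dry-run files against the policy before they ever execute. Expected decisions:
# Allowed for an image binary, DeniedByDefault for anything else, such as a
# cash-out tool dropped from a USB stick (both paths are assumed).
Test-AppLockerPolicy -PolicyObject $Policy -User Everyone `
    -Path 'C:\ATM\bin\atmservice.exe', 'D:\dropped\cashout.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# ---------- Part 2: local admin rights and privileged accounts ----------

# Principals allowed to keep local admin on this machine (assumed names).
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'ATMBANK\ATM-Admins')

# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later; on older
# builds list members with 'net localgroup Administrators' instead.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($ApprovedAdmins -notcontains $member.Name) {
        Write-Warning "Removing unapproved local admin: $($member.Name) ($($member.ObjectClass))"
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
    }
}

# Audit who can push software to the ATM fleet: expand the AD group that controls
# the distribution system (assumed group name; needs the RSAT ActiveDirectory
# module) and flag accounts that are disabled or have not logged on in 90 days.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADGroupMember -Identity 'ATM-Software-Distribution' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
        @{ Name = 'Stale'; Expression = { -not $_.Enabled -or $_.LastLogonDate -lt $Cutoff } } |
    Sort-Object Stale -Descending |
    Format-Table -AutoSize
```

Run Part 1 on a golden image rather than on each machine, then export the resulting policy (Get-AppLockerPolicy -Local -Xml) and distribute it through Group Policy so every ATM enforces the same rule set. The dry-run at the end of Part 1 is also where the caveat from the default-deny step shows up: a malicious update signed with the vendor's certificate matches the publisher rule and reports Allowed, which is exactly why the account audit in Part 2 belongs in the same change.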