Date posted: 11-Aug-2015
Category: Software
Uploaded by: alexandru-gherman
ATM Compromise with or without Whitelisting
Agenda
1. whoami
2. Application Whitelisting
3. Threat: ATM Jackpotting malware
4. Software mitigations have improved but we still see weaknesses
5. Recommendations
23/06/15 2 © FortConsult
whoami Alexandru Gherman
Head of Research | Principal Security Consultant
FortConsult Denmark | NCC Group
Reverse engineering * Firmware * UEFI * Finding Bugs * Malware analysis
@alexgherman
23/06/15 © NCC Group 3
What we do @FortConsult
Ø Reverse engineering
Ø Penetration Testing
Ø ATM security testing (Physical and Software attacks)
Ø Security assessments
Ø Audits * Source Code Review * Static and dynamic analysis
Ø Hardware security testing: ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices
Ø Malware analysis
Ø Threat analysis and research * Incident Response * Forensics
Application Whitelisting
♦ Appropriate for ATM devices
♦ It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess)
♦ Unique way to secure against unauthorized software
♦ Reduces the risk but does not make the solution infallible to buffer overflow type attacks: exploit code running inside an already whitelisted process never passes through the load/execute hooks
However, there is still a risk
Only one of these has to be vulnerable for the system to be compromised!
Why? Buffer overflows and other development errors are still common…
Still vulnerable on the network
Tyupkin Malware – Backdoor.MSIL.Tyupkin
♦ What is Tyupkin?
♦ Stage 1
§ Physical access to the ATM
§ Insert a bootable CD
§ Once the ATM is rebooted from it, the infected ATM is under the attacker's control
♦ Stage 2
§ Infinite loop waiting for a command
§ Only accepts commands at specific times
Bypassing Whitelisting can lead to jackpotting
Ø FortConsult performed a lot of research and developed its own XFS-compliant code
Ø Although we worked with ATM emulated environments, what we developed seems to work on any XFS-compliant ATM!
Ø Administrative privilege is not necessarily required to jackpot
Ø Let us try it with your setup?
All this can happen while offline and without network connectivity!
Without being monitored…
On a priority scale, you don't need 0-day detection, you need compromise detection first. Knowing how you were compromised is less important than knowing that you were.
The path to the risk
♦ In every application there are design/development errors
♦ A single vulnerable “whitelisted” application, or one of the underlying components it depends on, is all it takes to compromise a system
♦ “Buffer overflow detections” don't always work as advertised
♦ Exploitation
§ Develop exploit
§ Control EIP
§ Gain arbitrary code execution
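The two points made so far, that a whitelist enforced at image-load time is blind to what happens inside an approved process, and that one development error in such a process is enough to take control of execution, can be shown in a few lines of C. This is an added example written for this page, not code from the FortConsult deck or from any ATM vendor: the message record, the `dispense()` routine standing in for a privileged in-process function, and the `whitelist_image_load()` hook are all hypothetical. The overwrite targets a function pointer rather than a saved return address, but the effect matches the “Control EIP” step above: the next instruction pointer value is attacker-chosen, and the whitelist hook is never consulted because no new image is loaded.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (added example, not the deck's code): a whitelisting
 * hook that only vets new image loads, and an already-whitelisted message
 * parser whose length check is against the wrong size. */

static int g_hook_calls = 0;   /* how often the whitelist hook was consulted */
static int g_dispensed  = 0;   /* set when the privileged in-process function runs */

int  hook_calls(void)  { return g_hook_calls; }
int  dispensed(void)   { return g_dispensed; }
void reset_state(void) { g_hook_calls = 0; g_dispensed = 0; }

/* Enforcement point of the whitelist: it sees LoadLibrary/CreateProcess
 * style events and nothing else. */
int whitelist_image_load(const char *image)
{
    g_hook_calls++;
    return strcmp(image, "atm_app.exe") == 0;   /* only the ATM application is approved */
}

static void log_message(void) { puts("message logged"); }
/* Stands in for a privileged routine (e.g. the code path that drives the
 * cash dispenser) that legitimately lives inside the whitelisted process. */
static void dispense(void) { g_dispensed = 1; }

struct message {
    char   body[16];          /* fixed-size text field */
    void (*handler)(void);    /* called once the record has been parsed */
};

/* Vulnerable: the bound is the whole record, not the body field, so a long
 * message runs past body[] into handler. The copy goes through a byte
 * pointer to the record so the overwrite stays inside the object. */
int handle_message_vulnerable(const unsigned char *data, size_t len)
{
    struct message m;
    unsigned char *rec = (unsigned char *)&m;
    m.handler = log_message;
    if (len > sizeof m) return -1;                    /* BUG: should be sizeof m.body */
    memcpy(rec + offsetof(struct message, body), data, len);
    m.handler();                                      /* now an attacker-chosen target */
    return g_dispensed;
}

/* Hardened: bound the copy to the field that actually receives it. */
int handle_message_hardened(const unsigned char *data, size_t len)
{
    struct message m;
    m.handler = log_message;
    if (len > sizeof m.body) return -1;               /* oversized input is rejected */
    memcpy(m.body, data, len);
    m.handler();
    return g_dispensed;
}

/* Craft the record: filler up to the handler slot, then dispense()'s address.
 * On a real target the attacker must first learn that address, which is
 * exactly what ASLR is meant to deny; here it is simply read at run time. */
size_t build_payload(unsigned char *out)
{
    void (*target)(void) = dispense;
    size_t off = offsetof(struct message, handler);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;                       /* == sizeof(struct message) */
}

/* Feed the crafted record to a parser and return the parser's result. */
int attack(int (*parser)(const unsigned char *, size_t))
{
    unsigned char payload[sizeof(struct message)];
    size_t n = build_payload(payload);
    reset_state();
    return parser(payload, n);
}

int main(void)
{
    int r = attack(handle_message_vulnerable);
    printf("vulnerable parser: result=%d dispensed=%d hook calls=%d\n", r, dispensed(), hook_calls());
    r = attack(handle_message_hardened);
    printf("hardened parser:   result=%d dispensed=%d hook calls=%d\n", r, dispensed(), hook_calls());
    printf("whitelist: evil.exe=%d atm_app.exe=%d\n",
           whitelist_image_load("evil.exe"), whitelist_image_load("atm_app.exe"));
    return 0;
}
```

The hook count staying at zero during the attack is the point: the whitelist would have stopped `evil.exe`, but nothing new was ever loaded, so it was never asked. The hardened parser rejects the same record before the copy; on a real product that is the code-review finding, and ASLR is the runtime control that makes `build_payload()` hard when the review was missed.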
Unlike Tyupkin’s Physical Access, we used a buffer overflow in a Whitelisted Application!
An attacker would always look for a door that allows a bypass!
Software Development
♦ Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible
ASLR in Windows!
Demo time!
Recommendations? Probably not to uninstall or disable whitelisting. It is still one of the only controls available, and if not the only one, probably the best right now!
Ø Thorough application inventory review of all the applications installed on the ATM
Ø Internet Explorer
Ø Java/Flash Runtime engines
Ø Image renderers, Virtual Browsers
Ø Communications and message parsers
Ø ATM security test (Blackbox/Greybox)
Ø Physical attacks
Ø Network attacks
Ø Application attacks
Ø Source Code review of the custom applications installed
Ø Build a Lockdown Suite of Security Controls formed out of a combination of
Ø Windows Security Features (ASLR, DEP, Stack Canaries)
Ø Disk Encryption
Ø Whitelisting
Ø And other security controls which we usually see left unused!
Ø We can help you here!
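The application inventory review and the lockdown suite both reduce to one question per binary on the ATM: did it opt in to the Windows mitigations at build time? That is recorded in the DllCharacteristics field of the PE optional header, so an inventory script can answer it without running anything. The following is an added example for this page, not code from the deck or from any vendor tool: `pe_dll_characteristics()` parses that field from a PE32 or PE32+ image held in memory using the documented IMAGE_DLLCHARACTERISTICS_* bit values, and `make_test_pe()` constructs a minimal header (not a loadable executable) so the check can be exercised offline. Stack canaries (/GS) are not flagged in the header and still need a source or disassembly check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header. */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020   /* 64-bit high-entropy ASLR */
#define DLLCHAR_DYNAMIC_BASE    0x0040   /* ASLR: image may be relocated */
#define DLLCHAR_NX_COMPAT       0x0100   /* DEP compatible */
#define DLLCHAR_GUARD_CF        0x4000   /* Control Flow Guard */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return the DllCharacteristics word of a PE image held in memory, or -1 if
 * the buffer is not a parsable PE32/PE32+ header. Every offset is bounds
 * checked against len before it is read. */
int pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3c);                 /* e_lfanew */
    /* "PE\0\0" (4) + COFF file header (20) + optional header through DllCharacteristics (72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;    /* PE32 / PE32+ only */
    /* DllCharacteristics sits at optional-header offset 70 in both formats */
    return rd16(opt + 70);
}

/* Minimum for the lockdown suite: ASLR and DEP both opted in. */
int pe_has_aslr_and_dep(const uint8_t *img, size_t len)
{
    int dc = pe_dll_characteristics(img, len);
    if (dc < 0) return 0;
    return ((dc & DLLCHAR_DYNAMIC_BASE) && (dc & DLLCHAR_NX_COMPAT)) ? 1 : 0;
}

/* Constructed test input (not a real binary): a minimal PE32+ header that
 * carries the given DllCharacteristics, just enough for the parser above. */
size_t make_test_pe(uint8_t *out, size_t cap, uint16_t dllchar)
{
    const size_t pe_off = 0x80, need = pe_off + 4 + 20 + 72;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = (uint8_t)pe_off;                        /* e_lfanew, little-endian */
    memcpy(out + pe_off, "PE\0\0", 4);
    uint8_t *opt = out + pe_off + 24;
    opt[0] = 0x0b; opt[1] = 0x02;                       /* magic 0x20b: PE32+ */
    opt[70] = (uint8_t)(dllchar & 0xff);
    opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

/* Self-check helpers: build a constructed image with the flags and classify it. */
int constructed_image_characteristics(uint16_t dllchar)
{
    uint8_t buf[256];
    size_t n = make_test_pe(buf, sizeof buf, dllchar);
    return pe_dll_characteristics(buf, n);
}
int constructed_image_has_aslr_and_dep(uint16_t dllchar)
{
    uint8_t buf[256];
    size_t n = make_test_pe(buf, sizeof buf, dllchar);
    return pe_has_aslr_and_dep(buf, n);
}

int main(void)
{
    uint16_t samples[] = { 0, DLLCHAR_NX_COMPAT, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT,
                           DLLCHAR_HIGH_ENTROPY_VA | DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_GUARD_CF };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int dc = constructed_image_characteristics(samples[i]);
        printf("DllCharacteristics=0x%04x ASLR=%d DEP=%d HighEntropy=%d CFG=%d -> %s\n", dc,
               !!(dc & DLLCHAR_DYNAMIC_BASE), !!(dc & DLLCHAR_NX_COMPAT),
               !!(dc & DLLCHAR_HIGH_ENTROPY_VA), !!(dc & DLLCHAR_GUARD_CF),
               constructed_image_has_aslr_and_dep(samples[i]) ? "meets minimum" : "REVIEW");
    }
    return 0;
}
```

To use it on a real inventory, read each executable and DLL from the ATM image into a buffer and pass it to `pe_has_aslr_and_dep()`; anything that returns 0 is a candidate for the code-review and exploitation path the earlier slides describe, because a single non-ASLR module in a whitelisted process is enough to anchor an exploit.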
Europe
Manchester - Head Office
Amsterdam
Cheltenham
Copenhagen
Edinburgh
Leatherhead
London
Luxembourg
Milton Keynes
Munich
Zurich
Sweden
Vilnius
Portugal
North America
Atlanta
Austin
Chicago
New York
San Francisco
Seattle
Sunnyvale
Australia
Sydney
Russia
Moscow
A very special thank you to the expert team at KAL ATM Software, they are one of the only companies worldwide who support advanced testing and research.