7 sins of ATM protection against logical attacks Timur Yunusov - - PowerPoint PPT Presentation

▶

Sep 30, 2023 191 likes •653 views

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com whoami Positive Technologies (from 2009) Application security researcher (from 2009) Banking systems

SLIDE 1

Заголовок

ptsecurity.com

7 sins of ATM

protection against logical attacks

Timur Yunusov

Senior expert

SLIDE 2

Заголовок whoami

Positive Technologies (from 2009)
Application security researcher (from 2009)
Banking systems security senior expert (from 2012)
Big fan of #nullcon
Always in search/research ;)

SLIDE 3

Заголовок whoami

Positive Technologies (from 2009)
Application security researcher (from 2009)
Banking systems security senior expert (from 2012)
Big fan of #nullcon
Always in search/research ;)

10+ ATMs for the last year

SLIDE 4

Заголовок ATM security assessment

SLIDE 5

Заголовок 7 sins

Kiosk bypass techniques
Privilege escalation techniques
Application control software bypass
Network physical layer
Device management
Booting process
Logical vulnerabilities
OS / Software vulns /

Kiosk mode bypass

Network attacks
Hardware attacks

Hardware Network

SLIDE 6

Заголовок Blackbox

Blackbox is dead

SLIDE 7

Заголовок Blackbox

Blackbox is dead

SLIDE 8

Заголовок Blackbox

Blackbox is (almost) dead (for researchers)

Have strong crypto btw dispenser and OS? BB is not possible BB is possible Yes

SLIDE 9

Заголовок Kiosk mode bypass

Kiosk mode bypass Windows XP/7

SLIDE 10

Заголовок Kiosk mode bypass

Safe mode
Hotkeys
Windows Plug&Play
Race condition

SLIDE 11

Заголовок Safe mode

F8 + Safe mode with command line
DS restore mode
AC/DC fun

SLIDE 12

Заголовок Hotkeys

Win+R

SLIDE 13

Заголовок Hotkeys

Win+R
Alt+Tab
Alt+F4
Alt+Shift+ESC
F1-F12
Shift x5 (Windows 7 only)
Win+(etc)

http://www.techrepublic.com/blog/windows-and-office/the- complete-list-of-windows-logo-keyboard-shortcuts/

SLIDE 14

Заголовок AlwaysOnTop

This ATM is Out Of Service, Sorry for inconvenience

SLIDE 15

Заголовок AlwaysOnTop

Disabling mouse icon
AlwaysOnTop

This ATM is Out Of Service, Sorry for inconvenience

SLIDE 16

Заголовок P&P

SLIDE 17

Заголовок P&P

SLIDE 18

Заголовок P&P video/screenshot

SLIDE 19

Заголовок End of the story

SLIDE 20

Заголовок Privilege escalation techniques

How exactly we extract money?

SLIDE 21

Заголовок Privilege escalation techniques

FS restrictions
Local Security Policy restrictions

SLIDE 22

Заголовок Privilege escalation techniques

Arbitrary command execute
XFS API
Command execute
priv escalation
Write files/registry
modify sec configs

SLIDE 23

Заголовок Privilege escalation techniques

Arbitrary command execute
XFS API
Command execute
priv escalation
Write files/registry
modify sec configs
Read files
***

SLIDE 24

Заголовок App control software bypass

Story so far…

https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html
https://cansecwest.com/slides/2016/CSW2016_Freingruber_Bypassi

ng_Application_Whitelisting.pdf

SLIDE 25

Заголовок Security software bypass

McAfee Solidcore - https://www.ptsecurity.com/ww-en/about/news/131496/
MS Applocker - http://www.blackhillsinfosec.com/?p=5257 – State of Art!
etc (6 total different products) – stay tuned!
0days (5 total, in process of fixing): network, local, logical
Misconfiguration
Whitelist Memory Execution: IE, rundll32, powershell, java, etc

SLIDE 26

Заголовок Security software bypass

SLIDE 27

Заголовок Network

+ Firewall

VPN TLS MAC

OS services
Software services (Solidcore, UPDD, etc)
Processing
Track2
Processing
Track2
Processing

SLIDE 28

Заголовок Network vulns

VPN disabling
Logical vulns part
TLS disabling
MAC disabling
Files/registry manipulations

SLIDE 29

Заголовок Network/Hardware layer

3G industrial modem
Long story short

http://blog.ptsecurity.com/2015/12/critical- vulnerabilities-in-3g4g-modems.html

Security measures
VPN channel
Private APN
Result
ATM network infection
Processing access

SLIDE 30

Заголовок Network/Hardware layer

Access to *:80
Auth bypass
Physical access
Proper VPN protocols(((

SLIDE 31

Заголовок Device mgmt

How to do all hacking stuff much easier?

SLIDE 32

Заголовок Device mgmt

Keyboard/mouse
Teensy
Network card
fw bypass
plug&play
USB drive
local access to Exe file content
plug&play
MS13-081

SLIDE 33

Заголовок Booting process

The easiest way is…

SLIDE 34

Заголовок Booting process

BIOS pwd
Network load
Safe mode
Physical access
OS access
Same passwords story
Bootkit
Software skimming

SLIDE 35

Заголовок Logical vulns

How it happened?

SLIDE 36

Заголовок Logical vulns

Security tools runs from regedit/autorun
Shift x5
Win+U
Security race condition
Hash(loooooooong file)
exploit.exe at the same time
Ctrl+C

SLIDE 37

Заголовок Logical vulns

SLIDE 38

Заголовок Logical vulns

VPN disabling

SLIDE 39

Заголовок Logical vulns

FS access is strictly prohibited

SLIDE 40

Заголовок Logical vulns

FTP is strictly prohibited!

SLIDE 41

Заголовок Summary

Windows 7 SP1 ATM Windows XP SP3 ATM

Kiosk bypass Hotkeys/Safe mode KeyboardDisabler bypass App control bypass 0day/Trusted soft Untrusted booting Privilege escalation 0day/MS15-051 Untrusted booting VPN/TLS disabling Misconfiguration/FS Untrusted booting Social Engineering Misconfiguration/FS

Untrusted boot

BIOS accessing from OS No password Network attacks MAC/TLS/VPN/App service MAC/TLS/VPN/OS services

SLIDE 42

Заголовок How all that happens?

Security through obscurity is not an option!
You should know your landscape and your threat model
Use compliance management tools instead of paper
In case of impossibility of fixing vulns, use

mitigation measures like SIEM

SLIDE 43

Заголовок Greetz

Anon guy ;-)
Positive Technologies researchers teams:
ICS/SCADA
Reverse Engineering
Banking security

SLIDE 44

Заголовок Contacts

http://uk.linkedin.com/in/tyunusov tyunusov@ptsecurity.com a66at

SLIDE 45

Заголовок

Thank You!

ptsecurity.com