Diebold Nixdorf warns of a wave of ATM black box attacks across Europe

ATM maker Diebold Nixdorf is warning banks a new ATM black box attack technique that was recently employed in cyber thefts in Europe.

Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry, is physically connected to the ATM and is used by the attackers to send commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

This week, Diebold Nixdorf, a leading manufacturer of ATM machines, has issued an alert to customers warning all banks of a new variant of ATM black box or jackpotting attacks.

The alert was issued after the Agenta Bank in Belgium was forced to shut down 143 ATMs after a jackpotting attack.

All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This is the first time that Belgian authorities observe this criminal practice in the country.

According to a security alert issued by Diebold Nixdorf, and obtained by ZDNet, the new variation of black box attacks has been used in certain countries across Europe.

“In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment.” reads the alert issued by the vendor. “Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands. Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM.”

The experts are still investigating how these portions of the stack code were obtained by the crooks, they speculated that attackers could have had offline access to an unencrypted hard disc.

The alert includes recommendations for countermeasures, such as:

Implement protection mechanisms for cash modules;
Implement hardening of the software stack;
Limit physical access to the ATM

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, black box)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.