Diebold Nixdorf warns of a wave of ATM black box attacks across Europe

ATM maker Diebold Nixdorf is warning banks a new ATM black box attack technique that was recently employed in cyber thefts in Europe.

Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry, is physically connected to the ATM and is used by the attackers to send commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

This week, Diebold Nixdorf, a leading manufacturer of ATM machines, has issued an alert to customers warning all banks of a new variant of ATM black box or jackpotting attacks.

The alert was issued after the Agenta Bank in Belgium was forced to shut down 143 ATMs after a jackpotting attack.

All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This is the first time that Belgian authorities observe this criminal practice in the country.

According to a security alert issued by Diebold Nixdorf, and obtained by ZDNet, the new variation of black box attacks has been used in certain countries across Europe.

“In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment.” reads the alert issued by the vendor. “Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands. Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM.”

The experts are still investigating how these portions of the stack code were obtained by the crooks, they speculated that attackers could have had offline access to an unencrypted hard disc.

The alert includes recommendations for countermeasures, such as:

• Implement protection mechanisms for cash modules;
• Implement hardening of the software stack;
• Limit physical access to the ATM

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, black box)

[adrotate banner=”5″]

[adrotate banner=”13″]