Pierluigi Paganini
March 26, 2014
What will happen after that Microsoft will stop supporting the Windows XP operating system on 8th April? The question was approached by numerous security experts on different media.
The impact could be very serious for all those industries were XP OS is largely adopted, for example the banking sector. Nearly 95% of the world’s 3 million ATM machines run on Microsoft XP OS, the interruption for the support of Windows XP raises serious security issues.
After April 8th, Windows XP Service Pack 3 customers will no longer receive new security updates or any other form of support, this means that any new security flaw discovered in the Windows OS will not be addressed fixed by Microsoft. Attackers will have the advantage over victims who choose to continue to run Windows XP, their systems will be vulnerable and a growing number of exploits will be available on the underground market to compromise Windows XP systems.
To better understand the risks related to running a phase-out OS I suggest the reading of a post published by Symantec security firm titled “Texting ATMs for Cash Shows Cybercriminals’ Increasing Sophistication”, it shows how hackers can exploit a weakness in a Windows XP based ATMs that allow them to withdraw with a simple SMS.
The blog post refers to a variant of Ploutus malware detected in 2013, it was installed on ATMs in Mexico and is designed to compromise a certain type of standalone ATM with just the text messages.
“The new variant was identified as Backdoor.Ploutus.B (referred to as Ploutus throughout this blog). What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible, but this technique is being used in a number of places across the world at this time.”
The attack scheme is very simple, the bad actor just needs to connect the ATM to a mobile phone via USB tethering and then initiate a shared Internet connection, which then can be used to send specific SMS commands to the phone attached or hardwired inside the ATM.
“Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.”
The attack scheme
cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985 “In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal added security and the ability to centrally control cash withdrawals. The code is active for 24 hours.” reports Symantec
Malware analysts have discovered a more sophisticated version of the PLOUTOS malware, some detected instances are able to steal customer card data including the PIN, researchers also confirmed the existence of a version able to implement a man-in-the-middle attack.
PLOUTOS is now spreading to different countries all over the world, Symantec experts highlighted that a similar attack is possible on ATMs running on Windows XP, which lack of proper defense measures protecting against these types of attacks, like such as encrypted hard-drives. Physical security of the computer inside the ATMs is considered another critical issue, especially for remote and isolated locations, because usually generally the computer generally is not locked in a safe. Following the suggestions provided by Symantec experts to improve the security of the ATMs:
[adrotate banner=”9″]
(Security Affairs – ATMs, XP)
