Wednesday, October 8, 2014

Hackers Steal Millions In Cash From ATMs, Using Tyupkin Malware

Attackers build in fail-safes to keep innocent customers from triggering the attack and money mules from going rogue.

Attackers are infecting ATMs in Asia, Europe, and Latin America with malware, and walking off with stacks of cash, Kaspersky has found. Using the malware, called Tyupkin, and a team of money mules, the attackers have stolen what amounts to millions of dollars in cash.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. “Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

The good news is that the infection and theft require physical access to the ATM. The bad news is that it's easy to come by, since ATMs are intended to be physically accessible by the general public 24/7. That said, the attackers only went after machines that did not have security alarms installed.

Once access is gained, the attackers reboot the machine using a bootable CD that installs Tyupkin. The malware then runs in a loop, waiting for a command. It only accepts commands on Sunday and Monday nights, when the mules' suspicious withdrawals are less likely to be noticed.

During those hours, a unique key, based on a random set of numbers displayed by the ATM machine, is generated for each session. Video evidence shows that the mule collecting the cash calls another gang member on the phone and gives them that random combination. The person on the other side of the call then runs those digits through an algorithm to generate the session key, and gives the key to the mule. Once the key is entered, the machine displays the amount of cash located in each cassette, and dispenses 40 banknotes from whichever cassette the attacker chooses.

The process prevents both regular customers from accidentally triggering the attack and money mules from trying to steal the money themselves without the rest of the gang knowing about it.




Monday, October 6, 2014

Google Indonesia was Hacked

As reported today, Google Indonesia was hacked a few hours ago and left with a defaced page for hours. The technology giant's Indonesian domain, www.google.co.id, was hacked and left defaced for several hours in the morning. The very famous Pakistani hacker group “Team Madleets” claimed responsibility for the hack.

Google Indonesia was hijacked using a hacking method known as DNS spoofing (DNS cache poisoning). The Pakistani hacker group “Team Madleets” is known for such attacks targeting big websites like Google; last year the same method was used to hijack the Google Malaysia domain.

What is DNS Poisoning?
In short, DNS spoofing or DNS cache poisoning is an attack in which data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another website.

Normally, a networked computer uses a DNS server provided by an Internet service provider (ISP). These servers are deployed to improve resolution response performance by caching previously obtained query results.

The attacker spoofs the IP address in the DNS entries for a target website on a given DNS server, replacing it with the IP address of a server he controls, thus redirecting all traffic to his deface page. It is believed that the DNS spoofing led Google Indonesia users to another IP address, which carried the Madleets deface page.
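One way a defender can spot the redirection described above is to compare the addresses that several resolvers return for the same name. The following Python check is an added example, not part of the original post; the resolver names, the addresses (documentation ranges) and the expected network are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data: A records for one hostname as returned by four
# resolvers. Addresses come from documentation ranges, not real hosts.
OBSERVED = {
    "isp-cache-1": ["198.51.100.10", "198.51.100.11"],
    "isp-cache-2": ["203.0.113.66"],  # diverging answer
    "public-1": ["198.51.100.11", "198.51.100.12"],
    "public-2": ["198.51.100.10"],
}
# Assumption: the networks the site's operator is known to serve from.
EXPECTED = [ipaddress.ip_network("198.51.100.0/24")]


def in_expected(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def audit(observed, networks):
    """Return {resolver: [reasons]} for resolvers whose answers look poisoned."""
    # Count how many resolvers returned each address.
    seen_by = Counter(a for answers in observed.values() for a in set(answers))
    findings = {}
    for resolver, answers in observed.items():
        reasons = []
        outside = sorted(a for a in answers if not in_expected(a, networks))
        if outside:
            reasons.append("outside expected networks: " + ", ".join(outside))
        # An answer set that shares nothing with any other resolver is
        # suspicious even when no expected-network list is available.
        if answers and all(seen_by[a] == 1 for a in answers):
            reasons.append("no address confirmed by another resolver")
        if reasons:
            findings[resolver] = reasons
    return findings


if __name__ == "__main__":
    for resolver, reasons in audit(OBSERVED, EXPECTED).items():
        print(resolver, "->", "; ".join(reasons))
```

Large sites legitimately hand different addresses to different resolvers, so the expected-network check is the stronger of the two signals; the cross-resolver comparison only narrows down which cache to inspect.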

Google Indonesia Website was left defaced for several hours
While it is not clear how long the Google Indonesia website was left defaced, reports suggest that the attack continued for hours. Team MaDLeeTs also replaced the deface page it had planted earlier with a new one after 2 hours.


BadUSB Malware Returns

Back in July, a massive security hole, “BadUSB”, was discovered that can give hackers the ability to hijack billions of USB devices, from keyboards and printers to USB drives. Because of the severity of the issue, the researchers who discovered the security flaw didn't publish their BadUSB exploit code.

However, two other hackers have since worked out how to exploit BadUSB and released a bunch of hacking tools that can be used to convert a USB drive into a silent malware installer. They have also published their BadUSB malware source code publicly on the open source code hosting website GitHub. Device makers are under pressure to actually fix the security flaw before millions of users have their USB devices exploited, which is a big problem as there's no easy security fix for BadUSB malware.

What is BadUSB?
In short, every USB drive has a microcontroller in it, a small chip that acts as an interface between the device (keyboard or flash drive) and the host (PC). This small chip often has firmware that can be reprogrammed to do malicious things, such as logging your keystrokes and infecting your personal computer with malware, or something much worse. BadUSB is really very dangerous because of one factor: it is undetectable, even when scanned by an antivirus program.

The security researchers who originally discovered BadUSB, Karsten Nohl and his colleagues at SR Labs, announced in July that the BadUSB bug exists and shared more details with device makers. The German security researchers did not publish their source code because they thought it would be dangerous and too hard to patch.

“We really hope that releasing this will push device manufacturers to insist on signed firmware updates, and that USB Manufacturer Phison will add extra support for signed updates to all of the controllers it sells,” Caudill said in his blog. “Phison electronics isn't the only player, though they are the most common. I'd love to see them take the lead in improving security for these devices.”

Now, however, two security researchers, Adam Caudill and Brandon Wilson, at Derbycon in Kentucky, have discovered the same BadUSB bug and, more importantly, have published their proof-of-concept. It has the capability to spread itself by hiding in the firmware meant to control the ways in which USB drives connect to computers.

Anyone who knows what they are doing can grab the source code and start exploiting USB devices straight away. The hack uses the security flaw in USB that allows an attacker to write a self-replicating worm that logs passwords and other sensitive data, and such an attacker stands to make millions of dollars.

Source Code is Available On Internet for Free
The two security researchers justified their release at the Derbycon hacker conference in Louisville last week. Both were able to reverse engineer the USB firmware, infect it with their own malicious code, and hijack the associated device. They also underlined the danger of the BadUSB hack by going through the source code in depth.

The two security researchers replicated the emulated keyboard attack, and also showed how to create a hidden partition on thumb drives to defeat forensic tools and how to bypass the password for protected partitions on some USB drives that provide such a feature.

The BadUSB vulnerability is present in products of only one Taiwanese electronics company, Phison Electronics. But a Phison USB device can infect any device it is plugged into. The Taiwanese USB manufacturer has not yet revealed for whom it manufactures USB drives.

BadUSB Vulnerability is Undetectable & Unpatchable
The flaw in Phison USB devices basically allows the firmware of USB devices to be modified, which can be done easily from inside the operating system, and hides the malware in USB devices in a way that makes it almost impossible to detect, even by antivirus software. The security flaw gets even worse: completely formatting a USB device or deleting its contents does not remove the malicious code, as it is embedded in the firmware.

According to Wired, this BadUSB vulnerability is practically unpatchable because it exploits the very way that USB devices are designed. Once infected, each USB drive will infect anything it's connected to.

Impact of BadUSB Vulnerability
Once compromised, a USB device can reportedly:

1). Log keystrokes
2). Alter folders & files
3). Infect other devices & systems
4). Spoof a network card to change the computer's DNS setting
5). Install malware & control the keyboard

Protection Against the BadUSB Attack
For the time being, the best mitigation against the BadUSB vulnerability and other similar exploits is good security practice. Always keep your software updated, never open any files you don't recognize, and don't plug any devices into your computer unless you know where they've been.
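The keyboard emulation and network-card spoofing listed under the impact above both require the device to announce an interface class that a plain flash drive has no reason to expose, which a host can check at enumeration time. The following Python audit is an added example, not code from the researchers or the original post; the device names, roles and the allow-list policy are constructed assumptions, while the class codes are the standard USB interface class values.

```python
# Standard USB interface class codes (bInterfaceClass).
CLASS_NAMES = {
    0x02: "communications/CDC",
    0x03: "HID (keyboard/mouse)",
    0x07: "printer",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller (incl. RNDIS network)",
}

# Assumption: a local policy stating which interface classes a device of a
# given role is allowed to expose.
ALLOWED = {"flash-drive": {0x08}, "keyboard": {0x03}, "printer": {0x07}}

# Constructed inventory. Class values are two hex digits, the form in which
# Linux sysfs reports bInterfaceClass for each interface.
DEVICES = [
    {"id": "port1-drive", "role": "flash-drive", "classes": ["08"]},
    {"id": "port2-drive", "role": "flash-drive", "classes": ["08", "03"]},
    {"id": "port3-drive", "role": "flash-drive", "classes": ["08", "e0"]},
    {"id": "port4-kbd", "role": "keyboard", "classes": ["03"]},
]


def audit_device(dev, allowed=ALLOWED):
    """Return the names of interface classes the device's role does not allow."""
    exposed = {int(c, 16) for c in dev["classes"]}
    # An unknown role allows nothing, so every exposed class is reported.
    extra = exposed - allowed.get(dev["role"], set())
    return sorted(CLASS_NAMES.get(c, "class 0x%02x" % c) for c in extra)


def audit(devices):
    """Map device id -> unexpected interface classes, omitting clean devices."""
    findings = {}
    for dev in devices:
        unexpected = audit_device(dev)
        if unexpected:
            findings[dev["id"]] = unexpected
    return findings


if __name__ == "__main__":
    for dev_id, unexpected in audit(DEVICES).items():
        print(dev_id, "exposes unexpected interfaces:", ", ".join(unexpected))
```

Because reprogrammed firmware can change what it announces on a later connection, a check like this has to run on every enumeration event rather than once at first plug-in.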