Bank ATM machines hacked!


Using a “low risk” trojan, a group of hackers (believed to be from South America) managed to cart away about RM3 million (about USD 1 million; USD 1.00 ≈ RM 3.3) from various ATM machines in Malaysia.

Below are the photos of the suspects released by the Bukit Aman Police in Malaysia:


To date, the ATM machines in the following locations have been compromised by this trojan/virus called “ulssm.exe”:

Selangor & Kuala Lumpur

  • ATM in USJ (Subang Jaya): Lost RM 265,000
  • ATM in Section 14, PJ: Lost RM 395,850
  • ATM in Dataran Sunway, PJ: Lost RM 221,160
  • ATM in Kota Damansara, PJ: Lost RM 285,700
  • ATM in Shah Alam: Lost RM 116,000
  • ATM in Klang: Lost RM 150,000
  • ATM in Jalan Imbi: Lost RM 92,900
  • ATM in Jln Yoong Shook Lin: Lost RM 303,000
  • ATM in Puchong: Lost RM ??
  • ATM in Kajang: Lost RM ??
  • ATM in Kelana Jaya: Lost RM ??

Malacca

  • ATM in Malacca Raya: Lost RM ??
  • ATM in Bandar Hilir: Lost RM 232,770

Johor

  • ATM in Batu Pahat: Lost RM 265,000
  • ATM in Kluang: Lost RM 288,200
  • ATM in Johor Baru: Lost RM ??
  • ATM in Taman Molek: Lost RM ??

The Commercial Crime Investigation Department in Bukit Aman (Malaysia’s elite police force) said the suspects managed to open the top panel of the ATM machines without using a “common key” and inserted a malicious CD to infect the machine with the “Ulssm.exe” virus, which caused the ATM system (running on Windows XP) to reboot.

After the reboot, the infected ATM system will “obey” the commands that the hackers issue on the keypad and dispense all the available cash in the machine. This is the first “high-tech” method used by robbers to clean out ATM machines.

BUT is it really “high-tech”? Perhaps it is, compared to previously reported methods (e.g. trying to cart away the entire machine with bulldozers or pick-up trucks, or trying to blast the machine open with a bomb).

In reality, I would consider it “low-tech”, because:

  1. These ATM machines were running on outdated, unsupported Windows XP, which was discontinued early this year. Microsoft had issued ample warning about XP’s end of life since last year.
  2. What were the banks thinking, running a critical service on an outdated, unsupported operating system? And if they must run Windows XP, why wasn’t there anti-virus software installed? That is the first thing any sane person would do when running a Windows operating system.
  3. The Trojan/virus is considered “low risk” by Symantec. See the technical details below.

TECHNICAL DETAILS

Backdoor.Padpin is a Trojan horse that targets automated teller machines (ATM). The Trojan enables an attacker to use the ATM PIN pad to submit commands to the Trojan.

Once executed, the Trojan creates the following file, which can be placed in any folder on the compromised computer:
[PATH TO THREAT]\ulssm.exe

The Trojan then creates the following registry entries so that it runs every time Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"

The Trojan can delete itself if it fails to gain control of the PIN pad or dispenser.  The Trojan runs in the background until a specific code is entered on the ATM’s PIN pad.

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:

  • Dispense money from the compromised ATM
  • Select which cassette the ATM dispenses money from
  • Display cassette information such as bills left, denomination and total amount per cassette
  • Temporarily disable the local network to avoid triggering alarms when withdrawing money
  • Extend the duration of the session in order to continue stealing money
  • Delete the Trojan from the compromised ATM

Ref: Symantec Security Response
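The persistence mechanism above is simple enough to audit directly. The following script is an added example for this post (it is not Symantec’s tooling or any bank’s code): it parses a Windows registry export in .reg text format and flags Run-key entries that reference the ulssm.exe indicator from the write-up, or that are not on an allowlist of software expected to auto-start on the machine. The allowlist and the embedded .reg sample are constructed assumptions; the key paths and the file name are the ones Symantec lists.

```python
"""Audit the Windows auto-start (Run) keys that Backdoor.Padpin uses for persistence.

Added example for this post; not Symantec's tooling or any bank's code. It parses
a registry export in .reg text format and flags Run-key entries that either
reference the 'ulssm.exe' indicator from the write-up or are not on an allowlist
of software expected to auto-start. The allowlist and the .reg sample are
constructed assumptions; the key paths and file name come from Symantec.
"""
import re

# Auto-start locations named in the write-up (compared case-insensitively).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed allowlist: the only program an operator expects to auto-start.
EXPECTED_AUTOSTART = {r"c:\atm\vendor\agent.exe"}

# Constructed .reg export in the format `reg export` writes on Windows XP.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="C:\\ATM\\vendor\\agent.exe"
"ulssm.exe"="C:\\WINDOWS\\Temp\\ulssm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ulssm.exe"="C:\\WINDOWS\\Temp\\ulssm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Setting"="1"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} for string values."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape each backslash as '\\'; undo that escaping.
            result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def audit_run_keys(text, allowlist=EXPECTED_AUTOSTART):
    """Return (key, value_name, data, reason) tuples for suspicious entries."""
    findings = []
    reg = parse_reg_export(text)
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            lowered = data.lower()
            if lowered.endswith("\\ulssm.exe") or lowered == "ulssm.exe":
                findings.append((key, name, data, "known Backdoor.Padpin indicator"))
            elif lowered not in allowlist:
                findings.append((key, name, data, "not on auto-start allowlist"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"{reason}: {key}\\{name} = {data}")
```

The allowlist branch is the part worth keeping after this particular trojan is forgotten: an ATM runs a fixed, known set of software, so any auto-start entry that is not on the expected list deserves a look regardless of its name.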

Fortunately, none of the banks’ customer accounts have been compromised. This attack vector only targets the ATM host machine (running Windows XP) and makes it spit out the cash available in the machine.

Maybe it is high time the banking industry considered the more secure Linux for their ATM machines?  :D

Bash Vulnerability Discovered

This is quite serious as it allows an attacker to run arbitrary code in a Bash sub-shell. This Bash vulnerability (discovered by Stephane Chazelas) is related to how environment variables are processed: trailing code after a function definition in an environment variable was executed, independent of the variable name.

(ref: http://seclists.org/oss-sec/2014/q3/649 )

This vulnerability can easily be exploited by skilled hackers over the network in common configurations/setups. The GNU Bash upstream maintainer, Chet Ramey, has already released the official upstream patches.

If you’re running CentOS or another RHEL derivative, please update Bash immediately:

# yum update bash

If you’re running Ubuntu, you can run this command:

# apt-get update && apt-get install --only-upgrade bash

If your host or web server has some kind of control panel (e.g. cPanel or Plesk) with auto-update enabled, it may already have updated Bash for you when the cron job ran.

After updating Bash, please verify that you are no longer vulnerable by running the following command in your shell:

export badvar='() { :;}; echo vulnerable' && bash -c "echo This is a sub process in '$BASH_VERSION'"

If you have patched Bash, then you will see something like the following in your shell:

bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
This is a sub process in 4.1.2(1)-release

BUT if your Bash hasn’t been updated yet, then you will see the following:

vulnerable
This is a sub process in 4.1.2(1)-release


The word “vulnerable” is a dead giveaway that your version of Bash is vulnerable to this exploit. Update immediately!
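If you have more than a handful of hosts, the manual check above is worth scripting. The following is an added example, not something from this post’s author or from the Bash maintainers: it runs the same environment-variable probe against a bash binary and classifies the result, with the classifier kept as a pure function so it can also be applied to output captured elsewhere. The two sample outputs are constructed to mirror the patched and unpatched cases shown above. One caveat: this probe exercises only the original function-import flaw, so after it reports “patched” still make sure you are on your distribution’s latest bash package, since follow-up fixes to the same parser were released separately.

```python
"""Scriptable form of the Shellshock self-check shown in the post.

Added example; not from the post's author or the Bash maintainers. It runs
the same environment-variable probe the post uses against a bash binary and
classifies the result. classify_output() is a pure function so it can be
applied to captured output; the sample outputs are constructed to mirror the
patched and unpatched cases in the post.
"""
import shutil
import subprocess

# The probe from the post: a function body followed by trailing code.
PROBE_VALUE = "() { :;}; echo vulnerable"
MARKER = "This is a sub process"

# Constructed samples of what the post shows for each case.
PATCHED_SAMPLE = "This is a sub process in 4.1.2(1)-release\n"
UNPATCHED_SAMPLE = "vulnerable\nThis is a sub process in 4.1.2(1)-release\n"


def classify_output(stdout):
    """True when the probe's trailing 'echo vulnerable' actually ran."""
    lines = [line.strip() for line in stdout.splitlines()]
    return "vulnerable" in lines


def check_bash(bash_path=None):
    """Run the probe in a child bash.

    Returns True (vulnerable), False (patched) or None when no bash binary
    could be executed. The child prints the marker line so a missing binary
    can be told apart from an empty result.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # Only the probe variable and a minimal PATH reach the child.
    env = {"PATH": "/usr/bin:/bin", "badvar": PROBE_VALUE}
    try:
        proc = subprocess.run(
            [bash, "-c", f'echo "{MARKER} in $BASH_VERSION"'],
            env=env, capture_output=True, text=True, check=False,
        )
    except OSError:
        return None
    if MARKER not in proc.stdout:
        return None  # bash did not run the command at all
    return classify_output(proc.stdout)


if __name__ == "__main__":
    verdict = {True: "VULNERABLE, update bash now", False: "patched", None: "bash not runnable"}
    print(verdict[check_bash()])
```

Pass an explicit path (for example a second bash installed under /usr/local) as `bash_path` to test a binary other than the first one on PATH; a patched bash simply ignores `badvar`, so only the marker line appears on stdout.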

Slider Revolution Plugin Vulnerability

Sometimes, when you’re cruising along nicely in life, something bad has to happen – like a low-down, good for nothing hacker who discovered a critical vulnerability in the Slider Revolution Plugin and used it to wipe out my entire blog :-(

Yeah, it was bad. The entire WordPress blog got wiped out. I guess that hacker had a bad day and decided to take out his frustration on my blog. This vulnerability in the plugin allows an attacker to download the WordPress configuration file, “wp-config.php”, and view the database connection parameters (username, password and database server name).

The latest version of this popular plugin is 4.6.0 (released on 25th August 2014). Versions 4.1.4 and earlier are vulnerable to hackers. If you’ve purchased this plugin from the Envato marketplace, please contact the vendor and get an update immediately.

It seems that the developers of this plugin, “ThemePunch”, released version 4.2 with a changelog entry saying that it addressed a ‘security’ issue, but did not disclose how severe that issue was. As a result, many other theme authors who made use of the slider code/plugin did not pay much attention to it, and many did not update their code base.

Sadly, it was the low-life worms in the underground (i.e. crackers and hackers) who took this information about the vulnerability seriously and began to circulate it on various underground forums. This went on for several months, and on 1st September someone posted a proof-of-concept of the exploit on a public forum. That’s when all hell broke loose and many script kiddies took advantage of the exposed vulnerability.

Note: Even if you don’t have this plugin installed, if you’re using a paid/commercial theme you may want to check with the theme author and ask whether the theme is using an earlier version of this popular plugin. There are many commercial themes that use the Slider Revolution plugin/code.

In fact, most of the WordPress sites that got hit were hit because of vulnerable slider code in the theme files. Even though the developer of this plugin has updated the code and fixed the security hole, many WordPress sites out there are still vulnerable because it all depends on how the theme developers handle the plugin updates.

How to Check If Your WordPress site is vulnerable:

Type this URL into your browser:

http://YOURSITE.COM/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php


*note: replace “YOURSITE.COM” with your own domain.

If you can view the contents of your wp-config file, then you’re vulnerable. Switch theme immediately and contact your theme vendor. If you see a “0”, then you’re safe.
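Two follow-ups to that check, as an added example that is not from this post or from ThemePunch: a small classifier for the body the test URL returns (a vulnerable site hands back wp-config.php; WordPress’s admin-ajax.php replies “0” when no handler served the action), and a scanner that reads a web server access log and flags requests that passed a path-traversal img value to the revslider_show_image action, so you can tell whether your site was probed and when. The log lines and response bodies below are constructed samples.

```python
"""Helpers around the Slider Revolution check described in the post.

Added example; not from the post or from ThemePunch. classify_check_response()
turns the body returned by the test URL into a verdict, and is_revslider_traversal()
flags access-log requests that pass a '..' path to revslider_show_image so an
administrator can review whether the hole was probed. Log lines and response
bodies below are constructed samples.
"""
from urllib.parse import parse_qs, unquote, urlsplit

ACTION = "revslider_show_image"


def classify_check_response(body):
    """Return 'safe', 'vulnerable' or 'unknown' for the test URL's response body."""
    text = body.strip()
    if text == "0":
        return "safe"  # admin-ajax.php's reply when the action was not served
    if "<?php" in text or "DB_PASSWORD" in text or "DB_NAME" in text:
        return "vulnerable"  # wp-config.php contents came back
    return "unknown"


def is_revslider_traversal(request_target):
    """True if path+query asks revslider_show_image for a file via a '..' segment."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    query = parse_qs(parts.query)
    if ACTION not in query.get("action", []):
        return False
    for img in query.get("img", []):
        # parse_qs decoded once; decode again so encoded variants are caught.
        segments = unquote(img).replace("\\", "/").split("/")
        if ".." in segments:
            return True
    return False


def scan_access_log(lines):
    """Return (client_ip, request_target) for combined-format log lines that match."""
    hits = []
    for line in lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split(" ")
        if len(request) < 2:
            continue
        if is_revslider_traversal(request[1]):
            hits.append((line.split(" ", 1)[0], request[1]))
    return hits


# Constructed access-log sample (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2014:10:00:00 +0800] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 2810',
    '198.51.100.7 - - [01/Sep/2014:10:01:00 +0800] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 2810',
    '192.0.2.9 - - [01/Sep/2014:10:02:00 +0800] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 5120',
    '192.0.2.9 - - [01/Sep/2014:10:03:00 +0800] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
    print(classify_check_response("0"))
```

A matching request with a 200 status and a response size around that of your wp-config.php is the signal to treat the database credentials as exposed and rotate them, whether or not the site has since been patched.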