Monthly Archives: January 2018

As If Discovery Were Not Difficult Enough, Now This

“We sometimes advocate for a high regulation, low litigation approach to product liability, and that approach particularly suits the protection of private information. Healthcare providers take patient privacy seriously, and when pulled involuntarily into litigation, the rules they need to follow ought to be clear. Connecticut’s new tort does not advance that cause.”

First ‘Jackpotting’ Attacks Hit U.S. ATMs

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Diebold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.”

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF).

The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

An endoscope made to work in tandem with a mobile device. Source:

“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

A 2017 analysis of Ploutus.D by security firm FireEye called it “one of the most advanced ATM malware families we’ve seen in the last few years.”

“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.

According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.

Regalado says the crime gangs typically responsible for these attacks deploy “money mules” to conduct the attacks and siphon cash from ATMs. The term refers to low-level operators within a criminal organization who are assigned high-risk jobs, such as installing ATM skimmers and otherwise physically tampering with cash machines.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” he wrote. “Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Indeed, the Secret Service memo shared by my source says the cash out crew/money mules typically take the dispensed cash and place it in a large bag. After the cash is taken from the ATM and the mule leaves, the phony technician(s) return to the site and remove their equipment from the compromised ATM.

“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the alert notes.

FireEye said all of the samples of Ploutus.D it examined targeted Diebold ATMs, but it warned that small changes to the malware’s code could enable it to be used against 40 different ATM vendors in 80 countries.

The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.

This is a quickly developing story and may be updated multiple times over the next few days as more information becomes available.

Tags: atm jackpotting, atm logical attacks, Daniel Regalado, Diebold Nixdorf, Diebold Opteva, endoscope, FireEye, NCR Corp, Ploutus.D, U.S. Secret Service, Windows 7, Windows XP

This entry was posted on Saturday, January 27th, 2018 at 1:45 pm and is filed under All About Skimmers, Latest Warnings, The Coming Storm.

A Teachable Moment: Hospital Goes Public after Making Ransom Payment

It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.

The Hancock Regional Hospital in Greenfield, Indiana – a general medical and surgery facility located 20 minutes from Indianapolis — was attacked last Thursday night by a ransomware called SamSam, which targeted the hospital’s “most critical” information systems including more than 1,400 files. The hospital paid the hackers about $50,000 in Bitcoin for private encryption keys to unlock its files and restore its IT network.

“My hope is that this retelling of the events will help shed light into the extraordinary efforts our organization mounted in response to a potentially disastrous event,” wrote the hospital’s Chief Executive Officer, Steve Long, in a blog post explaining his decision to go public with details of the attack and decision to make the ransomware payment.

Hancock Regional Hospital’s experience with ransomware isn’t an isolated instance. Ransomware attacks in the healthcare industry have been on the uptick. One recent survey says that ransomware attacks have increased by almost 90 percent in the sector during the past year. In 2016, the U.S. Department of Health and Human Services Office for Civil Rights issued guidance to help the industry address the threat.

The Hancock attack started last Thursday evening after IT staff at the hospital noticed “negative changes in system performance.” Moments later, messages were displayed on computer terminals throughout the hospital saying that the system was under attack and that decryption keys could be purchased with Bitcoin payable on the Dark Web. The message contained detailed payment instructions.

According to the CEO’s blog post, the hospital then shut down its network. The malware was eventually isolated at the hospital’s back-up site, but by then the electronic tunnel between the backup site and the hospital had already been compromised by the hackers, which meant that purging encrypted data and replacing it with clean data was no longer a viable option.

“[T]he core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers,” wrote Long. “Thus, backup of the rest of the network systems would never have been a possibility and acquisition of the decryption keys was unavoidable.”

Long also noted that the hospital was “in a very precarious situation at the time of the attack,” between bad weather conditions and a nationwide flu epidemic. “[W]e wanted to recover our systems in the quickest way possible and … made the deliberate decision to pay the ransom to expedite our return to full operations.”

A forensic investigation determined that the hackers – most likely from Eastern Europe – obtained the login credentials of a vendor that provides hardware for one of the critical information systems used by the hospital. Using the stolen credentials, the hackers targeted a server in the hospital’s emergency IT backup facility.

Before paying the ransom, the hospital brought in the FBI’s cybercrime task force for “advisory assistance.”

Another Indiana hospital, Adams Memorial Hospital in Fort Wayne, also acknowledged a ransomware attack the same day and said its servers were affected but did not release additional information. A statement posted to the hospital’s website said that “no interruption in patient care or to the quality and safety of patient care was experienced … [and] we do not believe any patient information has been compromised.”

It’s not clear if the two attacks are related.

And a third healthcare company, Allscripts, also reported a ransomware attack late last week. Allscripts, a major player with its popular electronic health records and e-prescribing systems, said the attack affected the company’s data centers in North Carolina. In a statement, an Allscripts spokesperson said, “We are investigating a ransomware incident that has impacted a limited number of our applications. We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.”

Patterson Belknap Webb & Tyler LLP

What Spectre and Meltdown Mean for Lawyers and Executives

Wilson Sonsini Goodrich & Rosati

In early January 2018, security researchers released their findings about vulnerabilities affecting almost all computer chips that could allow a hacker to access data stored in the memory of the chips. Dubbed “Spectre” and “Meltdown,” the vulnerabilities have caused significant alarm among security researchers and have become a top priority for chief information officers (CIOs) and chief information security officers (CISOs) to address.

For lawyers and executives who manage risk for their companies, below is an overview of the issue, legal consequences, and questions you should be asking your team.

What does this vulnerability allow?

At a high level, the vulnerability would allow a hacker to write software that could access information stored in the memory of computer chips—data previously believed to be inaccessible to such software. Data stored in the memory of chips can include a wide range of information, including usernames and passwords and other sensitive information. You can read more about the vulnerability here and here.

Is this vulnerability being exploited?

So far, researchers are reporting that they have not seen any attempts to exploit the flaw, but security experts are estimating that attackers may be able to weaponize the vulnerability in as few as 30 to 60 days. This gives companies time—albeit a short period—to address this issue.

What is being done?

You should expect multiple rounds of patches to be released to address these vulnerabilities. But as any IT professional will tell you, patching is much easier said than implemented, particularly for companies that have developed custom software or use multiple applications.

Many major software companies already have begun issuing patches for operating systems, browsers, and other software, which are designed to correct exploits based on the way the software interacts with processors.

A second round of patches will follow when major chip manufacturers release microcode updates to fix the issues at the hardware level. These fixes will require microcode and firmware updates to hardware, and implementing those changes will be more difficult because they could impact the functionality of networks and other major backbone services.

A third round of patches may occur when these microcode updates reach equipment manufacturers, who will need to produce special code updates for the equipment they produce. It is likely that some manufacturers will not be providing fixes for older hardware, so companies that have not been diligent in maintaining modern equipment will be stuck with purchasing new hardware or living with the long-term risk.

What are the legal consequences?

As with all risks, there is an expectation that companies take steps to mitigate them. And while lawsuits or regulatory inquiries about exploitation of these vulnerabilities may be premature, it is highly likely that companies failing to address these issues will ultimately be subject to litigation.

For tech companies whose software or hardware can be exploited by (or used to exploit) these vulnerabilities, it should be a priority to issue patches to ensure that the exploit cannot be used on its products. And for all companies, patching software is necessary to prevent the exploits from being used to steal the confidential information or personal information of customers and employees.

While the day to day management of patching will be handled by companies’ CIOs and CISOs, management should expect to get regular updates on what patches have been issued, whether they have been installed, if there are patches that have not been installed (and why), remaining gaps in patching, and what other measures are being put in place to address the vulnerability while patches are being tested.

Executives should make sure that the responsibility for making high-risk decisions—such as deciding to forgo hardware updates that might be necessary to address the vulnerability—are being made at the right level. And executives should be aware of their companies’ “security debt”—that is, what known or suspected security vulnerabilities have not been addressed and the timeline for addressing them.

Beware! A new bug can crash iOS and macOS with a single text message

“Be careful what you click on.” The chaiOS bug is on the loose.

“[This] link that is capable of crashing iOS and macOS when received through Apple’s Messages app.” View the article to see the link that may come across. I didn’t type it in here so as not to have it a link you may be tempted to try.

Beware! A new bug can crash iOS and macOS with a single text message

The Perks and Perils of Self-Destructing Messages

“Consider further the fact that the Department of Justice in December issued an enforcement policy urging strongly against the use of messaging applications that do not store data in a way that allows for access during a subsequent investigation.”
