The troubleshooting concept ideally that bring up hypothesis boldly while prove it conscientiously and carefully. Similar concept can apply to cyber incident investigation. Found that a security vulnerability found by security researcher Christopher Domas. The Intel chips design limitation is that vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System. The management mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilize the most privileged of execution modes and potentially overwrite secure features in the boot environment. Christopher Domas exploit uses the UEFI code features to install a rootkit sucessful during his POC in Black Hat conference. From techincal point of view, this is indeed a design limitation in CPU, it looks that we are not able to using 0x06000832 memory address. Notice that a new microcode patch is going to remediate this design limitation. The hacker implant rootkit to ATM system through malware infection through CPU design bug is a possible. The remaining issue is that how to execute infection to hundreds of ATM machines. The headline news did not provide the detail, if the investigator confirm all the ATM machines are compromised. We can speculate that the malware source might hidden in their SNA server farm or internal network. The Mainframe connectivity methodology from traditional by hardware controller integrate to LU 6.2 (APPN). The Cisco network products and specifics technology DLSW (Data Link Switch) can cope with Mainframe switch major node architecture. Thereby it is hard to say that ATM machine infrastructure is running in isolate network nowadays.
For more detail about memory sinkhole attack, please refer to below URL
For details about related articles, please refer to below URL for reference.
Digital world – digital dinosaur attack Taiwan ATM machine (crooks stolen estimated T$70m (US $2.2m))
The most hottest cyber attack topics happened last week. Yes, a DDOS attack occurred on HSBC UK and US web portals. But the crooks jailbreak ATM machines in Taiwan looks more attractive. Sound amazing, traditional ATM machines communication link run on private network (Frame relay or ATM OC3). It is indeed real time transaction process working with back end Mainframe system. From security point of view, the media type of connection is restricted and such a way reduces the risks on cyber attack and virus infection. Recall ATM incident occured in 2009. Russian nationality hackers found the vulnerabilities on ATM vendor side (DIEBOLD). They develop malware form attack implant to ATM system DLL file (Dbddev.dll). It looks impossible that infect of the ATM machine with malicious program to steal credit card details and PINs. But the hackers looks great, they can hooks the ATM system process successfully and gain the privileges. ThisTrojans as Troj/Skimer-A.
How was today? The digital dinosaur attack Taiwan ATM machine, crooks stole an estimated T$70m (US $2.2m).
The ATM incident happened in Taiwan banking system not belongs to DIEBOLD. They were made by German manufacturer Wincor Nixdorf. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. Sound strange! Right?
Virtual reality – Reflections:
1. Without insertion of ATM Card can draw the cash
Possible causes: ATM machine operation system from earlier generation of IBM OS/2 migrate to windows OS platform. Is there any vulnerabilities occurs on window OS side. A critical security flaw announced by Microsoft last week, a printer spooler bug causes privileges escalation or MS16-087 for short.
2. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone.
All ATM machines will go through backbone SNA gateway connected to backend system (Mainframe). From IT architecture point of view, SNA gateway located in data center sever farm. There is possibilities encounter malware infection during windows update processes. For example, do the DNS cache poisoning to return an incorrect IP address, diverting traffic to the counterfeit web site.
3. Well known OS platform
Windows based OS platform not difficult to implant a root kit to gain the control of the system. Hacker can through many channel to achieve their goal. For example, they will find the target person and company by SCAM mail. They can jump into the internal network and compromise the system when target person (victim) fall into their trap (compromised web site).
For more details about this incident, please refer to below URL:
Wincor-Nixdorf’s product catalog gives insight into the operating systems its ATMs currently support.
The ProCash 280 lists its compatible software as Windows XP Professional SP3, Windows POSReady 2009 and Windows 7.