Заголовок

ptsecurity.com

7 sins of ATM protection against logical attacks

Timur Yunusov

Senior expert

Заголовокwhoami

• Positive Technologies (from 2009)

• Application security researcher (from 2009)

• Banking systems security senior expert (from 2012)

• Big fan of #nullcon

• Always in search/research ;)

Заголовокwhoami

• Positive Technologies (from 2009)

• Application security researcher (from 2009)

• Banking systems security senior expert (from 2012)

• Big fan of #nullcon

• Always in search/research ;)10+ ATMs for the last year

ЗаголовокATM security assessment

Заголовок7 sins

• Kiosk bypass techniques

• Privilege escalation techniques

• Application control software bypass

• Network physical layer

• Device management

• Booting process

• Logical vulnerabilities

• OS / Software vulns /

Kiosk mode bypass

• Network attacks

• Hardware attacksHardware

Network

OS

ЗаголовокBlackbox

Blackbox is

dead

ЗаголовокBlackbox

Blackbox is

dead

ЗаголовокBlackbox

Blackbox is (almost)

dead (for researchers)

Have strong crypto btw

dispenser and OS?

BB is not possible

BB is possible

Yes

ЗаголовокKiosk mode bypass

Kiosk mode bypass

Windows XP/7

ЗаголовокKiosk mode bypass

•Safe mode

•Hotkeys

•Windows Plug&Play

•Race condition

ЗаголовокSafe mode

•F8 + Safe mode with command line

•DS restore mode

•AC/DC fun

ЗаголовокHotkeys

•Win+R

ЗаголовокHotkeys

•Win+R

•Alt+Tab

•Alt+F4

•Alt+Shift+ESC

•F1-F12

•Shift x5 (Windows 7 only)

•Win+(etc)

http://www.techrepublic.com/blog/windows-and-office/the-complete-list-of-windows-logo-keyboard-shortcuts/

ЗаголовокAlwaysOnTop

This ATM is Out Of Service, Sorry for inconvenience

ЗаголовокAlwaysOnTop

• Disabling mouse icon

• AlwaysOnTop

This ATM is Out Of Service, Sorry for inconvenience

ЗаголовокP&P

ЗаголовокP&P

ЗаголовокP&P video/screenshot

ЗаголовокEnd of the story

ЗаголовокPrivilege escalation techniques

• How exactly we extract money?

ЗаголовокPrivilege escalation techniques

•FS restrictions

•Local Security Policy restrictions

ЗаголовокPrivilege escalation techniques

•Arbitrary command execute - XFS API

•Command execute - priv escalation

•Write files/registry - modify sec configs

ЗаголовокPrivilege escalation techniques

•Arbitrary command execute - XFS API

•Command execute - priv escalation

•Write files/registry - modify sec configs

•Read files - ***

ЗаголовокApp control software bypass

Story so far…

• https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html

• https://cansecwest.com/slides/2016/CSW2016_Freingruber_Bypassing_Application_Whitelisting.pdf

ЗаголовокSecurity software bypass

• McAfee Solidcore - https://www.ptsecurity.com/ww-en/about/news/131496/

• MS Applocker - http://www.blackhillsinfosec.com/?p=5257 – State of Art!

• etc (6 total different products) – stay tuned!

• 0days (5 total, in process of fixing): network, local, logical

• Misconfiguration

• Whitelist Memory Execution: IE, rundll32, powershell, java, etc

ЗаголовокSecurity software bypass

ЗаголовокNetwork

+ Firewall

VPN

TLS

MAC

• OS services

• Software services (Solidcore, UPDD, etc)

• Processing

• Track2

• Processing

• Track2

• Processing

ЗаголовокNetwork vulns

• VPN disabling• Logical vulns part

• TLS disabling

• MAC disabling• Files/registry manipulations

ЗаголовокNetwork/Hardware layer

•3G industrial modem• Long story short

http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html

•Security measures• VPN channel

• Private APN

•Result•ATM network infection

• Processing access

ЗаголовокNetwork/Hardware layer

•Access to *:80

•Auth bypass

•Physical access

•Proper VPN protocols(((

ЗаголовокDevice mgmt

How to do all hacking stuff

much easier?

ЗаголовокDevice mgmt

•Keyboard/mouse

•Teensy

•Network card• fw bypass

• plug&play

•USB drive• local access to Exe file content

• plug&play

•MS13-081

ЗаголовокBooting process

The easiest way is…

ЗаголовокBooting process

•BIOS pwd

•Network load

•Safe mode

•Physical access

•OS access• Same passwords story

•Bootkit• Software skimming

ЗаголовокLogical vulns

How it happened?

ЗаголовокLogical vulns

•Security tools runs from regedit/autorun• Shift x5

• Win+U

•Security race condition • Hash(loooooooong file)

• exploit.exe at the same time

•Ctrl+C

ЗаголовокLogical vulns

ЗаголовокLogical vulns

• VPN disabling

ЗаголовокLogical vulns

• FS access is strictly prohibited

ЗаголовокLogical vulns

• FTP is strictly prohibited!

ЗаголовокSummary

Windows 7 SP1 ATM Windows XP SP3 ATM

Kiosk bypass Hotkeys/Safe mode KeyboardDisabler bypass

App control bypass 0day/Trusted soft Untrusted booting

Privilege escalation 0day/MS15-051 Untrusted booting

VPN/TLS disabling Misconfiguration/FS Untrusted booting

Social Engineering Misconfiguration/FS -

Untrusted boot BIOS accessing from OS No password

Network attacks MAC/TLS/VPN/App service MAC/TLS/VPN/OS services

ЗаголовокHow all that happens?

•Security through obscurity is not an option!• You should know your landscape and your threat model

• Use compliance management tools instead of paper

• In case of impossibility of fixing vulns, use

mitigation measures like SIEM

ЗаголовокGreetz

• Anon guy ;-)

• Positive Technologies researchers teams:

• ICS/SCADA

• Reverse Engineering

• Banking security

ЗаголовокContacts

http://uk.linkedin.com/in/tyunusov

tyunusov@ptsecurity.com

a66at

Заголовок

Thank You!

ptsecurity.com