Russian ATMs Spit Out Cash After Malware Attack

Tyler Durden's picture

Russian daily Kommersant reports that the Bank of Russia detected malware that hides inside ATM’s operating memory which "forces" them to dispense cash to anyone who enters certain code on its keyboard. The paper cites the deputy head of information security Artem Sychev, and adds that cash machines made by NCR were among the ATMs mostly attacked.

Kommersant also writes that according to sources who received the Bank of Russia FinCert newsletter with a description of the virus, the virus in question is the so-called "Disembodied" or Bespalova virus that “lives” in ATM RAM. According to FinCert, the ATM virus was first noticed in Russia for the first time. Since the virus does not have a file body, it can not be removed by anti-virus programs and can live in infected ATM indefinitely, according to sources.

“The virus is aimed at stealing funds directly from the bank teller machine, and is activated after a specific code is punched in, at which point it gives all the cash from the first cassette dispenser, which holds most large bills (denominations of 1 thousand or 5 thousand RUB). The funds will be dispesned to anyone who puts in the proper code, but to most ordinary people it is difficult to pick up, and any attempts to figure it out may trigger the suspicion of the security services of the Bank” – said the source publication.

Sources in banks said that he was shocked by the device’s largest manufacturer of ATMs — NCR. However, Komersant notes that any ATM can be the target.

“The identified vulnerability is not specific to a particular manufacturer, since all the ATMs are running on Windows” said a sources.

Kommersant reports that the bank has not yet found a solution to removing the new virus, and adds that banks can only raise the overall level of security of their networks.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Bryan's picture

What's the code, what's the code?!   And what is the current Ruble/USD exchange rate?  Inquiring minds want to know.

Bryan's picture

haha... or I was thinking something more sinister and difficult:  123456!

HowdyDoody's picture

VA22101

or

15058556744

True Blue's picture

I figured it was the same code we somehow used for our nuclear missile silos for decades - 00000000.

froze25's picture

That Jenny at it again.

Ferrari's picture

Your tax dollars hard at work.

Belrev's picture

Russian hackers going after Trump friendly banks. Makes sense.

Snaffew's picture

I got It!  I got It!  I got your number on the wall!!

Jack Offelday's picture

p@ssw0rd... just ask john podesta

HRH Feant's picture
HRH Feant (not verified) Bryan Mar 20, 2017 7:03 PM

Ya, I want that code too!

Current exchange rate of Ruble to USD is 57 rubles to one USD. I use the Kitco app. It shows PM prices, currencies, USD rate. Pretty basic app. I check it a few times a day.

SallySnyd's picture

"since all the ATMs are running on Windows"

 

Here is an article that looks the link between Microsoft and the global movement to end cash:

 

http://viableopposition.blogspot.ca/2017/03/the-better-than-cash-alliance.html

 

The concept of a cash-free society is being sold to us on the premise improving economic well-being and inclusiveness.

E.F. Mutton's picture

We have Malware in our system too.  It spits out cash to anyone willing to stay home and vote "D"

BorisTheBlade's picture

Ds have certainly an ability to dispense someone else's cash whenever they get close to the spigot. And this, perhaps, is the answer that uncle Biden has promised not so long ago: http://www.seattletimes.com/nation-world/biden-drops-hint-of-cyberstrike-to-answer-russian-hacking/

Yes We Can. But Lets Not.'s picture

Ah, another reason to get rid of cash.

Justin Case's picture

I bet you'd have a different opinion if it spit out all the cash on yoar lap.

Libtard's picture

The Russians did it! Oh wait....

SoDamnMad's picture

No, Soros did it. Drone Soros. US and Russia put a bounty on him or have a competition. What country can drone him successfully. Gotta have parts of a body to collect the gold. Crowd Fund. Crowd Fund this. 

moorewasthebestbond's picture

New headline:

 

"The Americans did it!"

LA_Goldbug's picture

"and adds that cash machines made by NCR were among the ATMs mostly attacked."

:-)

https://arstechnica.com/security/2017/03/after-nsa-hacking-expose-cia-st...

which operating system is in there probable ?

http://money.cnn.com/2014/03/04/technology/security/atm-windows-xp/

adr's picture

Call it the NCR engineer retirement fund. 

It would be pretty easy for an employee who works on the machines to add some malicious code during the initial manufacturing of the ATMs. 

The security and background checks on the people that work at Diebold is insane, but it didn't stop some of the engineers from building hacks like that into the machines. A few guys were caught not long ago. I think they added some code that would spit out 20s instead of tens if you put in a specific number. 

They do things like this just in case they get H1b'd. 

BlindMonkey's picture

You are missing the detail that the code DOES NOT have an associated file.  It is a network based attack and the code stays resident in memory.  There is NOTHING to find or clean on the OS so your attack vector isn't even possible.  

 

The only way to secure from this is to beef up the rule set on the network firewalls and reboot the ATM to remove the code from memory and not let it get infected again.

BorisTheBlade's picture

No idea why you've been downvoted. That's one tricky piece of malware not detected by antivirus programs. Skimming at least requires something to be inserted into ATM, i.e. physical access. This type of attack requires no physical access to ATM whatsoever, pretty sophisticated.

Sabibaby's picture

The code needs to be punched into the ATM so physical access is needed, and just because it was bypassed by AV doesn't meen there's any thing sophisticated except that there's no definition for it yet.

BorisTheBlade's picture

Not necessarily. The thing is, ATMs connect via cellular network and possible vulnerability within some communication modules would eliminate the need to upload the code physically. At no point regarding this new malware either by Russian CB or security experts there was any mention of the need for physical access, it was stressed however that this new malware does not require physical access, constitutes a new type of attack that is performed distantly and targets not client money, but the cash within ATM itself.

Sabibaby's picture

If there's no physical access then what's the point?The money is dispensed at the machine....

BorisTheBlade's picture

The point is the bank won't know ATM is compromised until there's an irregular transaction, which is not immediately. With other attacks there are physical clues, with this one there are none.

Sabibaby's picture

I thought the point was to punch in a code to get free money EDIT You're  talking about how the virus spreads....Ok,well duh! Yes,it spreads over a network...

 

BorisTheBlade's picture

My bad, of course digits will have to be punched to withdraw.

just the tip's picture

so, why not call it the deep state virus?

itstippy's picture

Putin is responsible for all Russian hacking, just as Obama is responsible for all USA wiretapping.  While Obama was in the Oval Office with his headphones on listening to Donald Trump's phone calls, Putin was busy in the Kremlin basement hacking his nation's ATM machines.  The scoundrels!

We need a hard-hitting and painfully honest investigative journalist like Brian Williams to look into this skulduggery.

Snaffew's picture

do you really think that if the Russians were hacking anything in the US, that they would leave a distinctly Russian Malware signature?  That is a mistake Putin's team would not make and that is exactly the type of fingerprint the CIA/NSA would insert into their own code to "Validate' a Russian fingerprint.  I'm no fan of Trump, but this is a ridiculous warmongering attempt to destabilize US/Russian diplomacy.

Snaffew's picture

sry---i can see that you think the whole thing is redick...but many actually believe this fodder.

ThanksIwillHaveAnother's picture

Ah, turn off ATM then turn back on.  Unless virus in ROM chip from NCR factory.

Yen Cross's picture

  Those awnry Ruskies, testing the Squid ATM's.  I love it!

Oswald did it's picture

This makes no sense I call bs

 

ReZn8r's picture

cry me a river, too bad for the banks. I half way expect to read a story reporting that BOA/Citi etc were hacked and the crooks made off with all the money. Of course that will be fake news, because the truth will be the banksters robbed their own banks! Thusly fucking the People again.

CHoward's picture

That damn kid in Hoboken is at it again.  Shame on him.  Can't anyone stop him?!?

bluez's picture

I read not very long ago that most ATMs are still using Windows XP, and that the banks are paying a fortune to Microsoft for special access to security patches that are not available to the rest of us.

The "fileless" Trojans are a new breed that do not touch the hard drive, and just live in volatile memory. They can be patched and fixed, but are significantly harder to detect.

You would think they would be using a hardened operating system like OpenBSD. But no, gotta have Windows XP. Probably powered by the ancient COBOL language as well.

BetterRalph's picture

part of me starts to not care when I realize they ALWAYS PUT FRESH PRINTED MONEY IN THERE.