RIPPER Malware Attacks Thai ATMs

The new RIPPER malware is allowing crime groups to target ATMs. It is believed to have successfully dispensed bank notes illicitly in Thailand, with criminals making off with some 12 million baht (A$460,000). Kevin Bocek at Venafi commented below.

Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi:

“Cybercriminals are feeling the squeeze as EMV chip technology and more advanced detection methods spot attacks on customers. The rise in malware attacking POS and ATMs is not surprising and is part of natural criminal cycle. Block a criminal on one street, they move to the next. Retailers and banks are now seeing a new generation of POS and ATM attacks using malware that operates intelligently to evade detection. Hackers today don’t just want to infect; they want to own and control. In the latest ATM attacks, RIPPER even goes so far as to shutdown its network to make sure no signs of malicious activity are detected or reported.

POS and ATM devices were the original Internet of Things (IOT). Understanding how these attacks are playing out indicates how hackers will target high value IOT, including those that process transactions and other activities of value. Retailers are now understanding that every piece of code that runs on a POS must be digitally signed to establish if it is trusted or not. Banks need to understand the same for ATMs. Smartphones and tablet do this today – only running code authenticated by digital certificates – banks and retailers have to catchup. This model of trust has been backed in to these new devices and now needs to be applied to high value IOT like ATMs and POS. This will also mean that banks and retailers will have to take seriously protecting the keys and certificates: know where they are used, change them regularly, and continuously monitor.

From Stuxnet that damaged the Iranian nuclear program through to Carbanak group that stole up to $1B from the inside of European banks, keys and certificates have been used to enable attacks. Applying lessons from these attacks will not only help protect banks and retailers with ATMs and POS, but also longer term IOT networks where ransom and disruption are likely part of the next evolution in the threatscape.”