August 15, 2018

FBI warns banks that crooks are planning choreographed ATM drainage

By Lisa Vaas

The FBI has alerted banks that in the coming days cybercrooks are planning to spring a highly choreographed, multinational “ATM cashout” that could drain their cash machines of millions within the span of hours.

In an ATM cashout, cybercrooks hack a bank or payment card processor, lift fraud controls such as withdrawal limits and/or account balances and/or number of daily withdrawals, outfit so-called “casher crews” with cloned cards, and send them out to simultaneously descend on cash machines and strip them of money before the banks sound the alarm and slam down the window of opportunity.
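As an added illustration (not part of the original article or the FBI alert), the Python below shows the defender's side of that description: withdrawals are re-checked against a reference copy of the limits kept outside the card-processing system, so limits lifted by an intruder still trip an alarm. The limit values, the event tuple layout and the function name are assumptions made for this example, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Reference limits held outside the card-processing system (assumed values),
# so an intruder who raises limits in the processor does not change them here.
REFERENCE_DAILY_LIMIT = 1000      # currency units per card per 24 h
REFERENCE_DAILY_COUNT = 5         # withdrawals per card per 24 h
WINDOW = timedelta(hours=24)

def flag_cards(events):
    """Return {card: sorted reasons} for cards exceeding the reference limits.

    events: iterable of (iso_timestamp, card, atm_country, amount), any order.
    """
    recent = defaultdict(deque)   # card -> withdrawals inside the window
    flagged = defaultdict(set)
    for ts, card, country, amount in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[card]
        q.append((now, country, amount))
        # Drop withdrawals that have aged out of the 24-hour window.
        while q and now - q[0][0] > WINDOW:
            q.popleft()
        if sum(a for _, _, a in q) > REFERENCE_DAILY_LIMIT:
            flagged[card].add("amount")
        if len(q) > REFERENCE_DAILY_COUNT:
            flagged[card].add("count")
        if len({c for _, c, _ in q}) > 1:
            flagged[card].add("multi-country")
    return {card: sorted(reasons) for card, reasons in flagged.items()}

# Constructed sample log: card A is used in three countries within an hour,
# card B is an ordinary customer withdrawing once a day.
SAMPLE = [
    ("2018-08-15T02:00:00", "A", "US", 800),
    ("2018-08-15T02:10:00", "A", "JP", 800),
    ("2018-08-15T02:20:00", "A", "GB", 800),
    ("2018-08-15T09:00:00", "B", "US", 200),
    ("2018-08-16T09:30:00", "B", "US", 200),
]

if __name__ == "__main__":
    print(flag_cards(SAMPLE))
```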

Cybercrime journalist Brian Krebs on Sunday reported that the FBI alert to banks indicated that the plot could be triggered any day now.

From the confidential alert, which was privately sent to banks on Friday:

The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’.

According to Krebs, the FBI said that “unlimited operations” compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large-scale theft of funds from ATMs.

Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.

What kind of vulnerability, you may well ask? We have no idea. Perhaps it’s a vulnerability that’s got an inch or two of dust on it? In January, the US Secret Service sent out an alert about ATM “jackpotting” attacks that used malware known as Ploutus.D, to which ATMs running Windows XP are particularly vulnerable.

Read more at https://nakedsecurity.sophos.com/2018/08/15/fbi-warns-banks-that-crooks-are-planning-choreographed-atm-drainage/

Apple Mac “zero day” hack lets you sneakily click [OK]

By Paul Ducklin

At the recent DEF CON cybersecurity conference in Las Vegas, macOS security researcher Patrick Wardle did something that the responsible disclosure doctrine says is a bit naughty.

He “dropped 0day” on Apple’s macOS, meaning that he publicly revealed an exploit for which no patch is yet available.

Exploits against unpatched vulnerabilities are known as zero-days for short, or 0days for supershort, because even an on-the-ball system administrator has had zero days to get ahead of the game with updates.

In an ideal world, Wardle would have told Apple quietly first, waited until a fix was out – or a suitable deadline had passed that implied Apple couldn’t be bothered to fix the issue – and only then gone public.

Fortunately, as zero-day hacks go, this one isn’t super-serious – a crook would have to infect your Mac with malware first in order to use Wardle’s approach, and it’s more a tweak to an anti-security trick that Wardle himself found and reported last year than a brand-new attack.

The word zero-day originates in the 1980s and 1990s software piracy scene, where crackers competed to be the first to hack a new game so it could be played illegally without paying. The speed of a crack was measured in the number of days after official release until the crack appeared, so that a same-day crack, known as a “zero-day”, was the ultimate achievement.

Read more at https://nakedsecurity.sophos.com/2018/08/14/apple-mac-zero-day-hack-lets-you-sneakily-click-ok/

Pacemaker controllers still vulnerable 18 months after flaws reported

By John E Dunn

A popular brand of heart pacemaker is still vulnerable to compromise more than a year and a half after the company that makes them was told of weaknesses in its security, researchers have claimed during a Black Hat presentation.

The product in question is the Medtronic CareLink 2090 monitor, used by doctors to control pacemaker settings, and the researchers are Billy Rios of QED Secure Solutions and Jonathan Butts of WhiteScope, both of whom have an impressive track record at finding flaws in unexpected places.

Last year the pair used a show session to highlight flaws that might allow an attacker to gain control of poorly-secured car washes, while Rios has also co-researched weaknesses in diverse devices such as electronic door security and X-ray machines.

This year’s session on pacemaker hacking sounded a lot more dangerous, however, and the pair underscored the medical theme by demonstrating a separate attack on Medtronic’s MiniMed insulin pump.

As reported by journalists who attended the demo, the vulnerability that makes it possible for an attacker to run malware on the CareLink 2090 is down to poor software design, primarily that software updates aren’t signed or encrypted.

This is far from an unknown issue on IoT devices, but the session wasn’t simply about what is possible so much as how the manufacturer had responded after being told of the weakness.

As of 9 August, the issue had first been reported to Medtronic 570 days ago, with a proof-of-concept 155 days ago, they said.

Read more at https://nakedsecurity.sophos.com/2018/08/14/pacemaker-controllers-still-vulnerable-18-months-after-flaws-reported/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.
