Diebold Nixdorf warns of a new class of ATM 'black box' attacks across Europe

New ATM black box (jackpotting) attacks have been spotted in Belgium.

atm-keypad-sferrario.jpg

ATM maker Diebold Nixdorf is warning banks of a new type of ATM "black box" attack that was recently spotted used across Europe.

ATM "black box" attacks are a type of jackpotting attack -- when cybercriminals make an ATM spit out cash. A jackpotting attack can be executed with malware installed on an ATM, or by using a "black box."

A black box attack is when an intruder unfastens an ATM outer case to access its ports or cuts a hole in the casing for direct access to its internal wiring or other hidden connectors.

Using these access points, the attacker then connects a "black box" device -- usually a laptop or Raspberry Pi board -- to the ATM's internal components, which they use to send commands to the ATM's cash dispenser and release cash from the storage cassettes.

ATM black box jackpotting attacks have been taking place for more than a decade. They've been extremely popular with criminal gangs as the technique is both cheaper and simpler to execute than using ATM skimming equipment, cloning cards, and having to launder the money -- a process that usually takes months to complete.

Black box attacks allow lower-skilled threat actors to quickly purchase the black box equipment and malware they need and start jackpotting ATMs within days.

New novel attack targets ProCash 2050xe ATMs

In a security alert sent on Wednesday, Diebold Nixdorf, the world's largest ATM maker, said its investigators have become aware of a new variation of black box attacks that is being used in certain countries across Europe.

Diebold Nixdorf says the new attacks have been observed used only against ProCash 2050xe ATM terminals [PDF], with the attackers connecting to the device via USB ports. The company explains:

wincor-nixdorf-procash-2050xe.jpg

Diebold Nixdorf PRoCash 2050xe ATM

Image: Diebold Nixdorf, CGTrader

"In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands."

But this was not the technique that caught Diebold Nixdorf's attention. While attackers usually deployed malware or their own code to interact with the ATM cash dispenser component, the ATM vendor said that during these recent attacks the perpetrators appear to have obtained a copy of the ATM software (firmware), which they've installed on the black box and were using to interact with the cash dispenser.

"The investigation into how these parts were obtained by the fraudster is ongoing," the company said. Currently, Diebold Nixdorf believes the attackers might have connected to an ATM and found its software stored insecurely on an unencrypted hard disc.

Technique used in recent attacks across Belgium

A source in the banking industry has told ZDNet today that the Diebold Nixdorf alert is the direct result of an investigation into a series of ATM jackpotting attacks that took place in Belgium last month, in June 2020.

The attacks forced Belgian savings bank Argenta to shut down 143 ATMs last month after suffering two mysterious ATM jackpotting attacks, one in June, and one last weekend.

The attacks, considered the first jackpotting incidents in Belgium's history, used the same technique described in the Diebold Nixdorf alert, with the attackers connecting to the ATM via USB and emptying the cash dispenser. Only Diebold Nixdorf ATMs were attacked, according to the Brussels Times, who reported on the incidents.

In an interview today, Manuel Pintag, a cybersecurity analyst and banking fraud expert for Telefonica, told ZDNet that this particular technique had been seen before, although not across Europe but in Latin America.