
Cyber Security in the Financial Market

The new challenges

The ECB conducted a “stress test” on cyber resilience, concluded in July 2024, covering 109 banks, 28 of which were investigated more thoroughly. The objective was to assess the resilience of the institutions’ structures following a (simulated) attack on the bank; to counter it, banks had to activate their response and continuity plans: mitigation, restoration, and management of communications (internal, customers, suppliers and law enforcement).

The results will be reported in the SREP 2024 (Supervisory Review and Evaluation Process), which sets the priorities for 2024-2026: “The main purpose of the ECB’s strategic banking supervision planning is to develop a sound strategy for the next three years. The following priorities will aim to promote efficiency and consistency in the supervisory planning of the Joint Supervisory Teams (JSTs) and support a more efficient allocation of resources, in line with the setting of the corresponding risk tolerance levels.

In the context of the SSM supervisory priorities for 2024-2026, supervised institutions will primarily be asked to strengthen their resilience to immediate macro-financial and geopolitical shocks (Priority 1), as well as accelerate the effective remediation of shortcomings in governance and the management of C&E risks (Priority 2) and make further progress in their digital transformation and building robust operational resilience frameworks (Priority 3)”. (source: ECB Banking Supervision)

The analysis follows a significant increase in attack reports sent to the ECB by financial institutions, aggravated by the institutions’ infrastructural deficiencies, such as EoL systems (End of Life, that is obsolete and no longer supported) and the growing use of the cloud, with the attendant difficulty of managing the supply-chain security of third-party suppliers.

Let’s look into the reasons for this protection race

Earlier this year, after inspecting 22 banks in 11 countries, the ECB had stated: “The deficiencies were more serious and widespread than expected. Weaknesses were found in all areas of cybersecurity.” Urging banks to take effective countermeasures to raise their defenses, it introduced the stress test activity (subsequently conducted) to analyze those gaps and then issue directives to close them.

Geopolitics and Cybersecurity: a context of growing tension

Geopolitical instability amplifies cyber risk: rival nations, state-sponsored attack groups and criminal organizations know that banks are a privileged target for destabilizing the markets of the countries they intend to attack.

In this scenario, resilience is not limited to prevention: institutions must be prepared to respond effectively and ensure continuity of services even in the event of an incident. The concept of “assume breach” becomes crucial: it is not just about avoiding the attack, but about being ready to respond quickly to reduce the damage.

The weak link in the chain: ATM

Among the most exposed endpoints are ATMs. This is because they handle “sensitive” information such as card numbers and access codes, are physically accessible to anyone and (too often) run outdated software and hardware. Two recent case studies from Europe:

Jackpotting attack in Spain (2023)

In 2023, Spain was the victim of a series of jackpotting attacks targeting ATMs located in tourist destinations, taking advantage of the lower vigilance in crowded places. The attackers used an updated variant of the Cutlet Maker malware, which allowed them to take control of the ATMs: through physical devices connected to the ATMs, they were able to send commands that made the machines dispense large sums of money without the need for cards or PINs. The criminal group responsible operated in an organized way, sending so-called “mules” to collect the money in several Spanish cities. The bank involved responded quickly, but the damage was significant, with losses exceeding €1 million.

Multivector Malware Attack in Italy (2022)

In 2022, several banking institutions in Italy were hit by a multivector malware attack, which combined jackpotting and phishing techniques to compromise ATMs across the country. Hackers introduced malware directly into the banks’ ATMs through their internal network, exploiting vulnerabilities in the ATM software, much of which still runs outdated operating systems such as Windows XP.

The malware, a variant of the well-known Ploutus-X, allowed attackers to remotely control the ATMs and synchronize the dispensing of cash with the arrival of accomplices waiting on the spot to collect it. The hallmark of this attack was the use of phishing emails to penetrate bank networks and gain access to the ATMs.

In response to this attack, Italian banks launched a series of software updates and strengthened staff training to prevent future breaches. In general, there are many types of attacks on ATMs: ATM jackpotting with the FiXS variant, Transaction Reversal Fraud, and the latest threat, called EU ATI Malware (available on the dark web), which promises to withdraw up to $30,000 from a single machine (the news comes from the DailyDarkweb site, which gives it a 99% success rate).

What are the main weaknesses of ATMs?

Recent analyses have revealed:

  1. Obsolete operating systems

Many ATMs use old and no longer supported operating systems, such as Windows XP or Windows 7, which do not receive security updates. These systems are particularly vulnerable to malware and cyber-attacks.

  2. Unsecured network connections

ATMs often communicate with banking networks over connections that are not always properly encrypted or secured. Hackers can intercept these communications, injecting malicious commands or manipulating the transmitted data, through man-in-the-middle attacks or remote attacks such as jackpotting.

  3. Direct physical access

An ATM is a physical device accessible to the public, which makes it vulnerable to hardware manipulation. Hackers can install devices such as skimmers (to capture card data) or black boxes (devices that simulate the bank’s control of the machine) by physically accessing the ATM to connect malicious tools.

  4. Lack of real-time monitoring

Many ATMs do not have real-time monitoring systems able to detect abnormal behaviour. This means that an attack can happen without the bank or the authorities immediately noticing it, allowing hackers to act undisturbed.

  5. Insufficient physical security

Cash machines in isolated or poorly guarded locations are easier to compromise. The absence of cameras, alarms or additional physical protection (such as armouring) makes tampering easier.

  6. Lack of data encryption

Some ATMs do not use encryption properly to protect the information transmitted between the ATM and the bank. This makes it possible for hackers to intercept and manipulate transaction data, such as card numbers or PINs, during the transfer.

  7. Vulnerabilities in ATM software

ATMs use specific software for cash dispensing and transaction management. If this software contains bugs or security flaws, hackers can exploit them to gain access to the system, manipulate transactions, or force cash out through jackpotting.

  8. Use of unprotected devices

ATM peripherals such as card readers and keypads can be easily tampered with. For example, PIN pad overlays are devices placed over the real keypads that record the PINs typed by customers, while card skimmers capture magnetic-stripe data during normal use.

  9. Uncontrolled third-party suppliers

ATMs are often managed by third parties, and managing security along the supply chain can be problematic. Hackers can exploit vulnerabilities in the suppliers or in the technicians responsible for maintenance.

  10. Security patches not applied

Banks and ATM operators do not always apply the security patches issued by software and hardware suppliers in a timely manner. This delay allows hackers to exploit known vulnerabilities to attack ATMs before they are fixed.

These weaknesses represent a large attack surface that, if not adequately protected, can be exploited to compromise ATM systems.
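As an added illustration of the real-time monitoring point above (example code written for this page, not Gyala’s or any vendor’s), the following Python correlates ATM event-log lines and flags cash dispenses that have no preceding host-authorized transaction, the trace that jackpotting leaves behind, and notes when a USB device was attached shortly before. The log format, event names, the sample lines and the 60-second window are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp|atm_id|event|detail.
# The first dispense is preceded by a host-approved PIN check; the two later
# ones follow a newly attached USB device and have no authorization at all.
SAMPLE_LOG = """\
2024-05-01T10:00:01|ATM-17|CARD_INSERTED|pan_last4=1234
2024-05-01T10:00:07|ATM-17|PIN_VERIFIED|host_auth=OK
2024-05-01T10:00:09|ATM-17|DISPENSE|amount=200
2024-05-01T10:14:30|ATM-17|USB_DEVICE_ATTACHED|class=HID
2024-05-01T10:14:41|ATM-17|DISPENSE|amount=2000
2024-05-01T10:14:55|ATM-17|DISPENSE|amount=2000
"""

AUTH_WINDOW = timedelta(seconds=60)  # assumed max gap between auth and dispense


def parse(log):
    """Turn log text into (timestamp, atm_id, event, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, atm, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), atm, event, detail))
    return events


def find_unauthorized_dispenses(events):
    """Return (timestamp, atm_id, detail, reason) for every DISPENSE that is
    not covered by its own host-approved PIN_VERIFIED within AUTH_WINDOW.
    Each authorization covers exactly one dispense, so a second payout after
    a single approval is also flagged."""
    pending_auth = {}   # atm_id -> time of unused host approval
    last_usb = {}       # atm_id -> time a USB device was last attached
    alerts = []
    for ts, atm, event, detail in sorted(events):
        if event == "PIN_VERIFIED" and "host_auth=OK" in detail:
            pending_auth[atm] = ts
        elif event == "USB_DEVICE_ATTACHED":
            last_usb[atm] = ts
        elif event == "DISPENSE":
            auth = pending_auth.pop(atm, None)  # consume the authorization
            if auth is not None and ts - auth <= AUTH_WINDOW:
                continue
            reason = "dispense without recent authorized transaction"
            usb = last_usb.get(atm)
            if usb is not None and ts - usb <= AUTH_WINDOW:
                reason += "; USB device attached shortly before"
            alerts.append((ts, atm, detail, reason))
    return alerts
```

On the sample log the first payout passes and the two later ones are flagged, both with the USB note, which is the kind of event a monitoring system should raise immediately rather than discover at reconciliation.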

AGGER: Gyala’s answer

AGGER, Gyala’s cyber security solution, offers a range of tools that go beyond simple attack prevention to proactive and automated threat management. Agger identifies, detects and manages all devices; controls and prevents the execution of attacks on the operating system (including legacy ones); and, thanks to machine learning, analyzes the behavior of the device to identify anomalies, for example a mouse acting as a keyboard.

Agger’s strengths:

  1. Advanced and customized detection and reaction automation: AGGER allows custom rules to be configured at the level of individual endpoints to meet the operational needs of financial institutions.
  2. Complete integration: The software can collect and analyze logs from any existing cybersecurity system, improving the effectiveness and visibility of security operations.
  3. Real-time monitoring of IT and OT: AGGER can monitor both IT and OT networks, a key feature for institutions operating critical infrastructures.
  4. Operational resilience and risk mitigation: With its machine learning tools, AGGER can detect anomalies and threats promptly, reducing response times and increasing the resilience of institutions.
  5. Legacy support: Agger can support any legacy system at OT level; we currently support Windows, Linux and macOS systems. We also develop agents and connection interfaces for specific needs.