‘Jackpotting’ hackers steal over $1 million from ATM machines across U.S.: Secret Service

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.

By Dustin Volz

WASHINGTON (Reuters) – A coordinated group of hackers likely tied to international criminal syndicates has pilfered more than $1 million by hijacking ATM machines across the United States and forcing them to spit out bills like slot machines dispensing a jackpot, a senior U.S. Secret Service official said on Monday.

Within the past few days there have been about a half-dozen successful “jackpotting” attacks, the official said.

The heists, which involve hacking ATMs to rapidly shoot out torrents of cash, have been observed across the United States spanning from the Gulf Coast in the southern part of the country to the New England region in the northeast, Matthew O’Neill, a special agent in the criminal investigations division, told Reuters in an interview.

The spate of attacks represented the first widespread jackpotting activity in the United States, O’Neill said. Previous campaigns have been spotted in parts of Europe and Latin America in recent years.

“It was just a matter of time until it hit our shores,” O’Neill said.

Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, warned last week that cyber criminals are targeting ATMs with tools needed to carry out jackpotting schemes.

The Diebold Nixdorf alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device.

A confidential U.S. Secret Service alert seen by Reuters and sent to banks on Friday said machines running XP were more vulnerable and encouraged ATM operators to update to Windows 7 to protect against the attack, which appeared to be targeting ATMs typically located in pharmacies, big box retailers and drive-thrus.

While initial intelligence suggested only ATMs running on outdated Windows XP software were being targeted, the Secret Service has seen successful attacks within the past 48 hours on machines running updated Windows 7, O’Neil said.

“There isn’t one magic solution to solve the problem,” he said.

A local electronic crimes task force in the Washington, D.C., metropolitan area first reported an unsuccessful jackpotting attempt last week, O’Neill said.

A few days later another local partner witnessed similar activity and “developed intelligence” that indicated a sustained, coordinated attack was likely to occur over the next two weeks, O’Neill said. He declined to say where that partner was located.

Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details.

(Reporting by Dustin Volz in Washington, D.C.; Editing by David Gregorio)

ATM makers warn of ‘jackpotting’ hacks on U.S. machines

: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017.

By Jim Finkle

(Reuters) – Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, have warned that cyber criminals are targeting U.S. cash machines with tools that force them to spit out cash in hacking schemes known as “jackpotting.”

The two ATM makers did not identify any victims or say how much money had been lost. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details.

The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico.

The companies confirmed to Reuters on Saturday they had sent out the alerts to clients.

NCR said in a Friday alert that the cases were the first confirmed “jackpotting” losses in the United States. It said its equipment had not been targeted in the recent attacks, but that it was still a concern for the entire ATM industry.

“This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the alert said.

Diebold Nixdorf said in a separate Friday alert that U.S. authorities had warned the company that hackers were targeting one of its ATM models, known as Opteva, which went out of production several years ago.

A confidential U.S. Secret Service alert sent to banks said the hackers targeted stand-alone ATMs typically located in pharmacies, big box retailers and drive-thru ATMs, Krebs on Security reported.

Diebold Nixdorf’s alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device.

Reuters was unable to obtain a copy of the Secret Service report and an agency representative declined comment. Officials with the Federal Bureau of Investigation could not immediately be reached.

Russian cyber security firm Group IB has reported that cyber criminals remotely attacked cash machines in more than a dozen countries across Europe in 2016. Similar attacks were also reported that year in Thailand and Taiwan.

(Reporting by Jim Finkle in Toronto; Additional reporting by Dustin Volz in Washington; Editing by Susan Thomas)

U.S. government warns businesses about cyber bug in Intel chips

U.S. government warns businesses about cyber bug in Intel chips

By Stephen Nellis and Jim Finkle

(Reuters) – The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

“These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years,” said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

For a remote attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a hacker would need to know the administrator’s user name and password, Little said. Attackers could break in without those credentials if they have physical access to the computer, he said.

Intel said that it knew of no cases where hackers had exploited the vulnerability in a cyber attack.

The Department of Homeland Security advised computer users to review the warning from Intel, which includes a software tool that checks whether a computer has a vulnerable chip. It also urged them to contact computer makers to obtain software updates and advice on strategies for mitigating the threat. (http://bit.ly/2zqhccw)

Intel spokeswoman Agnes Kwan said the company had provided software patches to fix the issue to all major computer manufacturers, though it was up to them to distribute patches to computers users.

Dell’s support website offered patches for servers, but not laptop or desktop computers, as of midday Tuesday. Lenovo offered fixes for some servers, laptops and tablets and said more updates would be available Friday. HP posted patches to its website on Tuesday evening.

Security experts noted that it could take time to fix vulnerable systems because installing patches on computer chips is a difficult process.

“Patching software is hard. Patching hardware is even harder,” said Ben Johnson, co-founder of cyber startup Obsidian Security.

(Reporting by Stephen Nellis; Editing by Cynthia Osterman and Grant McCool)

Travelers says it is in ‘right spot’ for cyber insurance exposure

Travelers says it is in 'right spot' for cyber insurance exposure

By Suzanne Barlyn

(Reuters) – Travelers Cos Inc <TRV.N> plans to stick to its recent growth pace for sales of cyber insurance, which protects businesses against hacking and other liabilities, despite potential to boost it, as the insurer assesses risks in the segment, its head of specialty insurance said on Monday.

“We feel like we’re just in the right spot,” Thomas Kunkel, the insurer’s president of bond and specialty insurance, said during an investor meeting in Connecticut.

Travelers has increased its cyber business at a 40 percent compound annual growth rate since 2011 and could quicken the pace, Kunkel said. “It would not be hard,” he said.

But Travelers must be “respectful and prudent” about the risks involved in cyber, Kunkel said.

Insurers have said the growing sophistication of hackers alongside a still-evolving cyber insurance industry makes it difficult to quantify their potential cyber-related losses.

About three-quarters of cyber policies that Travelers writes cover up to $1 million in damages, while nearly a quarter cover between $1 million and $5 million, the company said.

“We manage our limits very closely,” Kunkel said.

Equifax Inc <EFX.N>, which compiles credit information about consumers and assigns them scores, disclosed in September that cyber criminals had breached its systems between mid-May and late July and stolen the sensitive information of 145.5 million people. The hack is among the largest ever.

Regulation will also drive demand for cyber insurance, particularly in the financial services sector, Fitch Ratings said in a report on Monday.

“As the cyber insurance market develops, competition is likely to erode profit margins,” Fitch said.

Some insurers who ultimately enter the cyber market may lack underwriting experience and take on risks that could exceed their capital, Fitch said.

Events that could trigger large claims include cyber attacks on electronic grids and transportation systems, or hacks of large data storage clouds, Fitch said.

Insurer American International Group Inc <AIG.N> said on Oct. 26 that it was reviewing all types of coverage it offers to gauge its exposure to cyber risk.

AIG will start including cyber coverage as part of its commercial casualty insurance during the first quarter of 2018, Tracie Grella, global head of cyber risk insurance, said at the time.

The move would boost rates but also make it clearer how customers are covered if they are the victim of a security breach.

Many commercial insurers offer stand-alone cyber coverage, but it is not yet a standard addition to most other policies, such as property and casualty.

(Reporting by Suzanne Barlyn in New York; Editing by Lisa Von Ahn and Matthew Lewis)

NotPetya hackers likely behind BadRabbit attack: researchers

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence Bad Rabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried about by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

Adobe warns that hackers are exploiting its Flash software

The logo of the anti-virus firm Kaspersky Lab is seen at its headquarters in Moscow, Russia September 15, 2017

TORONTO (Reuters) – Adobe Systems Inc warned on Monday that hackers are exploiting vulnerabilities in its Flash multimedia software platform in web browsers, and the company urged users to quickly patch their systems to prevent such attacks.

The warning came after cyber security firm Kaspersky Lab Inc said a group it was tracking, BlackOasis, used the previously unknown weakness on Oct. 10 to plant malicious software on computers before connecting them back to servers in Switzerland, Bulgaria and the Netherlands.

Kaspersky said the malware, known as FinSpy or FinFisher, is a commercial product typically sold to nation states and law enforcement agencies to conduct surveillance.

Kaspersky said its assessment of BlackOasis shows it is targeting Middle Eastern politicians and United Nations officials engaged in the region, opposition bloggers and activists, and regional news correspondents with the latest version of FinSpy.

The company said victims have so far been observed in Russia, Iraq, Afghanistan, the United Kingdom, Iran and elsewhere in Africa and the Middle East.

Adobe said it had released a Flash security update to fix the problem, which affected Google’s Chrome and Microsoft’s Edge and Internet Explorer browsers as well as desktop versions.

Adobe said in July that by the end of 2020 it would retire its once-ubiquitous technology used to power most of the media content found online.

It was heavily criticized by late Apple CEO Steve Jobs, with alternatives such as HTML5 emerging in recent years and several web browsers now requiring users to enable Flash before running it.

On Google’s Chrome, the most popular web browser, Flash was used daily by 17 percent of desktop users, down from 80 percent in 2014, Google said at the time Adobe announced its retirement.

 

(Reporting by Alastair Sharp in Toronto, additional reporting by Sonam Rai in Bengaluru; Editing by Sriraj Kalluvila and David Gregorio)

 

Trump administration to order agencies to adopt new email security standards

Jeanette Manfra, Acting Deputy Undersecretary for Cybersecurity at the DHS, testifies about Russian interference in U.S. elections to the Senate Intelligence Committee in Washington, U.S., June 21, 2017.

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration on Monday will order federal agencies to adopt common email security standards in an effort to better protect against hackers, a senior Department of Homeland Security official said.

DHS Assistant Secretary for Cybersecurity Jeanette Manfra, speaking at an event in New York, said the agency would issue a binding directive to require implementation of two cyber security measures, known as DMARC and STARTTLS, intended to guard against email spoofing and phishing attacks.

The new requirements are “discrete steps that have scalable, broad impact” that will improve federal government cyber security, Manfra said.

DMARC, or domain-based message authentication, reporting and conformance, is a popular technical standard that helps detect and block email impersonation, such as when a hacker might try to pose as a government official or agency.

STARTTLS is a form of encryption technology that protects email traveling between servers, making it more difficult for a third-party to intercept.

 

(Reporting by Dustin Volz; Editing by Chizu Nomiyama and Bill Trott)

 

Researchers uncover flaw that makes Wi-Fi vulnerable to hacks

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013

(Reuters) – Belgian researchers have discovered a flaw in a widely used system for securing Wi-Fi communications that could allow hackers to read information that was previously understood to be encrypted, or infect websites with malware, they said on Monday.

Researchers Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven disclosed the bug in the WPA2 protocol, which secures modern Wi-Fi systems used by vendors for wireless communications between mobile phones, laptops and other connected devices with Internet-connected routers or hot spots.

“If your device supports Wi-Fi, it is most likely affected,” they said on a website, www.krackattacks.com, that they set up to provide technical information about the flaw and methods for attacking vulnerable devices.

It was not immediately clear how difficult it would be for hackers to exploit the bug, or if the vulnerability has previously been used to launch any attacks.

The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue “could be resolved through a straightforward software update.”

The group said in a statement it had advised members to quickly release patches and recommended that consumers quickly install those security updates.

 

 

(Reporting by Jim Finkle in Toronto; editing by Susan Thomas)

 

Joint Strike Fighter plans stolen in Australia cyber attack

Two Lockheed Martin Corp F-35 stealth fighter jets fly to the Avalon Airshow in Victoria, Australia, March 3, 2017. Australian Defence Force/Handout via REUTERS

By Tom Westbrook

SYDNEY (Reuters) – A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.

About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.

“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.

“I don’t know who did it.”

In a presentation to a conference in Sydney, an official from the Australian Signals Directorate (ASD) intelligence agency said technical information on smart bombs, the Joint Strike Fighter, the Poseidon maritime patrol aircraft and several naval vessels was stolen.

“The compromise was extensive and extreme,” said the official, Mitchell Clarke, in an audio recording made by a ZDNet journalist and broadcast by the ABC.

Clarke said the attacker accessed the small contractor’s systems for five months in 2016, and the “methodical, slow and deliberate,” choice of target suggested a nation-state actor could be behind the raid.

Australia has agreed to buy 72 Lockheed Martin Corp Joint Strike Fighter planes.

A spokesman for the Australian Cyber Security Centre (ACSC), a government agency, said the government would not release further details about the cyber attack.

The ACSC said in a report on Monday that it responded to 734 cyber attacks on “systems of national interest” for the year ended June 30, and the defense industry was a major target.

The attack on the defense contractor was carried out by a “malicious cyber adversary”, it said.

In 2016 the agency said it responded to 1,095 cyber attacks over an 18-month period, including an intrusion from a foreign intelligence service on the weather bureau.

(Reporting by Tom Westbrook; Editing by Stephen Coates)

North Korea hackers stole South Korea-U.S. military plans to wipe out North Korea leadership: lawmaker

The North Korea flag flutters next to concertina wire at the North Korean embassy in Kuala Lumpur, Malaysia March 9, 2017. REUTERS/Edgar Su

By Christine Kim

SEOUL (Reuters) – North Korean hackers stole a large amount of classified military documents, including South Korea-U.S. wartime operational plans to wipe out the North Korean leadership, a South Korean ruling party lawmaker said on Wednesday.

Democratic Party representative Rhee Cheol-hee said 235 gigabytes of military documents were taken from the Defense Integrated Data Center in September last year, citing information from unidentified South Korean defense officials.

An investigative team inside the defense ministry announced in May the hack had been carried out by North Korea, but did not disclose what kind of information had been taken.

Pyongyang has denied responsibility in its state media for the cyber attacks, criticizing Seoul for “fabricating” claims about online attacks.

Separately on Wednesday, cyber security firm FireEye said in a statement North Korea-affiliated agents were detected attempting to phish U.S. electric companies through emails sent in mid-September, although those attempts did not lead to a disruption in the power supply.

It did not specify when the attempts had been detected or clarify which companies had been affected.

Rhee, currently a member of the National Assembly’s committee for national defense, said about 80 percent of the hacked data had not yet been identified, but that none of the information was expected to have compromised the South Korean military because it was not top classified intelligence.

Some of the hacked data addressed how to identify movements of members of the North Korean leadership, how to seal off their hiding locations, and attack from the air before eliminating them.

Rhee said the North could not have taken the entire operation plans from the database because they had not been uploaded in full.

These plans had likely not been classified properly but defense ministry officials told Rhee the hacked documents were not of top importance, he said.

“Whatever the North Koreans took, we just need to fix the plans,” Rhee later told Reuters by telephone. “I disclosed this because the military hasn’t been doing that fast enough.”

SIMPLE MISTAKE

Rhee said on radio the hack had been made possible by “a simple mistake” after a connector jack linking the military’s intranet to the internet had not been eliminated after maintenance work had been done on the system.

The South Korean Defense Ministry’s official stance is that they cannot confirm anything the lawmaker said about the hacked content due to the sensitivity of the matter.

In Washington, the Pentagon said it was aware of the media reports but would not comment on the potential breach.

“Although I will not comment on intelligence matters or specific incidents related to cyber intrusion, I can assure you that we are confident in the security of our operations plans and our ability to deal with any threat from North Korea,” Pentagon spokesman Colonel Robert Manning told reporters.

FireEye said the phishing attack on the electric companies detected was “early-stage reconnaissance” and did not indicate North Korea was about to stage an “imminent, disruptive” cyber attack. The North has been suspected of carrying out similar cyber attacks on South Korean electric utilities, in addition to other government and financial institutions.

Those attempts were likely aimed at creating a means of “deterring potential war or sowing disorder during a time of armed conflict”, FireEye said.

“North Korea linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide,” its statement said.

“Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback,” it said.

(Reporting by Christine Kim in SEOUL and Ishita Chigilli Palli in Bengaluru; Additional reporting by Idrees Ali in Washington; Editing by James Dalgleish, Michael Perry and Paul Tait)