# When ransomware hits an ATM giant #### The Diebold Nixdorf case dissected # When ransomware hits an ATM giant #### The Diebold Nixdorf case dissected ----- ## Who am I? ### Frank Boldewin - Executive Expert Security Operations & Defense at Fiducia & GAD IT AG - EAST EGAF + EPTF member - Reverser, Malware Researcher, Threat Intelligence dude - Focused on hunting APTs targeting the financial industry ### Fiducia & GAD IT AG - IT service provider for Germany‘s Cooperative Financial Network - Customers ~900 Volksbanken and Raiffeisenbanken, as well as numerous private Banks - Providing a range of IT solutions, IT infrastructure services and hardware products - Administering ~82 million banking accounts - ~34000 ATMs and self service terminals ----- ## Background story 1/2 ###  At the end of April 2020, Diebold Nixdorf, one of the world's largest ATM manufacturers experienced an IT outage of some of their services.  This included the company's homepage and some of its mail servers, which were temporarily unavailable. ----- ## Background story 2/2 ###  On May 11, 2020 Krebsonsecurity.com reported about a ransomware incident at Diebold Nixdorf.  Some key statements: ####  According to DN, the company‘s security team discovered a ransomware attack on April 25, 2020.  An investigation determined that the attackers installed the ProLock ransomware.  The incident did not affect the ATMs customers networks or the general public and its impact was not material to their business.  DN informed their customers about the situation and how they addressed it. Source: https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/ ----- ## Risk situation from customers perspective 1/2 ###  Unfortunately, the detail level in the blog post was not comprehensive enough to adequately clarify the question of how the attacks could spread to the company's own IT infrastructure.  Due to the increasing number of supply chain attacks in the last three years, the risk situation in the financial sector has also changed significantly.  Manufacturer This has led us to consider some worst-case scenarios which were already observed in the wild in a similar form. ----- ## Risk situation from customers perspective 2/2 ###  Assuming threat actors successfully implemented a sophisticated backdoor in the manufacturer’s ATM sources, they could gain unauthorized access to all devices on which the modified code has been deployed.  Furthermore, stolen credentials typically intended for customer support access, Manufacturer could also lead to attacker opportunities. ----- ## How the investigation started 1/3 ###  Looking for more details about the perpetrators, their actions and objectives, Fiducia & GAD conducted its own investigation to better understand the risk situation.  A specific search on the Virustotal resulted in two documents that were uploaded at the beginning of May 2020. ----- ## How the investigation started 2/3 ###  Inspecting the file with hash 5267cc… reveals information about its origin, its creator and another editor of the document.  In addition, there is also the date of initial creation on April 28, 2020 and the date of the last editing on May 1, 2020. ----- ## How the investigation started 3/3 #####  The document was uploaded from Slovakia by an unknown user.  Based on the DN job openings (as of May 2020) available in that country, it is reasonable to assume that an incident response analyst from the Security Operations Center decided to scan the file for viruses before execution and uploaded it to Virustotal.  An OpSec failure unfortunately occurring quite often, even among people with security know-how. ----- ## Examination of the document content 1/2 #### (hash 5267cc…) ###  The forensic traces confirm the statements on Krebsonsecurity.com that files were encrypted with the ProLock ransomware.  Another interesting IOC is the reference to a Qakbot payload.  On May 4, 2020 the FBI issued a security alert reporting the ProLock gang gains initial access to victim networks via the Qakbot trojan since March 2020.  Files such as rdp.bat, Psexec.exe and adfind.exe were likely used for lateral movement to gain access to the domain controller or other interesting targets. ----- ## Examination of the document content 2/2 #### (hash 5267cc…) ###  In addition to the Qakbot sample, the payload domain can also be  found in the IOC document sollight.com[.]hk  Apparently, IP addresses of the range 172.x.x.x also showed malicious activity, which will be discussed later. ----- ## Infection timeline ####  A Netflow analysis of the Qakbot payload domain sollight.com[.]hk reveals a top talker with a source IP 208.87.12.248 (belonging to Diebold- Nixdorf US).  As the chart illustrates the communication to the C2 has been terminated on April 26, 2020 after the company's employees noticed the attack and disconnected systems from their network to contain the spread of the malware. This coincides with the statements in the report on Krebsonsecurity.com ----- ## Reconstructed infection process ----- ## Malicious file analysis #### Operating Agreement_1.doc ##### Compressed OLE stream containing obfuscated malicious macro code ##### Deobfuscated macro code reveals PowerShell script downloading and executing the Qakbot payload. ----- ## Payload staging ##### Based on the 172.x.x.x IP addresses from the IOC report, payloads were identified involved in the attack. For staging purposes attackers spawned a PowerShell script on infected systems, which in turn applies a Cobalt Strike shellcode. ----- ## ProLock Ransomware installation process 1/3 #### There are usually 4 files involved in the installation of the ProLock ransomware: #####  run.bat  WinMgr.xml  clean.bat  WinMgr.bmp #### Filenames can vary, e.g. next to .BMP files also other formats have been spotted itw.  Diebold-Nixdorf case A fake .DIB file, which is preceded by a random 8-character name, e.g. 8A67B05B.dib, as the IOC report reveals. The file Run.bat is used to install a scheduled task on the Windows target systems. ----- ## ProLock Ransomware installation process 2/3 ### Schtasks.exe parses the configuration data from the file WinMgr.xml and then executes clean.bat. Clean.bat then executes a Base64-encoded PowerShell script. … ----- ## ProLock Ransomware installation process 3/3 ####  The decoded PowerShell script then reads the content of WinMgr.bmp  At first sight it appears to be a legitimate image file, but at a certain position the file contains the actual ProLock Ransomware shellcode, which the PowerShell script reads and then executes in memory. ----- ## Runtime decryption #### ProLock decrypts suspicious strings at runtime, trying to stay under the radar as long as possible. ----- ## YARA rule to detect ProLock #### https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar ----- ## Conclusion ###  Ransomware attacks have increased massively in the last two years, and the success rate even at large companies illustrates how sophisticated and professional the perpetrators operate to reach their goal.  If companies become victims of such an attack, a quick response is essential before the attackers can encrypt systems and/or exfiltrate sensitive data.  Keeping in mind that supply chain attacks are a growing threat, affected companies should provide customers with as much as information as possible, including TTPs, IOCs and recommendation for actions.  Gaining threat intelligence can help to get more insights even without having first hand information. ----- ## The end ### Thanks to @Cocaman for exchanging ideas! Acknowledgement to Diebold Nixdorf for being cooperative after sharing my analysis with them, which allowed us to get further insights into their internal DFIR process of this case. -----