CAKETAP sends this stored verification message to the HSM to trick it into allowing a fraudulent transaction by sending the stored message. On the other hand, when a regular ATM user uses a valid card on an affected ATM, CAKETAP stores the verification message from a valid transaction, which essentially says that the card is not fraudulent, and forwards it to the HSM, allowing for routine transactions to continue uninterrupted. This, in turn, creates a valid response from the HSM. When threat actors use a fraudulent card on an affected ATM, CAKETAP alters card verification messages to disable card verification. Banks use this tamper- and intrusion-proof hardware component to generate, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. This rootkit can conduct fraudulent bank transactions by intercepting specific messages-card and PIN verification messages-sent to the ATM system's Payment Hardware Security Module (HSM). It removes itself from a list of loaded modules on execution and updates data in the last_module_idfunction to reflect data from a previously loaded module. It hides network connections, processes, and files. This rootkit is a Unix kernel module that performs several malicious tasks to aid attackers-Mandiant tracks it as UNC2891 (aka LightBasin)-in conducting fraudulent ATM transactions.ĬAKETAP has an impressive list of stealth capabilities to hide its presence and activities. Recently, a new rootkit, which the Mandiant Advanced Practices team have named CAKETAP, was found targeting Oracle Solaris systems running on ATM switch servers. Malware can be plantedat the ATM's PC or its network, or attackers could launch a Man-in-the-Middle (MiTM)attack. ![]() It's not unusual to hear about malware created to affect automated teller machines (ATMs).
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |