Weekly Threat Report 28th October 2016

Created:  31 Oct 2016
Updated:  31 Oct 2016
This report is drawn from recent open source reporting

Malware-infected ATMs compromise Indian debit cards

Indian media have reported that 3.2 million debit cards may have been compromised by ATM malware in what has been described as the “biggest ever cyber security breach” in the Indian banking sector. The Economic Times reported that debit cards belonging to large banks such as the State Bank of India (SBI), HDFC Bank, Yes Bank and ICICI Bank may have been compromised.

Although some reports indicate that the breach may have occurred in Hitachi Payment Services systems, this has not been confirmed. The National Payments Council of India (NPCI) has launched a forensic audit on Indian bank servers and systems in order to establish the origin of the attack. In addition, the State Bank of India has re-issued 600,000 of its debit cards, and other banks have recommended that customers reset their PINs. 

The compromise follows a recent report by Kaspersky Lab indicating that ATMs were vulnerable due to their outdated communication standards. The report highlighted that 95% of the world’s ATMs, including many in the UK, run on the now unsupported Windows XP. However, most ATMs in the UK connect to their Bank Driving Software using a Virtual Private Network (VPN) and run hardened versions of Windows, which makes them harder to exploit.

We assess that whilst this is not the first time that ATMs have been targeted, the use of malware as an attack vector has been significantly less common than physical attacks using external skimmers and cameras that copy a victim’s PIN. The apparent success of this attack may therefore encourage other criminals to move away from physical attacks to cyberattacks on ATMs.

Pager Vulnerabilities in ICS

Much has been written about the vulnerabilities in Industrial Control Systems (ICS), which operate many critical processes and services, such as electricity generation and water treatment. Many publications have focused on the dangers of exposing ICS to the internet, but Trend Micro has recently published a research paper about the widespread use of unsecured wireless pagers in ICS environments. Trend Micro's research involved collecting pager messages using software-defined radio (SDR) and a USB dongle. During a four-month period, Trend Micro claims to have observed messages containing information about malfunctioning critical systems, a large quantity of messages sent by a Supervisory Control and Data Acquisition (SCADA) system, and over a thousand email addresses from the email-to-pager gateway of a large defence contractor.

This information would be useful to hackers in three ways: it provides details about critical systems useful for attack planning; names, email addresses and other targeting information useful for spearphishing campaigns; and information which could be used to spoof pager messages. Trend Micro noted that it was "trivial to inject counterfeit messages into the paging systems" they had monitored.

The NCSC believes pagers are not in widespread use in UK ICS environments. However, there are still lessons to be learned for the UK sector: it is important that security leaders of industrial organisations think carefully about all methods of communication used in these settings, not just internet connections.

The main headline this week is the so-called 'Dirty COW' elevation of privilege vulnerability [CVE-2016-5195], affecting Linux distributions going back 10 years. NCSC recommend patching this as soon as possible. An NCSC advisory was issued on 25 October 2016.

The content management system Joomla! released a new version to address critical vulnerabilities.

A large number of updates were provided by Apple this week, fixing critical vulnerabilities across OS X, Safari and iOS. VMware released updates for VMware Tools and VMware Fusion running on OS X. Mozilla provided an update for their Firefox browser to fix remote code execution bugs, amongst others. There were also updates from Cisco, HPE, IBM and Palo Alto to fix a range of vulnerabilities, as well as updates to OpenSSL, OpenSSH and BIND.

Please log in to CiSP for more information on all of these issues. Register now at
