Researchers Detect Vulnerabilities On Iagona’s Fleet Monitoring Software

Posted on August 15, 2023 at 3:03 AM


Researchers have detected multiple flaws in ScrutisWeb, an ATM fleet monitoring product made by the fintech company Iagona. The researchers said the flaws could have been exploited to launch a remote hacking campaign against ATMs.

Iagona security flaws expose ATMs

The vulnerabilities were found by security researchers with the Synack Red Team, who also noted that the vendor patched them in July 2023 with the release of ScrutisWeb version 2.1.38.

ScrutisWeb is a platform that lets organizations monitor their banking and retail ATM fleets from a web browser. It also lets them address issues in those fleets quickly, which helps resolve most complaints while improving efficiency.

The solution can be used to monitor hardware, reboot and shut down terminals, send and receive files, and modify data remotely. Notably, an ATM fleet can also include check deposit machines and payment terminals, such as those within a restaurant chain.

The researchers said four flaws were detected, tracked as CVE-2023-3387, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189. Each of them gives attackers a capability that can be exploited in a campaign.

Security flaws can cause significant damage

The vulnerabilities are a path traversal, a hardcoded cryptographic key, an authorization bypass, and an arbitrary file upload, all of which can be exploited remotely. Attackers can use them to infiltrate systems without authenticating and cause significant damage.

Attackers could also exploit these vulnerabilities to retrieve data from the server, including configurations, databases, and logs. The flaws further allow them to run arbitrary commands and to obtain encrypted administrator passwords, which can then be decrypted with the hardcoded key.
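Two of the vulnerability classes described above, path traversal and arbitrary file upload, are worth seeing from the defender's side. The following is an added example, not code from Iagona or ScrutisWeb: a safe file-path resolver that refuses client-supplied names escaping a fixed base directory, and a small scanner that flags traversal sequences and uploads of executable file types in web-server access logs. The base directory, endpoint names and log lines are all constructed for the example and are not from the advisory.

```python
"""Added defensive example (not Iagona/ScrutisWeb code).

1. safe_resolve(): resolves a client-supplied file name against a fixed base
   directory and returns None if the result escapes it (path-traversal guard).
2. flag_suspicious_requests(): scans access-log lines for traversal sequences
   and for PUT/POST requests naming executable file types.

All paths, endpoints and log lines below are constructed for illustration.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def safe_resolve(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the real path of user_path inside base_dir, or None if it escapes.

    The name is URL-decoded twice so that encoded ("%2e%2e%2f") and
    double-encoded ("%252e") traversal sequences are normalised before the
    containment check rather than slipping past it.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(unquote(user_path)).replace("\\", "/").lstrip("/")
    candidate = (base / decoded).resolve()  # collapses any remaining ".."
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    return candidate


# Raw and URL-encoded forms of "../" (case-insensitive).
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e)", re.IGNORECASE)
# File types that a web server would execute if written into a served directory.
EXEC_UPLOAD = re.compile(r"\.(aspx?|ashx|asmx|exe|dll|php|jsp|ps1)(\?|$)", re.IGNORECASE)
# Common Log Format, assumed for the constructed sample below.
LOG_FORMAT = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one benign download, one traversal attempt that the
# server answered with 200, one upload of an executable file type, one benign page.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Aug/2023:03:03:01 +0000] "GET /app/download?file=report.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Aug/2023:03:03:02 +0000] "GET /app/download?file=..%2F..%2Fweb.config HTTP/1.1" 200 2048',
    '198.51.100.9 - - [15/Aug/2023:03:03:05 +0000] "PUT /app/upload/page.aspx HTTP/1.1" 201 0',
    '198.51.100.9 - - [15/Aug/2023:03:03:09 +0000] "GET /app/index.html HTTP/1.1" 200 1024',
]


def flag_suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (ip, method, raw_path, reasons) for every line that looks like
    a traversal attempt or an upload of an executable file type."""
    findings = []
    for line in lines:
        m = LOG_FORMAT.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        raw_path = m["path"]
        decoded = unquote(unquote(raw_path))
        reasons = []
        if TRAVERSAL.search(raw_path) or TRAVERSAL.search(decoded):
            reasons.append("path-traversal")
        if m["method"] in ("PUT", "POST") and EXEC_UPLOAD.search(decoded):
            reasons.append("executable-upload")
        if reasons:
            findings.append((m["ip"], m["method"], raw_path, reasons))
    return findings


if __name__ == "__main__":
    print(safe_resolve("/srv/files", "reports/2023.pdf"))
    print(safe_resolve("/srv/files", "..%2F..%2Fetc%2Fpasswd"))
    for ip, method, path, reasons in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {', '.join(reasons)}")
```

The resolver decides containment only after normalising the name, which is the property a path-traversal fix needs; the log scanner is deliberately simple and will produce false positives on legitimate encoded names, so in practice it is a triage filter, with the response status (a 200 on a traversal request is far more serious than a 404) used to prioritise what an analyst reviews.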

According to the researchers, an attacker can also use the vulnerabilities to access the ScrutisWeb management console as an administrator and monitor the activity of the ATMs connected to the network.

Other actions attackers could take by exploiting the flaws include enabling management mode on user devices, uploading files, and rebooting or powering off the consoles. Such campaigns can significantly disrupt ATMs and an organization's normal operations.

Attackers might also use the remote command execution flaw to hide traces of their activity by deleting the files they used during the campaign, which makes it harder for the security systems put in place by the targeted organization to detect the exploitation.

One of the researchers involved, Graves, said that further exploitation from the foothold within the client's infrastructure was likely, since it gives the threat actor an internet-facing pivot point. Attackers who breach a system through these flaws might therefore remain embedded within it.

Graves also noted that further investigation would be needed to determine whether attackers could conduct other malicious activities, such as exfiltrating bank card data or redirecting transactions such as Swift transfers.

Graves states, “Further examination would be required to determine if custom software could be uploaded to individual ATMs to perform bank card exfiltration, Swift transfer redirection, or other malicious activities. However, such additional testing was out of scope of the assessment.”

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on the flaws, saying organizations need to be aware of them and take measures to avoid falling victim. CISA also noted that the affected product is deployed worldwide, so a hacking campaign could cause significant damage.

CISA also recommends minimizing network exposure for all control system devices and systems, and placing control system networks and remote devices behind firewalls, isolated from business networks.

Where remote access is needed, CISA urges organizations to use secure methods such as Virtual Private Networks (VPNs), while noting that such tools can themselves have security flaws and must be kept updated to the latest version. CISA also urges organizations to perform an impact analysis and risk assessment before deploying defensive measures.

Publisher: Koddos (KoDDoS Blog)
