Executive Summary
In 2025, the FBI reported a significant surge in ATM 'jackpotting' attacks across the United States, with over 700 incidents leading to more than $20 million in losses. These attacks involve cybercriminals exploiting physical and software vulnerabilities in ATMs to deploy malware, such as Ploutus, which forces machines to dispense cash without legitimate transactions. Attackers often gain access using generic keys to open ATM panels, then install malware that manipulates the ATM's operating system to execute unauthorized cash withdrawals. (techcrunch.com)
This trend underscores the evolving tactics of cybercriminals who blend physical intrusion with sophisticated malware to exploit financial systems. The rise in such attacks highlights the urgent need for financial institutions to enhance ATM security measures, including updating software, implementing robust physical security protocols, and educating staff on emerging threats to prevent substantial financial losses and maintain customer trust.
Why This Matters Now
The escalation of ATM jackpotting attacks in 2025, resulting in over $20 million in losses, signals a critical vulnerability in financial infrastructure. Immediate action is required to fortify ATM security against these sophisticated cyber-physical threats to protect assets and maintain public confidence.
Attack Path Analysis
Attackers gained physical access to ATMs, installed malware to escalate privileges, moved laterally within the ATM's software, established command and control, exfiltrated cash, and caused financial impact.
Kill Chain Progression
Initial Compromise
Description
Attackers gained physical access to ATMs using generic keys and installed malware via USB ports.
Related CVEs
CVE-2020-10124
CVSS 7.1NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, allowing an attacker with physical access to execute arbitrary code.
Affected Products:
NCR APTRA XFS – 05.01.00
Exploit Status:
exploited in the wildCVE-2020-10126
CVSS 7.6NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate software updates for the BNA, enabling an attacker with physical access to execute arbitrary code with SYSTEM privileges.
Affected Products:
NCR APTRA XFS – 05.01.00
Exploit Status:
exploited in the wildCVE-2020-10125
CVSS 7.6NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 use 512-bit RSA certificates, allowing attackers with physical access to break the encryption and sign arbitrary files, bypassing application whitelisting.
Affected Products:
NCR APTRA XFS – 04.02.01, 05.01.00
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; full STIX/TAXII enrichment to follow.
Exploitation for Client Execution
Application Layer Protocol: Web Protocols
Command and Scripting Interpreter: PowerShell
Adversary-in-the-Middle
Multi-Factor Authentication Interception
Boot or Logon Autostart Execution
Indicator Removal on Host
Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication for All Access to the Cardholder Data Environment
Control ID: 8.4.2
PCI DSS 4.0 – Disk-Level Encryption Not Acceptable for PAN Protection
Control ID: 3.5.1.2
PCI DSS 4.0 – Wireless Access Restrictions
Control ID: 11.2
PCI DSS 4.0 – Access Control Policies and Procedures
Control ID: 7.2
PCI DSS 4.0 – Security Awareness and Training
Control ID: 12.6
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target for ATM malware attacks causing $20M losses; requires enhanced egress security, threat detection, and zero trust segmentation for financial infrastructure protection.
Financial Services
Critical exposure to jackpotting malware attacks on cash dispensing systems; needs comprehensive threat anomaly response and encrypted traffic controls for transaction security.
Retail Industry
Vulnerable through in-store ATM installations and payment systems; requires multicloud visibility, intrusion prevention, and policy enforcement to prevent cash machine compromises.
Computer/Network Security
Must develop advanced detection capabilities for ATM malware variants; stakeholders need cloud-native security fabric and threat intelligence solutions for financial sector clients.
Sources
- FBI: Over $20 million stolen in surge of ATM malware attacks in 2025https://www.bleepingcomputer.com/news/security/fbi-over-20-million-stolen-in-surge-of-atm-malware-attacks-in-2025/Verified
- NCR SelfServ ATM APTRA XFS Unencrypted BNA Communication Allows Physical Code Execution and Deposit Forgeryhttps://www.cvedetails.com/cve/CVE-2020-10124/Verified
- NCR SelfServ ATM APTRA XFS BNA Update Process Allows Arbitrary Code Execution via Unsigned CAB Files with Physical Accesshttps://www.cvedetails.com/cve/CVE-2020-10126/Verified
- NCR SelfServ ATM Encryption Vulnerabilityhttps://www.clouddefense.ai/cve/2020/CVE-2020-10125Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this ATM malware incident as it could have constrained the attacker's ability to escalate privileges, move laterally within the ATM's software, establish command and control, and exfiltrate cash, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While physical access was achieved, CNSF could have limited the malware's ability to communicate with external command and control servers, reducing the attack's effectiveness.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have constrained the malware's ability to escalate privileges by enforcing strict access controls, thereby limiting unauthorized access.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited the malware's ability to move laterally within the ATM's software, thereby reducing the attack's reach.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have constrained the establishment of remote command channels, thereby limiting the attacker's control over the ATMs.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have limited the malware's ability to transmit sensitive information externally, thereby reducing the attack's impact.
While physical cash exfiltration occurred, the implementation of CNSF controls could have reduced the overall impact by limiting the attacker's ability to escalate privileges, move laterally, and establish command channels.
Impact at a Glance
Affected Business Functions
- ATM Cash Dispensing
- Transaction Processing
- Customer Account Management
Estimated downtime: N/A
Estimated loss: $20,000,000
n/a
Recommended Actions
Key Takeaways & Next Steps
- • Implement physical security measures to prevent unauthorized access to ATMs.
- • Regularly audit ATM software for vulnerabilities and apply necessary patches.
- • Deploy intrusion detection systems to monitor for unauthorized commands.
- • Establish strict access controls and authentication mechanisms for ATM maintenance.
- • Conduct regular security training for personnel to recognize and respond to threats.
