
ATM Jackpotting Attacks Surge: Protecting Banks Against $20M in Losses

Security Arsenal Team
March 8, 2026
5 min read

As cybercriminals continue to innovate, the physical and digital worlds collide with devastating effect. A recent FBI Flash alert has put the financial sector on high notice: ATM jackpotting attacks have resulted in over $20 million in losses in 2025 alone. This is not merely a statistic; it represents a sophisticated evolution of crime where attackers force ATMs to dispense cash on command, turning automated tellers into involuntary slot machines.

For Managed Security Service Providers (MSSPs) and financial institutions, this surge is a stark reminder that perimeter security is no longer enough. The threat is now hybrid—requiring a defense strategy that blends physical access controls with advanced digital threat hunting.

The Mechanics of a Modern Heist

Jackpotting is not a new concept, but the execution has matured significantly. Earlier campaigns relied largely on malware such as the Ploutus family, which infected the ATM's Windows operating system via USB or the network. Once installed, the malware issued dispense commands through the ATM's XFS middleware, the same interface the bank's own ATM application uses to drive the cash dispenser, so cash left the machine without any transaction ever reaching the bank's host and without the application's validation logic being consulted.

However, the 2025 trend highlighted by the FBI indicates a shift toward "Black Box" attacks. This method often requires less technical sophistication regarding software exploitation and more regarding physical access.

Attack Vectors and TTPs:

  1. Physical Endoscope Access: Attackers use an endoscope (an instrument designed for looking inside the body) to locate the dispenser cable or an internal USB port behind the fascia, so that only a small, inconspicuous opening in the enclosure is needed to reach it.
  2. Black Box Interface: Once the cable is reached, attackers disconnect the dispenser from the ATM's PC core and attach a rogue device (the "black box", typically a laptop) directly to the dispenser. The device issues the command sequence the dispenser expects from the PC core, so the dispenser pays out with no transaction and no malware ever touching the ATM's operating system.
  3. Service Personnel Impersonation: Social engineering plays a critical role. Criminals often pose as HVAC technicians or third-party service providers to gain access to the ATM lobby without raising suspicion.

Detection and Threat Hunting

Defending against jackpotting requires monitoring for anomalies at the endpoint layer. Because these attacks involve physical interaction and unauthorized device connections, Security Operations Centers (SOCs) must hunt for specific indicators of compromise (IOCs) on ATM endpoints. One caveat first: a pure black box attack talks to the dispenser directly and may never execute code on the ATM PC, so host telemetry will show at most the dispenser dropping offline or an unexpected device enumerating. The hunts below therefore need to be paired with top-box tamper sensors and with the dispenser command authentication the ATM vendor provides; on their own they are not sufficient.

Below are detection strategies using KQL for Microsoft Sentinel/Defender and PowerShell for local auditing.

KQL Queries for Sentinel/Defender

Hunt 1: Detecting USB Device Creation on ATM Endpoints This query identifies when a USB storage device or a new Plug and Play device is enumerated on an ATM running Windows Embedded/10, which should not happen during normal operation. Two details matter. In the Defender advanced hunting schema, DeviceName is the hostname, not the peripheral, so the device details have to be pulled out of the AdditionalFields JSON. And ATM peripherals (dispenser, card reader, EPP, receipt printer) are themselves USB devices that re-enumerate on every reboot, so a per-model allowlist of expected vendor/product IDs is needed before this hunt can be turned into an alert.

Script / Code
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("UsbDriveMounted", "PnpDeviceConnected")
// device details live in AdditionalFields; DeviceName is the ATM hostname
| extend Fields = parse_json(AdditionalFields)
| extend ClassName = tostring(Fields.ClassName), DeviceDescription = tostring(Fields.DeviceDescription), VendorIds = tostring(Fields.VendorIds)
// a storage mount is always interesting; for PnP limit to the classes an attacker's device would present as
| where ActionType == "UsbDriveMounted" or ClassName in~ ("USB", "DiskDrive", "HIDClass", "WPD")
| project Timestamp, DeviceName, ActionType, ClassName, DeviceDescription, VendorIds, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc


Hunt 2: Anomalous Process Execution

Malware such as Ploutus reaches the dispenser through the XFS (eXtensions for Financial Services) middleware, so any process that loads msxfs.dll and is not the vendor's own ATM application is suspect. The command line will not mention the DLL; the load is recorded in DeviceImageLoadEvents. Signing status is not a column of that table, so it is joined in from DeviceFileCertificateInfo, which Defender only populates for files it has already inspected (hence the left outer join and the isnull check). Baseline the vendor's legitimate XFS clients and exclude them once known.

Script / Code
DeviceImageLoadEvents
| where Timestamp > ago(30d)
| where FileName =~ "msxfs.dll"
// latest certificate verdict per loader hash (DeviceFileCertificateInfo holds one row per inspection)
| join kind=leftouter (DeviceFileCertificateInfo | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1 | project SHA1, IsSigned, IsTrusted, Signer) on $left.InitiatingProcessSHA1 == $right.SHA1
// flag loaders that are unsigned, untrusted or never inspected, or that were spawned from an interactive shell
| where isnull(IsSigned) or IsSigned == false or IsTrusted == false or InitiatingProcessParentFileName in~ ("cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessAccountName, IsSigned, IsTrusted, Signer
| order by Timestamp desc

PowerShell Script for Local Auditing

This script can be deployed via configuration management tools to ATM machines to scan for recent USB activity. Note that the Microsoft-Windows-DriverFrameworks-UserMode/Operational log it reads is disabled by default on Windows and must be enabled (for example with wevtutil) before any of these events exist. The Microsoft-Windows-Kernel-PnP/Configuration log (event IDs 400 and 410) is enabled by default and records every device that is configured or started, so it is the more reliable source on an unmodified image.

Script / Code
<#
.SYNOPSIS
    Audit script to detect recent USB device connections on ATMs.
.DESCRIPTION
    Checks the DriverFrameworks-UserMode operational log for IDs 2003/2004/2006, which are written
    when a user-mode (UMDF) driver, typically USB storage, is loaded for a device.
    The log is disabled by default; enable it once with:
        wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true
    Exit code 1 signals findings so the configuration management tool can raise an alert.
#>

$LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# Warn loudly if the log is off: "no events" would otherwise be mistaken for "no activity".
$Log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $Log -or -not $Log.IsEnabled) {
    Write-Host "[WARN] $LogName is not enabled; results below are meaningless until it is." -ForegroundColor Yellow
}

$Date = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    ID        = 2003, 2004, 2006
    StartTime = $Date
} -ErrorAction SilentlyContinue

if ($Events) {
    Write-Host "[ALERT] USB activity detected in the last 24 hours:" -ForegroundColor Red
    foreach ($Event in $Events) {
        # The message carries the device instance path (VID/PID/serial); keep it so the SOC
        # can match it against the ATM's known peripherals.
        Write-Host ("Time: {0} | ID: {1} | Message: {2}" -f $Event.TimeCreated, $Event.Id, ($Event.Message -replace '\s+', ' '))
    }
    exit 1
} else {
    Write-Host "[OK] No USB activity detected in the last 24 hours." -ForegroundColor Green
    exit 0
}
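The false-positive problem noted under Hunt 1 (the ATM's own card reader, dispenser, EPP and printer are USB devices that re-enumerate on every reboot) can be handled locally. The script below is an added example written for this article, not part of the original page or any ATM vendor's tooling. It reads Kernel-PnP/Configuration events 400 and 410 (enabled by default on Windows), extracts the USB vendor/product IDs from the device instance path, and reports only devices outside a per-model baseline. The baseline VID/PID values and the sample events are constructed placeholders, not real hardware identifiers; build the real baseline from a known-good unit of the same model.

```powershell
<#
.SYNOPSIS
    Flag USB devices that are not in the ATM's per-model peripheral baseline.
.NOTES
    Added example for this article; not vendor code. Baseline values and sample
    events are constructed placeholders, not real ATM identifiers.
#>

# Baseline: VID/PID pairs the ATM is expected to enumerate (card reader, dispenser, EPP, printer).
# Placeholder values; capture the real ones from a known-good unit of the same model.
$Baseline = @('VID_1111&PID_0001', 'VID_1111&PID_0002', 'VID_2222&PID_0010')

function Get-UsbIdsFromPnpEvent {
    param([Parameter(Mandatory)][string]$Message)
    # Kernel-PnP 400/410 messages begin "Device <instance path> was configured." / "... was started."
    if ($Message -match 'Device\s+(?<Path>\S+)\s+was\s+(configured|started)') {
        $path = $Matches.Path
        # Only the USB\VID_xxxx&PID_xxxx node carries the IDs; child nodes such as USBSTOR\... do not.
        if ($path -match 'VID_(?<Vid>[0-9A-Fa-f]{4})&PID_(?<Pid>[0-9A-Fa-f]{4})') {
            return [pscustomobject]@{
                InstancePath = $path
                VidPid       = ('VID_{0}&PID_{1}' -f $Matches.Vid.ToUpper(), $Matches.Pid.ToUpper())
            }
        }
    }
    return $null
}

function Find-UnexpectedUsbDevice {
    param(
        [object[]]$Events = @(),                        # objects with TimeCreated, Id, Message
        [Parameter(Mandatory)][string[]]$Baseline
    )
    $seen = @{}
    foreach ($e in $Events) {
        $ids = Get-UsbIdsFromPnpEvent -Message $e.Message
        if (-not $ids) { continue }                        # not a USB VID/PID node (PCI, ACPI, USBSTOR child ...)
        if ($Baseline -contains $ids.VidPid) { continue }  # known peripheral re-enumerating after a reboot
        if ($seen.ContainsKey($ids.InstancePath)) { continue }
        $seen[$ids.InstancePath] = $true
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            EventId      = $e.Id
            VidPid       = $ids.VidPid
            InstancePath = $ids.InstancePath
        }
    }
}

# Live collection from the default-enabled Kernel-PnP log (last 24 hours).
function Get-RecentPnpEvents {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        ID        = 400, 410
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
}

# Constructed sample events: a reboot enumerating two baseline peripherals, then an unknown
# mass-storage device twenty minutes ago. Instance paths are placeholders, not real hardware.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = (Get-Date).AddHours(-3);    Id = 400; Message = 'Device USB\VID_1111&PID_0001\5&1a2b3c4d&0&1 was configured.' }
    [pscustomobject]@{ TimeCreated = (Get-Date).AddHours(-3);    Id = 410; Message = 'Device USB\VID_2222&PID_0010\6&2b3c4d5e&0&2 was started.' }
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-20); Id = 400; Message = 'Device USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_1.00\0123456789&0 was configured.' }
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-20); Id = 410; Message = 'Device USB\VID_ABCD&PID_1234\0123456789 was started.' }
)

$Findings = Find-UnexpectedUsbDevice -Events $SampleEvents -Baseline $Baseline
# Against the live log instead:
# $Findings = Find-UnexpectedUsbDevice -Events (Get-RecentPnpEvents) -Baseline $Baseline

if ($Findings) {
    Write-Host "[ALERT] USB device(s) outside the baseline:" -ForegroundColor Red
    $Findings | Format-Table -AutoSize | Out-Host
    exit 1
}
Write-Host "[OK] Only baseline peripherals enumerated." -ForegroundColor Green
```

With the sample input only the VID_ABCD&PID_1234 device is reported; the two baseline peripherals are silently dropped and the USBSTOR child node is skipped because its parent USB node already identifies the device. Run it after every reboot window as well as on a schedule, since a black box or USB drive connected while the ATM is powered produces exactly one such event pair.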

Mitigation Strategies

Stopping jackpotting requires a layered defense-in-depth approach. Patching alone is insufficient if the attacker can simply plug in a device.

  1. Secure Physical Access: Reinforce the ATM fascia and top-box locks, fit physical USB port locks or disable unused ports in firmware, and add tamper sensors on the top box that alert the SOC when the enclosure is opened. Against black box attacks specifically, enable the dispenser command authentication or encryption your ATM vendor provides, so the dispenser refuses commands that do not come from the authenticated PC core.
  2. BIOS/UEFI Passwords: Set a BIOS/UEFI password, disable booting from USB and any other external media, enable Secure Boot, and encrypt the system disk (BitLocker backed by the TPM) so the OS image cannot be altered offline.
  3. Application Whitelisting (AppLocker/WDAC): Implement strict allow-only application control policies via Group Policy or MDM. The ATM should only run the signed binaries required for operation; any unsigned script or executable attempting to load msxfs.dll should be blocked, and interpreters such as cmd.exe, PowerShell and cscript/wscript should be denied unless the vendor application depends on them. Roll the policy out in audit mode first and review what it would have blocked before enforcing.
  4. Network Segmentation: Ensure ATMs operate on an isolated VLAN with no direct internet access and firewall rules that permit only the ATM host and management traffic the application needs. Monitor strictly for traffic anomalies, such as outbound C2 beaconing or unexpected lateral movement into the ATM network.
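As a worked example of the application control item, the PowerShell below builds, tests and (after an audit period) applies an allow-only AppLocker policy for an ATM image. It is added for this article and is not code from the original page or from any ATM vendor; the application directory in $AtmAppDir, the policy file path and the rule names are placeholders. The policy allows the vendor's files by publisher (hash rules for anything unsigned), keeps %WINDIR% and %PROGRAMFILES% runnable, explicitly denies the shell interpreters and removable media, and starts every rule collection in AuditOnly so nothing is blocked until the 8003 audit events have been reviewed.

```powershell
<#
.SYNOPSIS
    Build, test and (after an audit period) apply an allow-only AppLocker policy for an ATM image.
.NOTES
    Added example for this article, not vendor code. $AtmAppDir, $PolicyPath and the rule
    names are placeholders; the ATM application directory differs per vendor and model.
#>

$AtmAppDir  = 'C:\ATM\App'               # placeholder: the vendor's ATM application directory
$PolicyPath = 'C:\ATM\applocker-atm.xml' # placeholder: where the generated policy is written

# Append a path rule for Everyone (SID S-1-1-0) to a rule collection, creating the collection if needed.
function Add-PathRule {
    param([xml]$Policy, [string]$Collection, [string]$Path, [ValidateSet('Allow','Deny')][string]$Action, [string]$Name)
    $coll = @($Policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq $Collection }
    if (-not $coll) {
        $coll = $Policy.CreateElement('RuleCollection')
        $coll.SetAttribute('Type', $Collection)
        $coll.SetAttribute('EnforcementMode', 'AuditOnly')
        [void]$Policy.AppLockerPolicy.AppendChild($coll)
    }
    $rule = $Policy.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')
    $rule.SetAttribute('Action', $Action)
    $cond = $Policy.CreateElement('FilePathCondition'); $cond.SetAttribute('Path', $Path)
    $conds = $Policy.CreateElement('Conditions'); [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds); [void]$coll.AppendChild($rule)
}

# 1. Publisher rules for every signed file the ATM application ships, hash rules for unsigned ones.
$fileInfo = Get-AppLockerFileInformation -Directory $AtmAppDir -Recurse -FileType Exe, Script, WindowsInstaller
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -RuleNamePrefix 'ATM-App' -User Everyone -Optimize -Xml

# 2. Keep the OS runnable: allow %WINDIR% and %PROGRAMFILES% (writable only by administrators).
#    No rule covers %OSDRIVE%, user profiles or %REMOVABLE%, so anything dropped there is denied by default.
foreach ($c in 'Exe', 'Script', 'Msi') {
    Add-PathRule -Policy $policy -Collection $c -Path '%WINDIR%\*'       -Action Allow -Name "Allow Windows ($c)"
    Add-PathRule -Policy $policy -Collection $c -Path '%PROGRAMFILES%\*' -Action Allow -Name "Allow Program Files ($c)"
}

# 3. Explicit denies for the interpreters a jackpotting operator would use from a shell, and for
#    removable media. Deny wins over allow. Drop an entry only if the vendor application depends on it.
$deny = @('%SYSTEM32%\cmd.exe', '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
          '%SYSTEM32%\cscript.exe', '%SYSTEM32%\wscript.exe', '%WINDIR%\SysWOW64\cmd.exe', '%REMOVABLE%\*')
foreach ($p in $deny) { Add-PathRule -Policy $policy -Collection 'Exe' -Path $p -Action Deny -Name "Deny $p" }

# 4. Start every collection in AuditOnly; AppLocker then logs event 8003 for each file it would have blocked.
foreach ($rc in @($policy.AppLockerPolicy.RuleCollection)) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($PolicyPath)

# 5. Dry run against real files: cmd.exe should come back Denied, notepad.exe Allowed via the %WINDIR% rule.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
    -Path "$env:WINDIR\System32\cmd.exe", "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. After reviewing the audit events, change 'AuditOnly' to 'Enabled' in step 4 and apply.
#    AppLocker only enforces while the Application Identity service is running.
# sc.exe config appidsvc start= auto; sc.exe start appidsvc
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Two design points: publisher rules survive vendor patches as long as the signing certificate is unchanged, whereas hash rules have to be regenerated with every update, so keep the unsigned set as small as the vendor allows; and the DLL collection is deliberately left out here because it requires allowlisting every library the platform loads and is usually rolled out as a second phase once the Exe and Script collections are stable.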
