When an attacker evaluates his next target, he will usually conduct a reconnaissance phase (assuming it is not just a high-volume attack campaign). Once that phase is complete, the attacker holds a full "inventory list" of the security measures in place (vendors, versions, etc.). He can then choose to go head-to-head with those security products, or follow Sun Tzu's advice, recognizing that cyber security products are getting better (and stronger) at the protection they offer.
Following Sun Tzu's guidelines pushes the attacker to look for alternative options, and hardware and firmware (HW/FW) vulnerabilities seem to be the weakest link. As shown in multiple cases, exploiting HID device vulnerabilities can bypass multiple security measures and impersonate a legitimate device, without having to confront any of those security measures directly. Having difficulty reaching the internals of an ATM? Why not go for the network interface, which is usually external and less protected. Another option is the supply chain: infecting equipment that is later introduced as spare parts and finds its way into your infrastructure. The fight is unfair, but there is still a lot that we can do.
Presenters: