Hackers Plant 4G-Enabled Raspberry Pi in Bank Network

A recent cybersecurity incident reveals how hackers used a Raspberry Pi fitted with a 4G modem to penetrate a bank's network. The attack was aimed at reaching the bank's ATM system in order to extract funds.

Security firm Group-IB detailed the tactics, describing them as "unprecedented" because of how they bypassed typical security measures. The attackers camouflaged their remote access malware using IT administration techniques not traditionally employed by hackers, allowing it to behave like an elusive rootkit.

The Raspberry Pi was connected to the network switch that handles ATM transactions, giving the hackers a foothold inside the bank's internal network. Their primary aim was to take over the ATM switching server and manipulate the bank's hardware security module, which handles credential storage and encryption functions.

The group carrying out this breach is tracked in the cybersecurity realm as UNC2891, a threat actor notorious for targeting financial entities since at least 2017 with a history of deploying custom malware on various operating systems.

In prior analyses by Google's Mandiant, UNC2891 maintained years-long unnoticed presence within networks and developed custom rootkits like CakeTap to interfere with ATM operations for unauthorized transactions.

The attackers also compromised the bank's mail server to bolster persistence, and used the bank's monitoring server to relay covert communications between the Raspberry Pi and their backdoored systems.

During the initial investigation, odd patterns in network behavior led Group-IB to outbound communications that had evaded the first round of forensic analysis. On deeper inspection, they identified a process masquerading under the name 'lightdm', exposing the disguise the malware used to sidestep detection.

Group-IB's findings have led to updates in the MITRE ATT&CK framework, acknowledging tactics such as the Linux bind mount technique for hiding malicious processes: mounting another directory over a process's /proc/<pid> entry so that tools reading /proc no longer see the real process.
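A detection check for the bind mount technique described above, written here as an added example rather than code from Group-IB or the article: it parses /proc/self/mountinfo and flags any mount point that sits on top of a /proc/<pid> directory, which a legitimate system essentially never has. The sample mountinfo text and the PID 4242 are constructed for the demonstration.

```python
import re
import os
from typing import Dict, List

# One /proc/self/mountinfo line (see proc(5)):
# id parent major:minor root mount_point mount_opts [optional...] - fstype source super_opts
MOUNTINFO_RE = re.compile(
    r"^(?P<id>\d+) (?P<parent>\d+) (?P<dev>\S+) (?P<root>\S+) (?P<mnt>\S+) "
    r"(?P<opts>\S+)(?P<optional>(?: \S+)*) - (?P<fstype>\S+) (?P<src>\S+) (?P<superopts>\S+)$"
)
# A mount point of /proc/<pid> or anything beneath it is the indicator we care about.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")

# Constructed sample: a normal /proc mount, a benign autofs mount under /proc/sys,
# and a bind mount of an empty ext4 directory over /proc/4242 hiding that process.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
30 22 0:21 /sys/fs/binfmt_misc /proc/sys/fs/binfmt_misc rw,relatime shared:17 - autofs systemd-1 rw,fd=30
93 22 8:1 /tmp/.empty /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""


def find_proc_pid_overmounts(mountinfo_text: str) -> List[Dict[str, str]]:
    """Return one record per mount whose mount point covers a /proc/<pid> directory."""
    hits = []
    for line in mountinfo_text.splitlines():
        m = MOUNTINFO_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        pid_match = PROC_PID_RE.match(m.group("mnt"))
        if not pid_match:
            continue
        hits.append({
            "pid": pid_match.group(1),
            "mount_point": m.group("mnt"),
            "fstype": m.group("fstype"),   # a non-proc fstype here is a strong signal
            "source": m.group("src"),
            "root": m.group("root"),       # the directory that was bound over the PID entry
        })
    return hits


def scan_live_system() -> List[Dict[str, str]]:
    """Run the check against the current host (Linux only); empty list elsewhere."""
    if not os.path.exists("/proc/self/mountinfo"):
        return []
    with open("/proc/self/mountinfo", encoding="utf-8", errors="replace") as fh:
        return find_proc_pid_overmounts(fh.read())


if __name__ == "__main__":
    for hit in find_proc_pid_overmounts(SAMPLE_MOUNTINFO) + scan_live_system():
        print(f"ALERT: /proc/{hit['pid']} is covered by {hit['fstype']} mount from {hit['root']}")
```

Because the hidden process still has an entry in /proc, a second corroborating check is to compare the PID list from `ls /proc` against what `ps` reports; a PID present in the directory listing but absent from `ps` output points at the same technique.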

The intrusion was detected before the planned theft could be completed, stopping UNC2891 before they could deploy their CakeTap backdoor on the ATM system.