Hackers Plant 4G-Enabled Raspberry Pi to Breach Bank Network

Attackers gained a foothold inside a bank's internal network by physically planting a Raspberry Pi fitted with a 4G modem, security researchers report. The device gave them an out-of-band path into the network, and the end goal was to manipulate the bank's ATM infrastructure so that fraudulent cash withdrawals would be approved.

According to Group-IB, the planted Raspberry Pi let the attackers sidestep the perimeter entirely: with its own 4G uplink, command-and-control traffic never had to cross the bank's firewalls or proxies. On the compromised hosts the group ran custom malware that hid itself using a Linux bind mount. Bind mounts are an everyday feature of Linux administration, but Group-IB had not previously seen them used this way by a threat actor: by mounting another directory over the malware's own /proc/<pid> entry, the attackers hid the process's metadata from ps and from forensic tools that read /proc, achieving rootkit-like concealment without loading a kernel module.
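To make the hiding trick concrete, here is an added example (written for this article, not Group-IB's tooling or the attacker's code) that detects it from two angles. A bind mount such as `mount --bind /proc/1 /proc/4127` leaves a mount entry whose mount point is a numeric /proc/<pid> directory, something no normal system creates, and it makes /proc/4127/stat return pid 1's data, so the pid inside the file no longer matches the directory name. The mountinfo text and stat entries below are constructed for the demo; on a live host you would read /proc/self/mountinfo and each /proc/<pid>/stat instead.

```python
"""Spot processes hidden behind a bind mount over /proc/<pid>.

Added example (not Group-IB's or the attacker's code). Sample data is constructed.
"""
import re
from dataclasses import dataclass

# A mount whose mount point is a numeric /proc/<pid> directory is never created
# by a normal system; it is what `mount --bind /proc/1 /proc/4127` (or binding an
# empty tmpfs directory over /proc/4127) leaves behind.
PROC_PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass
class HiddenProcess:
    hidden_pid: int      # the /proc entry that was covered up
    mount_point: str
    fstype: str
    source_root: str     # mountinfo 'root' field: which part of the source fs shows through


def parse_mountinfo(text: str):
    """Yield one dict per line of /proc/self/mountinfo.

    Format: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields] - FSTYPE SOURCE SUPEROPTS
    """
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue
        pre_f, post_f = pre.split(), post.split()
        if len(pre_f) < 6 or len(post_f) < 2:
            continue
        yield {"root": pre_f[3], "mount_point": pre_f[4],
               "fstype": post_f[0], "source": post_f[1]}


def find_proc_bind_mounts(mountinfo_text: str):
    """Check 1: any mount sitting on top of a /proc/<pid> directory."""
    findings = []
    for m in parse_mountinfo(mountinfo_text):
        hit = PROC_PID_DIR.match(m["mount_point"])
        if hit:
            findings.append(HiddenProcess(int(hit.group(1)), m["mount_point"],
                                          m["fstype"], m["root"]))
    return findings


def find_stat_pid_mismatches(stat_by_dir: dict):
    """Check 2: the first field of /proc/<pid>/stat must equal <pid>.

    When /proc/1 is bind-mounted over /proc/4127, reading /proc/4127/stat
    returns init's line, whose first field is 1. `stat_by_dir` maps the
    directory name (the pid) to the text read from its stat file.
    """
    return sorted(pid for pid, stat in stat_by_dir.items()
                  if stat.split(" ", 1)[0] != str(pid))


# Constructed sample: the normal /proc mount, the usual binfmt_misc automount,
# and one bind mount hiding pid 4127 behind pid 1's directory.
SAMPLE_MOUNTINFO = """\
21 26 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
36 21 0:32 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs systemd-1 rw,fd=29
112 21 0:20 /1 /proc/4127 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""

# Constructed sample of what reading /proc/<pid>/stat returns for three pids.
SAMPLE_STAT = {
    1: "1 (systemd) S 0 1 1 0 -1 4194560",
    812: "812 (sshd) S 1 812 812 0 -1 4194624",
    4127: "1 (systemd) S 0 1 1 0 -1 4194560",   # pid 1's stat shows through the bind mount
}

if __name__ == "__main__":
    for f in find_proc_bind_mounts(SAMPLE_MOUNTINFO):
        print(f"{f.mount_point}: {f.fstype} mounted with root {f.source_root}; "
              f"pid {f.hidden_pid} is hidden")
    print("stat/dir pid mismatches:", find_stat_pid_mismatches(SAMPLE_STAT))
```

The second check matters because an attacker can bind an empty tmpfs directory instead of another pid's /proc entry; in that case the stat file is missing rather than mismatched, so a fleet-wide rule should also treat a pid that appears in a kernel-side enumeration but has no readable /proc/<pid>/stat as a finding.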

Targeting ATM Networks

The Raspberry Pi was plugged into the same network switch that served the bank's ATM infrastructure, which put it on the ATM network segment from the moment it was powered on. The objective was the ATM switching server and, through it, the bank's hardware security module (HSM), which holds the keys and performs the cryptographic operations (PIN verification among them) that authorize ATM transactions.

The operation is attributed to UNC2891, a financially motivated group that has been active since at least 2017 and specializes in custom malware for Linux, Unix and Oracle Solaris systems.

Google's Mandiant first documented UNC2891's tradecraft in 2022, noting that the group had maintained access inside victim networks for years without being detected. Mandiant described several custom tools, among them CakeTap, a kernel rootkit that tampers with ATM network traffic so that fraudulent cash withdrawals are approved.

Group-IB's new findings show that UNC2891 has since added physical intrusion to its playbook: planting Raspberry Pi devices, now fitted with 4G modems, so that the implant can be reached over the mobile network instead of through the bank's own internet links.

UNC2891 had also compromised one of the bank's mail servers, chosen because it had persistent internet connectivity, which gave the group a second route in. The Raspberry Pi and the mail server communicated through the bank's network monitoring server, picked because it had broad reach across the data center.

The investigation began with that monitoring server, which was sending an outbound beacon every ten minutes. Forensic analysis traced the beacons to both the Raspberry Pi and the compromised mail server, but the processes generating them could not be identified at first, because their /proc entries had been hidden.

Memory images captured while a beacon was being sent showed that the responsible process was named 'lightdm', after the legitimate LightDM display manager. Its location on disk, however, was not one where any display manager belongs, and that discrepancy is what exposed it.

Further analysis showed that the attackers had deliberately dressed their malware up as legitimate software: the binaries were named after real system processes and launched with command-line arguments that imitated the real programs' options, so a quick look at a process list showed nothing out of place.
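The two signals that broke the case, a fixed-interval beacon and a process whose name is right but whose binary is in the wrong place, are both cheap to check. The added example below (written for this article; not Group-IB's tooling) runs both checks over constructed data: the connection log lines, IP addresses and process records are invented for the demo and are not from the incident, and on a real host the process fields would come from /proc/<pid>/comm and a readlink of /proc/<pid>/exe.

```python
"""Fixed-interval beacon detection and process-name masquerade detection.

Added example, not Group-IB's tooling. Log lines, addresses and process
records are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log format: one outbound connection per line.
CONN_RE = re.compile(r"^(\S+Z) CONN src=(\S+) dst=(\S+) dport=(\d+)")


def parse_conn_log(text: str):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), int(m.group(4))


def find_periodic_beacons(text: str, min_events: int = 4, tolerance: float = 0.05):
    """Return {dst: period_seconds} for destinations contacted on a near-constant timer.

    A beacon fires from a timer, so the gaps between connections cluster tightly
    around one value; interactive traffic does not. `tolerance` is the largest
    deviation from the median gap still accepted (5% here); raise it for
    implants that add jitter.
    """
    by_dst = defaultdict(list)
    for ts, _src, dst, _dport in parse_conn_log(text):
        by_dst[dst].append(ts)
    periodic = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= tolerance * period for g in gaps):
            periodic[dst] = period
    return periodic


# Constructed allowlist of where each daemon's binary is expected to live;
# on a real fleet derive it from package manifests.
EXPECTED_EXE = {
    "lightdm": {"/usr/sbin/lightdm"},
    "sshd": {"/usr/sbin/sshd"},
}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def masquerade_findings(processes):
    """Flag processes whose name matches a known daemon but whose binary does not.

    Each record mirrors /proc/<pid>/comm and the readlink of /proc/<pid>/exe.
    Trusting the name is exactly what the attackers counted on; the resolved
    executable path is what gives them away.
    """
    findings = []
    for p in processes:
        reasons = []
        comm, exe = p["comm"], p["exe"]
        if comm in EXPECTED_EXE and exe not in EXPECTED_EXE[comm]:
            reasons.append(f"named like {comm} but runs from {exe}")
        if exe.startswith(WORLD_WRITABLE):
            reasons.append("executable lives in a world-writable directory")
        if exe.endswith(" (deleted)"):
            reasons.append("executable was unlinked after start")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


# Constructed sample: a 600-second beacon to 10.20.9.7 mixed with ordinary SSH traffic.
SAMPLE_CONN_LOG = """\
2025-06-03T10:00:02Z CONN src=10.20.1.15 dst=10.20.9.7 dport=443
2025-06-03T10:03:41Z CONN src=10.20.1.15 dst=10.20.1.80 dport=22
2025-06-03T10:10:02Z CONN src=10.20.1.15 dst=10.20.9.7 dport=443
2025-06-03T10:20:03Z CONN src=10.20.1.15 dst=10.20.9.7 dport=443
2025-06-03T10:30:02Z CONN src=10.20.1.15 dst=10.20.9.7 dport=443
2025-06-03T10:31:17Z CONN src=10.20.1.15 dst=10.20.1.80 dport=22
2025-06-03T10:40:02Z CONN src=10.20.1.15 dst=10.20.9.7 dport=443
2025-06-03T10:55:49Z CONN src=10.20.1.15 dst=10.20.1.80 dport=22
2025-06-03T11:20:08Z CONN src=10.20.1.15 dst=10.20.1.80 dport=22
"""

# Constructed sample process table: one real lightdm, one impostor.
SAMPLE_PROCESSES = [
    {"pid": 812, "comm": "lightdm", "exe": "/usr/sbin/lightdm"},
    {"pid": 2201, "comm": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 4127, "comm": "lightdm", "exe": "/tmp/lightdm"},   # right name, wrong place
]

if __name__ == "__main__":
    print("periodic destinations:", find_periodic_beacons(SAMPLE_CONN_LOG))
    for pid, reasons in masquerade_findings(SAMPLE_PROCESSES):
        print(f"pid {pid}: " + "; ".join(reasons))
```

The SSH destination in the sample is contacted four times too, but its gaps vary by minutes rather than seconds, so only the 443 traffic is reported, with a period of 600 seconds. Note that the masquerade check deliberately ignores the command line: the attackers copied plausible arguments precisely so that argv would look normal, and argv is attacker-controlled anyway, whereas the exe link is resolved by the kernel.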

The bind-mount hiding technique has since been added to the MITRE ATT&CK framework as a Hide Artifacts sub-technique, so that defenders can map detections and mitigations against it.

The intrusion was detected and contained before UNC2891 could deploy the CakeTap rootkit to the ATM switching server. Even so, the operation shows the group continuing to refine its tradecraft, now pairing physical implants and cellular command-and-control with its established Linux rootkit toolkit.