Hackers Exploit Bank Network with Raspberry Pi

In a bold move that caught cybersecurity experts' attention, hackers planted a Raspberry Pi equipped with a 4G modem inside a bank's network. The goal was to illegally extract funds from the bank's ATM system, according to a report by security researchers at Group-IB.

The Group-IB researchers termed this approach 'unprecedented' because it completely bypassed the bank's perimeter defenses. The hackers combined the physical intrusion with remote-access malware that concealed itself using a technique not previously observed in cyberattacks. This technique, a Linux bind mount, hid the running malware from view in a way that mimicked the elusiveness of a rootkit.

The ultimate aim was to backdoor the ATM switching network. By connecting the Raspberry Pi to the network switch used by the ATM system, the attackers gained a strategic position within the bank's internal infrastructure. Their objective was to compromise the ATM switching server and subsequently manipulate the bank's hardware security module, which safeguards sensitive credentials and handles encryption processes.

The attack is attributed to the group known within cybersecurity circles as UNC2891. This financially motivated group has been active since 2017 and often targets banking systems with custom-built malware, particularly for Linux, Unix, and Oracle Solaris platforms. Notably, Google's Mandiant division reported observing UNC2891 dwelling within a targeted network for years, mostly undetected, and identified malware such as CakeTap, which tampers with ATM network messages to enable fraudulent activity.

Group-IB's findings highlight that UNC2891 continues to find new ways to infiltrate banks discreetly. According to Group-IB's Senior Digital Forensics Specialist Nam Le Phuong, the standout tactic in this incident was the physical installation of a Raspberry Pi with a 4G modem, which gave the hackers remote access over mobile data.

To ensure sustained access, the hackers also compromised a mail server that had continuous Internet connectivity. The Raspberry Pi and this mail server communicated through the bank's network monitoring server, chosen because it had extensive connectivity to other servers in the data center.

Group-IB's investigators noticed unusual patterns on the monitoring server, including periodic beaconing and connection attempts to unknown devices. Forensic tools identified the Raspberry Pi and the mail server, but initially struggled to pinpoint the processes responsible; further scrutiny traced the activity to a malicious process disguised as 'lightdm'.

This obfuscation technique, detailed by Phuong, involved masquerading the malicious processes as legitimate ones, further circumventing detection. Following the disclosure, the use of Linux bind mounts for this purpose was added to the MITRE ATT&CK framework under the category "Hide Artifacts: Bind Mounts."
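As an added detection example (not from the Group-IB report or this article), the script below parses /proc/self/mountinfo, where a bind mount placed over a /proc/<pid> directory remains visible even though ps and top are fooled, and flags every mount point of that shape. The mountinfo lines it runs on are constructed for illustration.

```python
import re

# Mount points of the form /proc/<pid> or anything beneath one.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed /proc/self/mountinfo excerpt (not from the incident): the normal
# proc mount, the root filesystem, and a bind mount of /proc/1337 (root field
# "/1337") placed over /proc/4242, so tools reading /proc/4242 see pid 1337.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
91 22 0:21 /1337 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

def _unescape(field):
    """mountinfo encodes spaces, tabs, newlines and backslashes as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield (mount_id, root, mount_point, fstype) for each mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:            # malformed or blank line
            continue
        sep = fields.index("-")          # optional tags end at the "-" separator
        yield fields[0], _unescape(fields[3]), _unescape(fields[4]), fields[sep + 1]

def find_proc_pid_overlays(text):
    """Return findings for every mount whose mount point lies under /proc/<pid>.

    A hit means /proc/<hidden_pid> is overlaid; when the source is itself a proc
    subtree, shown_pid is the process whose metadata is displayed in its place.
    """
    findings = []
    for mount_id, root, mount_point, fstype in parse_mountinfo(text):
        hit = PROC_PID_MOUNT.match(mount_point)
        if not hit:
            continue
        src = re.match(r"^/(\d+)", root) if fstype == "proc" else None
        findings.append({"mount_id": mount_id, "hidden_pid": int(hit.group(1)),
                         "shown_pid": int(src.group(1)) if src else None,
                         "fstype": fstype})
    return findings

if __name__ == "__main__":
    # On a live host, pass open("/proc/self/mountinfo").read() instead of the sample.
    for f in find_proc_pid_overlays(SAMPLE_MOUNTINFO):
        print(f"/proc/{f['hidden_pid']} is covered by a {f['fstype']} mount "
              f"(id {f['mount_id']}); tools reading it see pid {f['shown_pid']}")
```

Run it from the initial mount namespace, since a mount made in another namespace is only listed in that namespace's mountinfo.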

Thankfully, the attack was detected in time, averting UNC2891's aim of infecting the ATM network with the CakeTap malware. Nevertheless, the incident underlines the growing sophistication in cyberattack methods targeting financial institutions.