In Search of Riches: Hackers Plant 4G-Enabled Raspberry Pi in Bank Network
In a daring attempt to siphon money from a financial institution, hackers implanted a Raspberry Pi with a 4G modem into the network of an unnamed bank. This incident, disclosed by security researchers at Group-IB, marks a significant breach of the bank’s defenses allowing attackers to bypass its perimeter security entirely.
The method involved a physical intrusion combined with remote access malware, utilizing a novel technique to conceal itself even from sophisticated forensic tools. Known as a Linux bind mount, this technology, typically used in IT administration, had its first known usage by hackers here, acting similar to a rootkit by hiding malware from the operating system.
End Goal: Backdooring the ATM Switching Network
The planted Raspberry Pi was connected to the same network switch used by the bank’s ATM system, effectively placing it within the bank's internal network. The hackers’ objective was to compromise the ATM switching server and manipulate the bank’s hardware security module, a device used to store sensitive information like credentials and digital signatures, and manage encryption functions.
The attack is attributed to a group labeled as UNC2891, a financially driven threat actor active since at least 2017, known for targeting banks using custom malware on Linux, Unix, and Oracle Solaris systems. Google’s Mandiant division had previously identified this group’s activities, noting their skill in remaining undetected for long periods, including the use of custom tools like "CakeTap" to manipulate ATM networks for unauthorized cash withdrawals.
Despite these efforts, Group-IB’s recent report highlights the group’s continued operations, showcasing new advancements in infiltrating banking networks undetected. Nam Le Phuong, a Senior Digital Forensics and Incident Response Specialist at Group-IB, noted the uniqueness of physically accessing the bank to install a Raspberry Pi. The device, with a 4G modem linked to mobile data, provided a remote access point to the bank's internal systems.
For persistence, UNC2891 compromised a mail server with constant internet connectivity. The Raspberry Pi and the backdoored mail server communicated through the bank’s monitoring server, which had extensive access within the data center. Initially, Group-IB detected unusual activity such as frequent outbound signals and diligent connection attempts during their investigation on the monitoring server.
These activities involved communication with a Raspberry Pi and the mail server, yet forensic tools struggled to identify the malicious processes due to their adept obfuscation by the hackers. The process, assumed to be legitimate LightDM activity, was later discovered to be a cleverly disguised backdoor aimed at avoiding detection.
“The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading,” explained Nam Le Phuong. “To enhance the deception, the process mimicked legitimate parameters.”
The Linux bind mount technique used was subsequently included in the MITRE ATT&CK framework as “T1564.013 – Hide Artifacts: Bind Mounts.” While the exact location of the compromised switching equipment and the method used to plant the Raspberry Pi remain unclear, the attack was halted before UNC2891 could fully execute their plan to infect the ATM network with their sophisticated "CakeTap" backdoor.
