Hacker Exploits: 4G-enabled Raspberry Pi in Bank Networks

Hackers have taken an audacious step forward in bank infiltration, deploying a Raspberry Pi equipped with a 4G modem into the network of an undisclosed financial institution. This strategic move was part of an elaborate plan to extract funds directly from the bank's ATM system, as detailed in a report by cybersecurity experts at Group-IB.
The Group-IB report highlights, "This unprecedented tactic enabled attackers to completely bypass conventional security protocols." With physical access in hand, the hackers planted malware capable of remote operation that stayed hidden even from advanced forensic tools. The Linux bind mount, a routine IT-administration feature rather than a novel technique in itself, was ingeniously repurposed to behave like a rootkit, concealing the attackers' presence from the system's own tooling.
Once inside the bank’s internal network, the Raspberry Pi was linked to the same server that controlled the ATM switches. The main objective was to gain control of the ATM switching network and exploit the bank’s hardware security module, which safeguards sensitive material such as digital signatures and encryption keys.
Involved in this hack is the notorious group UNC2891, identified for creating chaos in the banking sector since 2017. Known for utilizing custom-made malware, UNC2891 targets Linux, Unix, and Oracle Solaris systems, showing advanced adaptability and technical skills.
Google’s Mandiant division previously noted UNC2891’s stealthy infiltration techniques, especially in networks where they operated undetected for years. The group's arsenal includes CakeTap, a rootkit specifically designed for Solaris systems to manipulate ATM networks and aid in unauthorized withdrawals through fake bank cards.
Group-IB also points out that UNC2891 continues to evolve in complexity. They employed a unique method of direct physical infiltration by installing a Raspberry Pi, which used a 4G modem for remote access, directly interfacing with the ATM-connected network.
To maintain ongoing access, the hackers further compromised a mail server, ensuring constant Internet connectivity, and facilitated communication using the bank's network monitoring server. This server was chosen strategically because it could access every server in the data center.
During the investigation, Group-IB discovered unusual activity originating from the network monitoring server, identified through consistent outbound beacons and attempts to connect to unknown devices. Using forensic tools, the researchers traced the source to a Raspberry Pi linked with the mail server, though the exact processes involved went unidentified.
The researchers' vigilance led them to a process named 'lightdm', a name normally associated with the legitimate LightDM display manager. Its atypical installation location raised suspicion and unmasked it as an altered component of the custom backdoor.
Phuong, a senior digital forensics specialist at Group-IB, explained that these backdoors actively established links between the Raspberry Pi and the mail server. 'Lightdm' and similar methods were unauthorized modifications intended to mislead standard post-breach investigations.
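The two detection angles this article describes, a bind mount used to hide a process and a 'lightdm' process running from an unexpected location, both leave evidence a defender can check. The following example is added here and is not Group-IB's code or any tool named in the report. It assumes, as this editor understands the technique, that the bind mount is placed over a /proc/<pid> directory so that ps and similar tools no longer see the process; the mountinfo lines and the process table are constructed sample data, and the expected install paths for lightdm are an assumed allow-list.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample of /proc/self/mountinfo. Line 3 is the suspicious one:
# an ext4 directory bind-mounted over /proc/4711, which hides PID 4711 from
# tools that enumerate /proc. The mount table itself still records it.
MOUNTINFO_SAMPLE = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 0 254:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw
35 28 254:1 /var/tmp/.cache /proc/4711 rw,relatime shared:1 - ext4 /dev/vda1 rw
41 28 254:1 /home /home rw,relatime shared:1 - ext4 /dev/vda1 rw
"""

# Constructed process table as (pid, comm, exe), i.e. what /proc/<pid>/comm
# and readlink /proc/<pid>/exe would report. PID 4711 masquerades as lightdm.
PROCESS_SAMPLE = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "lightdm", "/usr/sbin/lightdm"),
    (4711, "lightdm", "/var/tmp/.cache/lightdm"),
]

# Assumed allow-list: where a distribution package would install lightdm.
EXPECTED_EXE = {
    "lightdm": ("/usr/sbin/lightdm", "/usr/bin/lightdm"),
}

# Matches a mount point that sits directly on, or below, a /proc/<pid> entry.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass
class Mount:
    mount_id: int
    root: str         # subtree of the source filesystem (non-"/" hints at a bind mount)
    mount_point: str
    fstype: str
    source: str


def _unescape(field):
    # mountinfo encodes spaces, tabs and newlines in paths as octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo(5) lines: fields before ' - ' are positional, after it come fstype and source."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pf = pre.split()
        qf = post.split()
        mounts.append(Mount(int(pf[0]), _unescape(pf[3]), _unescape(pf[4]), qf[0], qf[1]))
    return mounts


def find_proc_overlays(mounts):
    """Return (pid, Mount) for every non-procfs mount placed over a /proc/<pid> entry."""
    hits = []
    for m in mounts:
        match = PROC_PID_RE.match(m.mount_point)
        if match and m.fstype != "proc":
            hits.append((int(match.group(1)), m))
    return hits


def find_masquerading(processes, expected=EXPECTED_EXE):
    """Return (pid, exe) for processes whose name is on the allow-list but whose binary path is not."""
    return [(pid, exe) for pid, comm, exe in processes
            if comm in expected and exe not in expected[comm]]


def suspicious_pids(mount_text, processes):
    """Union of PIDs flagged by either check, sorted for stable reporting."""
    pids = {pid for pid, _ in find_proc_overlays(parse_mountinfo(mount_text))}
    pids |= {pid for pid, _ in find_masquerading(processes)}
    return sorted(pids)


if __name__ == "__main__":
    # On a live Linux host, read the real mount table instead of the sample.
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else MOUNTINFO_SAMPLE
    for pid, m in find_proc_overlays(parse_mountinfo(text)):
        print(f"PID {pid}: {m.fstype} subtree {m.root} of {m.source} mounted over {m.mount_point}")
    for pid, exe in find_masquerading(PROCESS_SAMPLE):
        print(f"PID {pid}: name matches a known daemon but runs from {exe}")
```

The point of reading the mount table rather than walking /proc is that a bind mount cannot hide from the mount namespace it lives in: `findmnt` or /proc/self/mountinfo will list it even when `ps` shows nothing. Pairing that with a binary-path allow-list catches the second trick in the article, a familiar process name backed by an executable installed where no package manager would put it.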
This discovery resulted in updating the MITRE ATT&CK framework with a new classification: “T1564.013 – Hide Artifacts: Bind Mounts.”
Fortunately, intervention by the network's security team led to the detection and shutdown of the operation before the malware could push further into the ATM switching network and deploy CakeTap.