Hackers Use Raspberry Pi for Bank Attack
In a bold move, hackers have planted a Raspberry Pi equipped with a 4G modem within the network of an unspecified bank, aiming to exploit the bank’s ATM system. Security firm Group-IB reported this groundbreaking tactic, stating that it allowed attackers to bypass all perimeter defenses.
Using a technique known as a Linux bind mount, the malware used by the hackers concealed itself effectively, akin to a rootkit, which masks its presence from the operating system. This maneuver was the first of its kind seen employed by cybercriminals according to the researchers.
End goal: Backdooring the ATM switching network
The Raspberry Pi was strategically integrated into the same network switch as the bank’s ATM system, providing it direct access to the internal network. The ultimate target was to compromise the ATM switching server to manipulate the bank’s hardware security module. This module is a tamper-proof device responsible for storing sensitive information and executing encryption operations.
Identified as UNC2891, the cybercriminal group has wreaked havoc in the banking sector since 2017, known for using bespoke malware targeting Linux, Unix, and Oracle Solaris systems. According to Google’s Mandiant division, this group had embedded itself unnoticed in networks for years, perpetrating unauthorized cash withdrawals using fraudulent cards through a custom rootkit called CakeTap on Solaris systems.
Recent findings by Group-IB confirm the continuation of UNC2891’s sophisticated attack methods. The group deployed a Raspberry Pi device, equipped with a 4G modem, physically inside a bank’s network, facilitating remote access via mobile data. To ensure sustained access, UNC2891 also breached a consistently connected mail server. The Raspberry Pi and mail server backdoor communicated via the bank's central monitoring server, which had broad server access within the data center.
Initially during the investigation, anomalies were detected on the monitoring server, such as frequent beaconing signals. Despite forensic analysis tools failing to identify processes causing these signals, memory captures managed to spot the `lightdm`, a seemingly legitimate process but situated in atypical locations. It was later identified that the attackers altered the naming to resemble authentic processes, misleading analysts.
These masked processes disguised their operations using the Linux bind mount technique, a tactic recognized and added to the MITRE ATT&CK framework under “T1564.013 – Hide Artifacts: Bind Mounts." Despite not achieving their ultimate aim—the deployment of the CakeTap backdoor—the assault was intercepted and ceased.
