Hacking the Bank: Raspberry Pi Plants and Foils Security Systems

In a daring cybercriminal plot, hackers successfully embedded a Raspberry Pi equipped with a 4G modem into the network of an unnamed bank, aiming to siphon funds from its ATM system. This case demonstrates an exceptional level of complexity and innovation in bypassing the bank's traditional perimeter defenses, as reported by Group-IB, a leading cybersecurity firm.
The attackers combined physical infiltration with remote-access malware, using a technique not previously documented in malicious use: a Linux bind mount. This allowed the malware to conceal itself much as a rootkit does, hiding its presence from the operating system's own process inspection.
By connecting the Raspberry Pi to the network switch serving the bank's ATM system, the hackers gained a foothold deep inside the internal network. Their ultimate target was the ATM switching server, whose compromise would have given them control over the bank's hardware security module, the device that protects critical secrets such as credentials and performs the bank's encryption functions.
The operation is attributed to a notorious hacking group known as UNC2891, which has been active since at least 2017, specifically targeting bank infrastructures. The group has gained a reputation for employing custom malware to exploit Linux, Unix, and Oracle Solaris systems.
In recent years, Google's Mandiant division highlighted UNC2891's capability to sustain long-term unnoticed exploits within victimized networks. The division uncovered a custom rootkit, dubbed CakeTap, which manipulated messages over the ATM network, suggesting the use of fraudulent bank cards for illicit withdrawals.
Group-IB detected the attack while investigating unusual activity on the bank's network monitoring server, notably repeated outbound beacons every 10 minutes. Their forensic tools identified a Raspberry Pi and a mail server as the two endpoints of this communication. Yet they could not identify the running process responsible for the transmissions until closer inspection revealed a hidden process masquerading as LightDM, a legitimate display manager.
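The tell that led Group-IB to the implant was regularity: a connection to the same peer every 10 minutes. The script below, an added example that is not part of the Group-IB report or the bank's tooling, shows the general check a defender would run over a connection log: group connections by source and destination, compute the gaps between them, and flag pairs whose gaps are nearly constant. The log format (`timestamp src dst`) and the hosts in it are constructed for the example; the thresholds `min_events` and `max_jitter` are assumptions a team would tune.

```python
"""Flag host pairs that beacon at a regular interval in a connection log.

Added example (not from the Group-IB report): the log format below is a
constructed, simplified "timestamp src dst" record, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: 10.0.5.23 beacons to the mail server 10.0.1.7 every
# 600 s with a little jitter; 10.0.5.40 talks to the same server irregularly.
SAMPLE_LOG = """\
2024-01-01T00:00:00 10.0.5.23 10.0.1.7
2024-01-01T00:10:02 10.0.5.23 10.0.1.7
2024-01-01T00:20:00 10.0.5.23 10.0.1.7
2024-01-01T00:30:00 10.0.5.23 10.0.1.7
2024-01-01T00:40:01 10.0.5.23 10.0.1.7
2024-01-01T00:50:00 10.0.5.23 10.0.1.7
2024-01-01T00:00:30 10.0.5.40 10.0.1.7
2024-01-01T00:03:12 10.0.5.40 10.0.1.7
2024-01-01T00:25:45 10.0.5.40 10.0.1.7
2024-01-01T00:31:05 10.0.5.40 10.0.1.7
2024-01-01T00:47:50 10.0.5.40 10.0.1.7
2024-01-01T00:52:00 10.0.5.40 10.0.1.7
"""


def parse_log(text):
    """Return {(src, dst): [sorted timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return dict(flows)


def find_beacons(text, min_events=5, max_jitter=0.05):
    """Return {(src, dst): median_interval_seconds} for pairs whose
    inter-connection intervals are nearly constant.

    max_jitter is the allowed standard deviation of the gaps as a fraction
    of the median gap: a scripted beacon sits far below 5 %, human-driven
    traffic far above it. Both thresholds are assumed starting points.
    """
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        if pstdev(gaps) / med <= max_jitter:
            hits[pair] = med
    return hits


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{interval:.0f}s")
```

On the sample input only the 10.0.5.23 to 10.0.1.7 pair is reported, with a median gap of 600 seconds; the irregular workstation traffic to the same mail server is not. In practice the same logic is run per destination as well as per pair, since an implant that rotates source ports or internal hops still keeps its timer.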
Additionally, the attack involved utilizing a mail server to maintain connectivity and access to the bank's monitoring server, effectively making it a covert communication medium. The masquerading process was using Linux bind mounts to evade detection, an evasion method now recognized in cybersecurity frameworks.
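A bind mount hides a process by covering its `/proc/<pid>` directory with some other directory, so anything that reads `/proc` to list or inspect processes sees the substituted contents. The mount itself, however, is recorded in the kernel's mount table, and a mount point of the form `/proc/<number>` has no legitimate reason to exist. The script below is an added example, not code from Group-IB, the bank, or the attackers; it parses the `/proc/self/mountinfo` format and flags such mounts. The mount table shown is constructed sample input, and the pid 4242 entry is the planted one.

```python
"""Spot bind mounts placed over /proc/<pid> directories.

Added example, not code from Group-IB or the attackers. The mount table
below is constructed sample input in /proc/self/mountinfo format. Fields:
mount id, parent id, major:minor, root (path inside the source filesystem),
mount point, options, optional tags..., "-", fstype, source, super options.
"""
import re

SAMPLE_MOUNTINFO = """\
21 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
25 24 0:22 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
40 21 0:38 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
77 21 8:1 /tmp/.cache/1337 /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Only numeric directories directly under /proc are per-process entries;
# legitimate mounts such as /proc/sys/fs/binfmt_misc must not match.
PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")


def _unescape(field):
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Yield (mount_point, root, fstype, source) for each mountinfo line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # malformed line: skip it rather than abort the sweep
        root, mount_point = _unescape(pre_fields[3]), _unescape(pre_fields[4])
        fstype, source = post_fields[0], _unescape(post_fields[1])
        yield mount_point, root, fstype, source


def find_proc_overmounts(text):
    """Return [(pid, mount_point, root, source)] for mounts covering /proc/<pid>.

    root is the directory inside the source filesystem that was bound over
    the process entry, which tells the investigator where to look next.
    """
    hits = []
    for mount_point, root, fstype, source in parse_mountinfo(text):
        m = PID_DIR.match(mount_point)
        if m:
            hits.append((int(m.group(1)), mount_point, root, source))
    return hits


def scan_live_system(path="/proc/self/mountinfo"):
    """Run the same check against a host's own mount table."""
    with open(path) as fh:
        return find_proc_overmounts(fh.read())


if __name__ == "__main__":
    for pid, mp, root, src in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(f"pid {pid}: {mp} is covered by {src}:{root}")
```

On the sample table the check reports pid 4242, covered by `/tmp/.cache/1337` from `/dev/sda1`, and ignores the normal `/proc` and `binfmt_misc` mounts. Because each mount namespace has its own table, a sweep should read `/proc/1/mountinfo` as well as the scanner's own, and a tool run from a trusted boot medium remains the stronger check when the host kernel itself is suspect.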
Despite UNC2891's advanced tactics, their mission was halted before successfully embedding the CakeTap rootkit into the ATM network. The innovative use of physical access to place the Raspberry Pi was particularly alarming, illustrating a growing trend among cybercriminals seeking direct hardware access.
This incident serves as a stark reminder of the evolving techniques employed by sophisticated threat actors and highlights the importance of robust network security measures to safeguard against such infiltrations.