
Bank hack with Raspberry Pi: How a 35-swiss-franc device almost cost millions

Researchers have investigated an unusual and sophisticated attack on an unnamed bank: Unknown hackers placed a Raspberry Pi with a 4G modem directly into the bank’s internal network. The aim was to gain access to the ATM switching system – the switching point that controls cash transactions.

Objective: Control over the ATM switching system

The mini-computer was connected to the same switch that supplies the bank’s ATMs. This gave the attackers a perfect starting position to target the hardware security module (HSM). This module exists to protect highly sensitive data such as PINs and digital signatures. Successful access would have meant manipulation of transactions and unauthorized cash withdrawals.

UNC2891 – Professionals with a long history

The attacker group is known as UNC2891 and has been active since at least 2017. It specializes in targeted attacks against banks, particularly via Linux, Unix and Solaris systems.

Mandiant (Google) had already described the group in 2022 and uncovered its CakeTap rootkit. This manipulated transactions in the ATM network to enable fraudulent withdrawals with compromised cards. Other custom tools such as SlapStick and TinyShell are also known – all with a focus on invisible, long-term access.

How the attack worked

  1. Physical implantation

A Raspberry Pi with a 4G modem was installed unnoticed in the network. The mobile connection allowed the hackers to bypass all perimeter security (firewalls, IDS, VPNs).

  2. Persistence through a mail server

At the same time, they compromised an internal mail server. This had constant Internet access and served as an alternative backdoor in case the Raspberry Pi was removed.

  3. Monitoring server as an intermediate station

To further conceal their tracks, the attackers used the network monitoring server as a relay between the Raspberry Pi and the mail server. As this server had access to almost all systems in the data center, it was an ideal springboard.

  4. Hide and seek: process camouflage & bind mounts

– The malware disguised itself as “lightdm” – a legitimate Linux display manager.

– With realistic-looking command line arguments, the process appeared credible.

– The attackers also used a technique previously undocumented in cybercrime: Linux bind mounts. This allowed them to make processes invisible in the file system – similar to a rootkit.

– The technique has since been incorporated into the MITRE ATT&CK matrix.

  5. Detection through anomalies

– During the analysis, the researchers noticed beaconing from the monitoring server every 10 minutes.

– Forensic tools were initially unable to identify the processes. Only memory dumps revealed that “lightdm” was running in an unusual location – and was in fact a disguised backdoor.
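A defender-side check for the bind-mount trick from step 4 and the forensic gap from step 5, added here as an illustration and not code from the researchers or the article. On Linux the technique works by mounting over a process's own directory under /proc, so the check parses /proc/self/mountinfo for mounts placed on /proc/<pid> and cross-checks each /proc/<pid>/stat against its directory name; the mountinfo sample is constructed.

```python
import os
import re

# /proc/<pid> itself or anything beneath it, e.g. /proc/4242/cmdline
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

def parse_mountinfo(text: str) -> list:
    """Parse /proc/self/mountinfo into (mount_point, fstype, source) tuples.
    Layout: id parent maj:min root mount_point opts [optional...] - fstype source ...
    Mount points carry octal escapes (\\040 = space), which are decoded here."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed line
        mp = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), pre_fields[4])
        entries.append((mp, post_fields[0], post_fields[1]))
    return entries

def find_proc_overmounts(mountinfo_text: str) -> dict:
    """Mounts placed on a per-process directory. Kernel mounts such as
    /proc/sys/fs/binfmt_misc are normal; a mount on /proc/<pid> never is."""
    return {mp: (fstype, src) for mp, fstype, src in parse_mountinfo(mountinfo_text)
            if PROC_PID_RE.match(mp)}

def find_stat_pid_mismatches(proc_root: str = "/proc") -> list:
    """Live cross-check: /proc/<pid>/stat begins with the PID, so when another
    process's directory is bind-mounted over it the reported PID differs from
    the directory name. Returns (dir_pid, reported_pid) pairs that disagree."""
    mismatches = []
    names = os.listdir(proc_root) if os.path.isdir(proc_root) else []
    for name in filter(str.isdigit, names):
        try:
            with open(os.path.join(proc_root, name, "stat")) as f:
                reported = int(f.read().split(" ", 1)[0])
        except (OSError, ValueError):
            continue  # process exited mid-scan or file unreadable
        if reported != int(name):
            mismatches.append((int(name), reported))
    return mismatches

# Constructed sample: normal /proc, a legitimate binfmt_misc mount, and init's
# directory (/proc/1) bind-mounted over /proc/4242 to mask that process.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
40 22 0:36 / /proc/sys/fs/binfmt_misc rw,relatime shared:22 - autofs systemd-1 rw
98 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
"""
```

Running `find_proc_overmounts(open("/proc/self/mountinfo").read())` and `find_stat_pid_mismatches()` on a live host gives a cheap triage signal before resorting to memory dumps; a non-empty result from either is worth a closer look.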

Attack stopped before it became expensive

The attack was detected and neutralized in time – before the hackers were able to fully compromise the ATM switching system and install CakeTap. Nevertheless, the incident impressively demonstrates how physical vulnerabilities combined with unconventional techniques can jeopardize even highly secured banks.

How resilient is your company really?

The attack shows: Firewalls and anti-virus solutions alone are not enough. Physical access, hidden backdoors and new attack techniques can also pose a risk.

With our Security Health Check you receive a clear assessment of your current situation:

  • Holistic analysis of your security situation
  • Detection of vulnerabilities – digital and physical
  • Concrete, prioritized measures for more protection

👉 Let us check your security before an attacker does.

Source: www.arstechnica.com, image created by AI.
