In a recent and sophisticated cyberattack, a financially motivated group identified as UNC2891 infiltrated banking infrastructure by physically installing a 4G-enabled Raspberry Pi device into an ATM network. This incident underscores the evolving tactics of cybercriminals who are now combining physical access with advanced anti-forensic techniques to compromise critical financial systems.
The Attack Methodology
The perpetrators gained unauthorized physical access to the bank’s internal network by connecting a Raspberry Pi directly to the same network switch as an ATM. This strategic placement allowed the device to operate within the bank’s internal network perimeter, effectively bypassing traditional security measures. Equipped with a 4G modem, the Raspberry Pi facilitated remote command-and-control operations via mobile data connections, circumventing standard network defenses.
To maintain persistent access, the attackers deployed a custom backdoor known as TINYSHELL. This backdoor established outbound communication channels through Dynamic DNS domains, enabling continuous external access to the compromised network. The use of mobile data connections allowed the attackers to avoid detection by conventional network monitoring systems.
Advanced Anti-Forensic Techniques
A notable aspect of this attack was the use of a previously undocumented anti-forensic technique involving Linux bind mounts. This method concealed malicious processes from detection tools, rendering standard forensic triage ineffective. The attackers deployed backdoors disguised as legitimate system processes named “lightdm,” mimicking the standard LightDM display manager found on Linux systems. However, these malicious binaries were located in atypical directories such as /tmp/lightdm and /var/snap/.snapd/lightdm, with command-line arguments designed to appear legitimate.
The bind mounts allowed the attackers to mount benign directories over the /proc entries of the malicious processes, hiding the backdoors from conventional analysis methods that read process information from /proc. This technique has since been recognized by MITRE and cataloged in the ATT&CK framework as technique T1564.013 (Hide Artifacts: Bind Mounts).
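To make the detection side concrete, here is an added example (not from the article and not from any vendor's tooling) that parses the kernel's /proc/self/mountinfo table and flags any mount whose mount point lies under a /proc/<pid> directory, which is what a bind mount used to hide a process looks like from the mount table. The sample mountinfo lines are constructed for the example; the hidden PID and paths are hypothetical.

```python
import re
from pathlib import Path

# Constructed sample of /proc/self/mountinfo. Line 3 is a bind mount that
# overlays an ordinary directory onto /proc/1337, the T1564.013 pattern.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 22 8:1 /var/lib/tmp/empty /proc/1337 rw,relatime shared:1 - ext4 /dev/sda1 rw
36 28 0:25 / /tmp rw,nosuid,nodev shared:15 - tmpfs tmpfs rw
"""

# A mount point of /proc/<pid> or anything beneath it is suspicious; /proc itself
# and non-numeric subtrees such as /proc/sys/fs/binfmt_misc are normal.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def unescape(field: str) -> str:
    # mountinfo octal-escapes space, tab, newline and backslash inside path fields
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def find_proc_overlays(mountinfo_text: str) -> list[dict]:
    """Return every mount whose mount point sits inside a /proc/<pid> tree.

    mountinfo fields: id parent major:minor root mount_point options [optional...] - fstype source super_options.
    For a bind mount, 'root' is the directory that was bound over the target.
    """
    findings = []
    for line in mountinfo_text.splitlines():
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        mount_point = unescape(fields[4])
        match = PROC_PID_RE.match(mount_point)
        if not match:
            continue
        post_fields = post.split()
        findings.append({
            "pid": int(match.group(1)),
            "mount_point": mount_point,
            "fstype": post_fields[0] if post_fields else "?",
            "source": post_fields[1] if len(post_fields) > 1 else "?",
            "bind_root": unescape(fields[3]),
        })
    return findings


def scan_live_system() -> list[dict]:
    """Run the same check against the host this script executes on."""
    return find_proc_overlays(Path("/proc/self/mountinfo").read_text())


if __name__ == "__main__":
    for f in find_proc_overlays(SAMPLE_MOUNTINFO):
        print(f"PID {f['pid']}: {f['mount_point']} is overlaid by {f['fstype']} "
              f"{f['source']}:{f['bind_root']}")
```

A hit means /proc-based tools (ps, top, most triage scripts) are reading the overlaid directory rather than the real process, so the finding should be confirmed from memory or from a namespace where the mount is not visible.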
Objective and Implications
The ultimate goal of UNC2891’s campaign was to deploy CAKETAP, a sophisticated rootkit designed to manipulate Hardware Security Module (HSM) responses and facilitate fraudulent ATM cash withdrawals. The malware was engineered to intercept card and PIN verification messages, enabling unauthorized transactions while maintaining the appearance of normal operations.
This attack highlights critical gaps in traditional forensic approaches. Initial triage failed to reveal the backdoors because they were hidden during system idle states, requiring memory forensics and continuous network monitoring to uncover the malicious activity.
Recommendations for Financial Institutions
In light of this incident, security experts recommend implementing several defensive measures:
1. Enhanced Physical Security: Banks should strengthen physical security protocols to prevent unauthorized access to network infrastructure. This includes securing network switches and other critical hardware components.
2. Advanced Forensic Techniques: Traditional forensic tools may be insufficient against sophisticated anti-forensic methods. Financial institutions should adopt advanced forensic techniques, including memory forensics and continuous network monitoring, to detect and respond to such threats effectively.
3. Regular Security Audits: Conducting regular security audits can help identify and mitigate vulnerabilities within the network infrastructure. This proactive approach can prevent potential breaches and ensure compliance with security standards.
4. Employee Training: Educating employees about the latest cyber threats and attack vectors can enhance the overall security posture of the organization. Awareness programs can help staff recognize and report suspicious activities promptly.
By implementing these measures, financial institutions can better protect their networks from sophisticated cyberattacks that combine physical access with advanced anti-forensic techniques.