In a recent cybersecurity incident, the financially motivated threat group UNC2891 attacked banking infrastructure by physically installing a 4G-equipped Raspberry Pi on an ATM network. The case illustrates a worrying evolution in criminal tradecraft: physical intrusion combined with an anti-forensics technique that defeated standard triage, aimed squarely at critical financial systems.
The Attack Methodology
Investigators found that the attackers had connected the Raspberry Pi to the same network switch as the ATM, placing the device inside the bank's internal network. A 4G modem on the device gave the attackers a command-and-control path over mobile data, so their traffic never crossed the bank's perimeter firewalls or egress monitoring. On the device they ran a custom backdoor, TINYSHELL, which beaconed out to attacker infrastructure addressed through Dynamic DNS domains, so the C2 endpoint could move between IP addresses without the implant losing contact, and the attackers kept persistent external access to the compromised network.
Advanced Anti-Forensics Techniques
A notable aspect of this attack was the use of a previously undocumented anti-forensics technique: Linux bind mounts used to conceal malicious processes from detection tools. MITRE has since catalogued it in the ATT&CK framework as T1564.013 (Hide Artifacts: Bind Mounts). The attackers deployed backdoors masquerading as "lightdm", the LightDM display manager found on Linux systems, but the binaries sat at unusual paths such as /tmp/lightdm and /var/snap/.snapd/lightdm, and were started with command-line arguments chosen to look legitimate. To keep them out of sight, the actors bind-mounted a benign directory over the /proc/<PID> entry of each backdoor process. Tools that enumerate processes by reading /proc (ps, top and most triage scripts) therefore saw the contents of the overlay instead of the backdoor's real cmdline, exe and maps, and the processes effectively vanished from conventional analysis. The overlay does not remove the process from the kernel's task list, and the mount itself is still recorded in the mount table (/proc/self/mountinfo, findmnt), so any mount whose target is a /proc/<PID> path is a strong indicator that this technique is in use.
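The check described above, as an added example that is not code from the original article or from the investigators: it parses mount-table lines in the /proc/self/mountinfo format (documented in proc(5)) and flags every mount whose target is a per-process /proc entry. The sample mount table is constructed, and PIDs 4242 and 5150 are hypothetical; it covers both a foreign directory bind-mounted over /proc/<PID> and procfs itself re-mounted so that one PID directory shows another process's entry.

```python
"""Flag bind mounts overlaid on /proc/<PID> by parsing the mount table.

Added example (not code from the original article or from the investigators).
SAMPLE_MOUNTINFO below is constructed; PIDs 4242 and 5150 are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A mount point directly on, or beneath, a per-process /proc entry.
# Normal systems mount nothing here (/proc/sys/fs/binfmt_misc sits under
# /proc/sys, not under a PID, so it does not match).
PID_PROC_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# The kernel escapes paths in mountinfo: \040 space, \011 tab, \012 newline, \134 backslash.
_OCTAL_ESC = re.compile(r"\\([0-7]{3})")


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str        # path inside the source filesystem that appears at mount_point
    mount_point: str
    fs_type: str
    source: str


def _unescape(field: str) -> str:
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse text in /proc/self/mountinfo format (see proc(5)).

    Before the ' - ' separator: mount id, parent id, major:minor, root,
    mount point, mount options, then zero or more optional tags.
    After it: filesystem type, mount source, super options.
    """
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(
            mount_id=int(pre_fields[0]),
            parent_id=int(pre_fields[1]),
            root=_unescape(pre_fields[3]),
            mount_point=_unescape(pre_fields[4]),
            fs_type=post_fields[0],
            source=_unescape(post_fields[1]),
        ))
    return mounts


def find_proc_pid_overlays(mounts: List[Mount]) -> List[Tuple[int, Mount]]:
    """Return (pid, mount) for every mount whose target is a /proc/<PID> path.

    This catches a foreign filesystem (e.g. an ext4 directory) bind-mounted
    over /proc/<PID>, and also procfs re-mounted so that /proc/<PID> shows
    another process's entry (the root field is then /<other PID>).
    """
    hits = []
    for m in mounts:
        match = PID_PROC_RE.match(m.mount_point)
        if match:
            hits.append((int(match.group(1)), m))
    return hits


def describe(pid: int, m: Mount) -> str:
    return (f"pid {pid}: {m.mount_point} is overlaid by {m.fs_type} "
            f"{m.source}:{m.root} (mount id {m.mount_id})")


# Constructed sample: three ordinary mounts plus two overlays of the kind the
# article describes. A real mount table has many more lines.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 0:35 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
131 22 8:1 /var/empty /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
132 22 0:21 /1 /proc/5150 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""


def scan_text(text: str) -> List[str]:
    """Human-readable findings for a mount table given as text."""
    return [describe(pid, m) for pid, m in find_proc_pid_overlays(parse_mountinfo(text))]


def scan_live_system() -> List[str]:
    """Run the same check against the Linux host this script executes on."""
    with open("/proc/self/mountinfo", encoding="utf-8") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_MOUNTINFO):
        print(finding)
```

Run it unmodified to see the two findings from the constructed table, or call scan_live_system() on a Linux host. The check is only as honest as the kernel's mount table: a user-space overlay like the one in this incident is exposed by it, but a kernel-level rootkit could falsify /proc/self/mountinfo too, which is one reason the investigators turned to memory forensics rather than relying on the live system alone.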
Objective and Implications
The ultimate goal of UNC2891's campaign was to deploy CAKETAP, a rootkit built to manipulate the responses returned by the bank's Hardware Security Module (HSM) so that fraudulent ATM cash withdrawals would be approved. The malware intercepts card and PIN verification messages and substitutes answers that let the attackers' transactions succeed while everything appears normal to the bank's systems. The case exposes a real gap in traditional forensic practice: the backdoors lay dormant between uses and, hidden behind the bind mounts, did not surface during initial triage; memory forensics and continuous network monitoring were required to uncover them.
Recommendations for Financial Institutions
In light of this incident, security experts recommend implementing several defensive measures:
1. Enhanced Physical Security: Banks should harden physical access to network equipment wherever ATMs are deployed, since a spare switch port was all this attack needed, and pair it with network-level controls such as disabling unused ports and port-based authentication (802.1X) so a rogue device cannot join the ATM segment even when it is physically plugged in.
2. Advanced Forensic Techniques: Because the bind-mount trick defeats triage that relies on /proc, responders should capture and analyse memory, where hidden processes remain visible in the kernel's task list, and should baseline network traffic so that a new device on an ATM segment, or unexpected lateral connections from it, stand out.
3. Regular Security Audits: Conducting regular security audits and penetration testing can identify and mitigate vulnerabilities before they can be exploited.
4. Employee Training: Educating employees about potential physical and cyber threats can enhance the overall security posture of the institution.
By adopting these measures, financial institutions can better protect their networks from evolving cyber threats that combine physical and digital attack vectors.