In a sophisticated cyber-physical attack, the financially motivated threat actor known as UNC2891 has been observed infiltrating Automated Teller Machine (ATM) infrastructures by deploying a 4G-equipped Raspberry Pi device. This method allowed the attackers to gain unauthorized access to bank networks, aiming to execute fraudulent cash withdrawals.
Intrusion Methodology
The attackers physically installed a Raspberry Pi device within the bank’s premises, connecting it directly to the same network switch as the targeted ATM. This strategic placement effectively integrated the device into the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, enabling remote access over mobile data networks. This setup circumvented traditional network defenses, such as perimeter firewalls, by establishing an outbound command-and-control (C2) channel via a Dynamic DNS domain. The TINYSHELL backdoor facilitated continuous external access to the ATM network, allowing the attackers to maintain a persistent presence.
UNC2891’s Background and Tactics
First documented by Mandiant in March 2022, UNC2891 has a history of targeting ATM switching networks to perform unauthorized cash withdrawals using fraudulent cards. Central to their operations is a kernel module rootkit known as CAKETAP. This rootkit is designed to conceal network connections, processes, and files, as well as to intercept and spoof card and PIN verification messages from hardware security modules (HSMs), thereby facilitating financial fraud.
The group’s tactics exhibit overlaps with another threat actor, UNC1945 (also known as LightBasin), previously identified for compromising managed service providers and targeting entities within the financial and professional consulting sectors. Both groups demonstrate extensive knowledge of Linux and Unix-based systems, employing sophisticated techniques to evade detection and maintain access.
Advanced Evasion Techniques
During the attack, UNC2891 utilized advanced evasion techniques to maintain their foothold within the bank’s network. Analysis by cybersecurity firm Group-IB revealed the presence of backdoors named “lightdm” on the victim’s network monitoring server. These backdoors were designed to establish active connections to both the Raspberry Pi device and the internal mail server.
A notable aspect of the attack was the abuse of bind mounts, a feature in Unix-like operating systems. By leveraging bind mounts, the attackers were able to hide the presence of the backdoor from process listings, effectively evading detection by standard security tools. This technique underscores the attackers’ deep understanding of system internals and their ability to manipulate them to their advantage.
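Tools such as ps build their process list from /proc, so a bind mount placed over a running process's /proc/<pid> directory makes that entry show some other directory's contents instead. Because every bind mount is still recorded in /proc/self/mountinfo, a defender can enumerate that file and flag any mount point that sits under /proc/<pid>. The script below is an added illustration of that check, not code from the original article or from Group-IB; the mountinfo lines are constructed sample data, and the assumption is that the hiding was done by mounting over the backdoor's /proc/<pid> directory.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
# Fields: id parent major:minor root mount_point options [optional...] - fstype source super_opts
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
101 22 0:21 /4021 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
102 28 8:1 /var/lib/empty /proc/2048 rw,relatime shared:1 - ext4 /dev/sda1 rw
35 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
"""

# Matches a mount point that is a /proc/<pid> directory or anything beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/|$)")


def parse_mountinfo(text):
    """Parse mountinfo text into dicts; the ' - ' separator splits the optional fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pf, qf = pre.split(), post.split()
        entries.append({
            "mount_id": int(pf[0]), "parent_id": int(pf[1]),
            "root": pf[3], "mount_point": pf[4],
            "fstype": qf[0], "source": qf[1],
        })
    return entries


def find_proc_pid_overlays(text):
    """Return mounts layered over /proc/<pid>: the PID is the process being hidden."""
    findings = []
    for entry in parse_mountinfo(text):
        match = PROC_PID_RE.match(entry["mount_point"])
        if match:
            findings.append({"hidden_pid": int(match.group(1)), **entry})
    return findings


def scan_live_host(path="/proc/self/mountinfo"):
    """Run the same check against the local host; returns [] where /proc is unavailable."""
    try:
        with open(path, encoding="utf-8") as fh:
            return find_proc_pid_overlays(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    for f in find_proc_pid_overlays(SAMPLE_MOUNTINFO):
        print(f"PID {f['hidden_pid']} is masked by a {f['fstype']} mount of "
              f"{f['source']}:{f['root']} at {f['mount_point']}")
```

A hit is worth comparing against the kernel's own view (for example, `ls /proc` run from a fresh mount namespace, or the task count from `/proc/stat`), since an overlay only hides the directory listing, not the scheduled task.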
Objective and Disruption
The ultimate goal of the intrusion was to deploy the CAKETAP rootkit on the ATM switching server, thereby enabling fraudulent ATM cash withdrawals. However, the campaign was disrupted before the attackers could inflict significant damage. Even after the discovery and removal of the Raspberry Pi device, the attackers maintained internal access through a backdoor on the mail server, utilizing a Dynamic DNS domain for command-and-control operations.
Implications and Recommendations
This incident highlights the evolving tactics of cybercriminals who combine physical access with advanced digital techniques to compromise financial institutions. The use of off-the-shelf hardware like Raspberry Pi devices, equipped with mobile connectivity, presents a significant challenge to traditional security measures.
Financial institutions are advised to enhance their physical security protocols to prevent unauthorized access to critical network components. Regular network audits and monitoring for unusual devices or connections can aid in early detection of such intrusions. Additionally, implementing robust endpoint detection and response (EDR) solutions can help identify and mitigate the deployment of rootkits and other malicious software within the network.
The collaboration between physical and cybersecurity teams is essential to address the multifaceted nature of such threats. By adopting a comprehensive security strategy that encompasses both physical and digital domains, financial institutions can better protect themselves against sophisticated threat actors like UNC2891.