Recently, Group-IB disclosed a bank network attack incident: the notorious hacker group UNC2891 (also known as LightBasin) attempted to bypass multiple security defenses to carry out ATM fraud by implanting a Raspberry Pi microcomputer equipped with a 4G module within the bank. Their plan ultimately failed when it was exposed. This “hybrid attack,” which combines physical intrusion with remote control, reveals the complex risks hidden within the cybersecurity systems of financial institutions.
According to investigations, the hacker group physically connected the Raspberry Pi, equipped with a 4G modem, to the ATM network switch by infiltrating the bank or bribing internal employees. This single-board computer, about the size of a palm, can establish a covert channel using an independent 4G signal, allowing attackers to bypass the bank’s perimeter firewall while continuously gaining remote access to the internal network.
Security researchers found that this Raspberry Pi was implanted with an open-source backdoor program called TinyShell, which established communication with an external control server via the mobile data network. Using this “foothold,” the hackers were able to move laterally within the bank’s internal network: first infiltrating a network monitoring server with extensive data center connection permissions, and then further compromising an email server with direct internet access. This “jumping-off point” penetration strategy allowed them to maintain persistent control through the email server even after the Raspberry Pi was discovered and removed.
To cover their tracks, the hacker team employed multiple counter-detection techniques. They named the malicious process “lightdm,” disguising it as a common display manager program in Linux systems; they also mounted alternative file systems like tmpfs and ext4 at the /proc/[pid] path to deliberately hide the metadata of the malicious process, making it difficult for conventional forensic tools to trace. Network traffic monitoring showed that the bank’s internal network monitoring server sent heartbeat signals to the Raspberry Pi’s port 929 every 600 seconds, confirming that the device played a core relay role.
Currently, Group-IB has assisted the involved bank in eliminating all undiscovered backdoor programs and repairing the physical security vulnerabilities.
Information and images fromsource:bleepingcomputer
Reprint mustindicate the source and link to this article
﹀﹀﹀

Share

Like

View

Click to read the original text for more