Hidden Access Point Uncovered in ATM Network via Raspberry Pi
In a recent cybersecurity incident, the UNC2891 threat group, known for targeting ATM infrastructure, successfully infiltrated a bank's internal network. The attackers used a Raspberry Pi device equipped with a 4G modem, allowing them remote access over mobile data.
The backdoor's concealment technique, now catalogued in MITRE ATT&CK as T1564.013, abused Linux bind mounts: mounting another filesystem over the backdoor's own /proc/[pid] directory removed it from the view of tools such as ps that enumerate /proc, so ordinary process listings and the security tooling built on them did not show it.
Physical access was also a part of the attackers' strategy. UNC2891 connected a Raspberry Pi device to a network switch shared with an ATM. The device served as a crucial pivot point for lateral movement across the internal environment, with backdoor processes establishing connections to the Raspberry Pi and the bank's internal mail server.
The attackers installed a custom backdoor called TINYSHELL, which provided persistent external access and allowed the device to communicate continuously with command-and-control (C2) infrastructure. TINYSHELL made its outbound connections to a dynamic DNS domain rather than a fixed IP address, so the operators could move their C2 infrastructure without disrupting the channel or exposing the change.
Deeper analysis revealed a stealthy malware component masquerading as the legitimate display-manager process "lightdm". Two instances of "lightdm" were found running from the unusual locations /tmp/lightdm and /var/snap/.snapd/lightdm. The malware aimed to deploy a rootkit called CAKETAP on the ATM switching server to manipulate hardware security modules and facilitate fraudulent ATM withdrawals.
In response to this incident, Group-IB has recommended several measures to enhance security. These include monitoring mount and unmount syscalls, alerting on /proc/[pid] mounted to tmpfs or external filesystems, blocking or monitoring binaries executed from /tmp or .snapd directories, securing all physical switch ports and ATM-connected infrastructure, and capturing memory images during incident response.
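The following is an added example, not Group-IB's tooling or anything from the incident report, showing how two of the recommended checks can be implemented as a host scan: flagging any filesystem mounted on top of a /proc/[pid] directory (parsed from /proc/self/mountinfo), and flagging processes whose executable lives under /tmp, under a ".snapd" directory, or, for a daemon name such as lightdm, outside the normal system binary directories. The sample mountinfo lines and process table are constructed for illustration; the function names, the /usr/sbin/lightdm install path used as the "legitimate" baseline, and the `SYSTEM_BIN_DIRS` allowlist are the example's own assumptions.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Mount points of the form /proc/<pid> or /proc/<pid>/...
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Where a packaged system daemon is normally installed (assumed allowlist).
SYSTEM_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/usr/libexec/")
DAEMON_NAMES = {"lightdm"}  # daemon names seen masqueraded in this incident


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal escapes (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse /proc/self/mountinfo. Fields before ' - ' are mount id, parent id,
    major:minor, root, mount point, options and optional tags; after it come
    fstype, source and super-block options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue  # malformed line: skip it rather than abort the whole scan
        entries.append({
            "mount_id": lf[0], "parent_id": lf[1],
            "root": _unescape(lf[3]), "mount_point": _unescape(lf[4]),
            "options": lf[5], "fstype": rf[0], "source": rf[1],
        })
    return entries


def find_proc_overlay_mounts(mountinfo_text: str) -> List[Dict]:
    """Flag any filesystem (tmpfs, a bind mount of a disk directory, ...) mounted over /proc/<pid>."""
    findings = []
    for e in parse_mountinfo(mountinfo_text):
        m = PROC_PID_RE.match(e["mount_point"])
        if m:
            findings.append({"pid": int(m.group(1)), "mount_point": e["mount_point"],
                             "fstype": e["fstype"], "source": e["source"], "root": e["root"]})
    return findings


def find_suspicious_exec_paths(processes: Iterable[Tuple[int, str, str]]) -> List[Dict]:
    """processes: (pid, comm, exe) triples as read from /proc/<pid>/comm and
    os.readlink('/proc/<pid>/exe')."""
    findings = []
    for pid, comm, exe in processes:
        reasons = []
        if exe.startswith("/tmp/"):
            reasons.append("executed from /tmp")
        if ".snapd" in exe.split("/"):
            reasons.append("executed from a .snapd directory")
        if comm in DAEMON_NAMES and not exe.startswith(SYSTEM_BIN_DIRS):
            reasons.append(f"{comm} running outside system binary directories")
        if reasons:
            findings.append({"pid": pid, "comm": comm, "exe": exe, "reasons": reasons})
    return findings


def scan(mountinfo_text: str, processes: List[Tuple[int, str, str]]) -> Dict:
    """Combine both checks. A pid that has an overlay mount but no entry in the
    process walk is exactly what the bind-mount trick produces: the directory is
    there, but its stat/comm/exe files are masked, so ps-style tools skip it."""
    overlays = find_proc_overlay_mounts(mountinfo_text)
    visible = {pid for pid, _, _ in processes}
    hidden = sorted({o["pid"] for o in overlays} - visible)
    return {"proc_overlays": overlays, "hidden_pids": hidden,
            "suspicious_exec": find_suspicious_exec_paths(processes)}


def collect_live_processes() -> List[Tuple[int, str, str]]:
    """Walk /proc on the running host (Linux only). Requires root to read every exe link."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")  # ends in ' (deleted)' if the file was unlinked
        except OSError:
            continue  # process exited, or unreadable without privileges
        procs.append((int(name), comm, exe))
    return procs


# Constructed sample data: two overlays on /proc (a tmpfs and a bind mount of a disk
# directory), one of which also hides its process from the walk, plus two lightdm
# look-alikes running from the locations named in the article.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 0:48 / /proc/1337 rw,relatime shared:27 - tmpfs tmpfs rw
46 22 8:1 /var/snap/.snapd/fake /proc/2048 rw,relatime shared:1 - ext4 /dev/sda1 rw
47 23 8:1 /home /home rw,relatime shared:1 - ext4 /dev/sda1 rw
"""
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (900, "lightdm", "/usr/sbin/lightdm"),
    (3000, "sshd", "/usr/sbin/sshd"),
    (4100, "lightdm", "/tmp/lightdm"),
    (4200, "lightdm", "/var/snap/.snapd/lightdm"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_MOUNTINFO, SAMPLE_PROCESSES), indent=2))
    if os.path.exists("/proc/self/mountinfo"):  # also scan the live host when on Linux
        with open("/proc/self/mountinfo") as fh:
            print(json.dumps(scan(fh.read(), collect_live_processes()), indent=2))
```

The scan reads mountinfo rather than the output of `mount`, because the kernel-provided file shows the mount's root field, which reveals when a /proc/[pid] directory has been replaced by a bind mount of some other directory on disk, not only by a tmpfs. Running it periodically, or in response to `mount` syscall audit events, gives the alert the recommendations above describe; capturing a memory image before remediation remains the way to recover the hidden process itself.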
This case demonstrates the evolving tactics of financially motivated attackers, using physical access, obscure Linux features, and memory-resident malware to undermine well-defended systems. It serves as a reminder for organisations to stay vigilant and adapt their security measures to counter emerging threats.