Bank intruders connected a Raspberry Pi device to the bank's network, exploiting it to siphon off cash from ATMs.
In a bold and unprecedented move, a cybercriminal group named UNC2891 executed a physical attack on a bank's ATM in Q1 2024. The attack, which involved the implantation of a Raspberry Pi device onto the bank's internal network, marked a new chapter in the evolving landscape of cybercrime.
The attackers connected the Raspberry Pi to the bank's network switch, gaining covert access to the ATM infrastructure. Once established, they deployed a backdoor known as Tinyshell, which set up persistent command-and-control communication through a dynamic DNS domain. Because the bank's mail server had direct internet access, the attackers also leveraged it as a foothold, which let them keep a presence on the network even after the Raspberry Pi was disconnected.
To avoid detection, UNC2891 employed advanced obfuscation techniques. The Tinyshell backdoor masqueraded as the LightDM display manager, a common Linux service, and used Linux bind mounts to hide the backdoor processes. This method, previously undocumented publicly and later recognized in MITRE's ATT&CK framework as technique T1564.013, complicates forensic detection and response.
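One defender-side check for the bind-mount hiding technique described above, added here as an example and not code from the reporting or from the attackers' tooling: a process hidden this way has a mount layered over its `/proc/<pid>` directory, so parsing `/proc/self/mountinfo` for any mount point under a numeric `/proc` entry surfaces it even when `ps` does not. The sample mountinfo lines below are constructed, not taken from the incident.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of /proc/self/mountinfo lines. The last two entries show an
# empty directory and another PID's proc entry bind-mounted over /proc/<pid>,
# which is the pattern that hides a process from /proc-based tools.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
101 22 0:21 /kcore /proc/kcore ro,relatime - proc proc rw
240 22 8:1 /tmp/.empty /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
241 22 0:21 /1 /proc/4243 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

@dataclass
class MountEntry:
    mount_id: int
    root: str         # path inside the source filesystem that was mounted
    mount_point: str  # where it appears in this mount namespace
    fstype: str
    source: str

# Matches /proc/<pid> itself or anything beneath it; /proc/kcore etc. do not match,
# so the usual container-runtime masking of those files is not flagged.
_PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")

def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal escapes (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse mountinfo lines: '<id> <parent> <maj:min> <root> <mnt> <opts> [optional...] - <fstype> <src> <superopts>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")   # the '-' separates the optional-field list
        p, q = pre.split(), post.split()
        entries.append(MountEntry(int(p[0]), _unescape(p[3]), _unescape(p[4]), q[0], _unescape(q[1])))
    return entries

def hidden_pids(entries: List[MountEntry]) -> List[Tuple[int, MountEntry]]:
    """Return (pid, entry) for every mount layered over a /proc/<pid> directory."""
    hits = []
    for e in entries:
        m = _PID_DIR.match(e.mount_point)
        if m:
            hits.append((int(m.group(1)), e))
    return hits

def scan_live() -> List[Tuple[int, MountEntry]]:
    """Run the check against the current mount namespace (Linux only)."""
    with open("/proc/self/mountinfo") as f:
        return hidden_pids(parse_mountinfo(f.read()))
```

Run `scan_live()` from each mount namespace of interest, since a bind mount made inside a namespace is only visible from within it.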
The ultimate goal of UNC2891 appears to have been deploying the "Caketap" rootkit on the ATM switching server to spoof authorization messages and facilitate fraudulent ATM cash withdrawals.
The security industry's ongoing effort to reconcile the names used for cybercriminal outfits links UNC2891 to UNC1945/LightBasin, which is in turn linked to MustangPanda and RedDelta. The exact amount of money siphoned off by UNC2891 remains undisclosed.
It's worth noting that UNC2891's multi-layered cyber-physical approach and sophisticated use of Linux-based obfuscation techniques demonstrate a high level of skill across Linux, Unix, and Oracle Solaris environments, making their attacks notably stealthy and challenging to detect with conventional tools.
Furthermore, the attackers were reported to have paid "runners" to physically plant the devices on ATMs, and activity from this cluster was first spotted in 2017, making UNC2891 part of a "threat cluster" that has been active for several years. The attack was eventually attributed to UNC2891, and the group successfully withdrew cash from a compromised ATM.
While the bank was able to mitigate the attack a few days after the first withdrawal, the incident serves as a stark reminder of the evolving nature of cybercrime and the need for continuous vigilance and innovation in cybersecurity measures.
- The sophisticated use of Linux-based obfuscation techniques by UNC2891, such as the Tinyshell backdoor masquerading as the LightDM display manager, highlights the complexity of cybersecurity in the technology-driven banking-and-insurance industry.
- The connection of the Raspberry Pi device to the bank's network switch by UNC2891 enabled them to gain covert access to the ATM infrastructure and deploy a backdoor, ultimately aiming to facilitate fraudulent ATM cash withdrawals through the deployment of the "Caketap" rootkit.
- UNC2891's multi-layered cyber-physical approach, which involves paid "runners" to physically plant devices on ATMs, showcases the need for integrating physical and cybersecurity measures in the cybersecurity industry.
- The evolving tactics used by cybercriminal groups like UNC2891, such as the deployment of Tinyshell and the use of dynamic DNS domains for command-and-control communication, underscore the importance of staying updated on the latest threats within the cybersecurity and AI-driven security industry.