Cybercrooks Attached Raspberry Pi To Bank Network And Drained ATM Cash
A ring of cybercriminals managed to physically implant a Raspberry Pi on a bank’s network to steal cash from an Indonesian ATM.
Group-IB reported the findings for the first time this week, telling The Register that the attack took place in Q1 2024 and involved the crooks paying “runners” to physically plant the devices on ATMs.
The attack was attributed to what cybersecurity pros refer to as a “threat cluster” tracked as UNC2891, which was first spotted in 2017.
We’re told that participants in UNC2891’s activities are neither native to nor located in Indonesia, and Mandiant previously linked them to UNC1945/LightBasin, which in turn is linked to MustangPanda and RedDelta.
Group-IB said the team successfully withdrew cash from a compromised ATM, and the attack was mitigated a few days after that first withdrawal. The researchers would not say how much money UNC2891 was able to siphon off, however.
The criminals, or the people they paid to carry out the physical attack, connected a Raspberry Pi to a bank’s network switch, the same one hooked up to the ATM that was subsequently raided.
That Raspberry Pi was equipped with a 4G modem, granting attackers remote access to the bank’s internal network.
UNC2891 then deployed a backdoor known as Tinyshell to establish persistent access via a command-and-control channel and a dynamic DNS domain. The method allowed the criminals to bypass traditional network defenses such as perimeter firewalls, Group-IB said.
Tinyshell connected to both the Raspberry Pi and the bank’s mail server. The mail server had direct internet connectivity, which meant that when the Raspberry Pi was disconnected, the attackers still had access to the network.
After the crooks cashed out, the forensic team brought in to handle the situation struggled to locate the issue thanks to UNC2891’s obfuscation techniques.
The backdoor, for example, was disguised as the LightDM display manager commonly found on Linux systems, demonstrating the group’s skillset, which the researchers said spanned Linux, Unix, and Oracle Solaris environments.
UNC2891 also used Linux bind mounts to hide its backdoor processes, which, at the time, had not been documented in public threat reports, Group-IB said.
The technique is now recognized by MITRE’s ATT&CK framework as T1564.013.
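Bind-mounting something over a process's /proc/&lt;pid&gt; directory hides that process from ps, top and most triage tools that walk /proc, but the mount itself still shows up in the mount table. The following is an added defender-side example, not code from Group-IB or The Register: it parses mountinfo lines (format per proc(5)) and flags any mount whose mount point sits on top of /proc/&lt;pid&gt;. The sample mountinfo content is constructed for illustration; the file path and function names are assumptions.

```python
import re

# Constructed sample of /proc/self/mountinfo lines (not taken from the article).
# Fields: id parent major:minor root mount_point opts [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 22 0:21 /1234 /proc/4321 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
30 29 8:1 /srv/data /mnt/data rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# A mount point of exactly /proc/<pid> or anything beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text):
    """Parse mountinfo text into dicts with the fields a hunt needs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields end at the " - " separator, after which fstype/source follow.
        left, _, right = line.partition(" - ")
        fields = left.split()
        fs = right.split()
        entries.append({
            "mount_id": int(fields[0]),
            "root": fields[3],          # path inside the source fs that is mounted
            "mount_point": fields[4],   # where it is mounted
            "fstype": fs[0] if fs else "",
            "source": fs[1] if len(fs) > 1 else "",
        })
    return entries


def find_proc_pid_overlays(text):
    """Return (hidden_pid, mount_root, fstype) for every mount covering /proc/<pid>.
    A clean host has none; such a mount masks that pid from /proc readers."""
    findings = []
    for entry in parse_mountinfo(text):
        match = PROC_PID_RE.match(entry["mount_point"])
        if match:
            findings.append((int(match.group(1)), entry["root"], entry["fstype"]))
    return findings


def scan_mountinfo(path="/proc/self/mountinfo"):
    """Run the check against a live mountinfo file (assumed path)."""
    with open(path) as fh:
        return find_proc_pid_overlays(fh.read())
```

On a live system compare results from /proc/1/mountinfo as well as /proc/self/mountinfo, since a process placed in its own mount namespace would not see mounts made in the initial one.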
Defenders were able to stop UNC2891 from achieving its ultimate goal, which they believe was to deploy the “Caketap” rootkit to spoof authorization messages that could be used to enable further cash withdrawals.
The researchers noted that the attack serves as a reminder that bad actors using the latest tools and cunning techniques can defeat traditional incident response playbooks, and that memory and network forensics are needed to supplement the usual triage tools.