Red Hot Cyber


Mr Robot Teaches: A Raspberry Pi with 4G support used by hackers to access a bank’s network

Redazione RHC : 31 July 2025 14:56

Group-IB has reported that a Raspberry Pi with 4G support was used by the hacker group UNC2891, also known as LightBasin, to overcome security measures and access a bank’s network. By connecting to the same network switch as the ATM, the single-board computer created a breach in the bank’s internal network, allowing the attackers to move laterally and install backdoors.

Researchers, who discovered the breach while examining suspicious transactions on the bank’s computer system, determined that the attack was aimed at altering the authorization of ATMs and carrying out cash withdrawals.

Although the LightBasin attack failed, researchers emphasize that the incident is a rare example of an advanced hybrid attack (combining physical and remote access) that also used multiple anti-forensic methods. The LightBasin group, active since 2016, is not the first to attack banking systems. For example, back in 2022, Mandiant experts reported the then-new Caketap Unix rootkit, created to run on Oracle Solaris systems used in the financial sector.

The researchers concluded that Caketap’s ultimate goal was to intercept card verification data and PINs from compromised ATM servers and then use that information to make unauthorized transactions. The messages intercepted by Caketap were intended for a Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to create, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips.

In the attack discovered by Group-IB, LightBasin participants gained physical access to an unnamed bank branch, either independently or by bribing an employee, who helped the hackers install a Raspberry Pi with a 4G modem on the same network switch as the ATM. This allowed the attackers to maintain constant remote access to the bank’s internal network, bypassing firewalls.

The Raspberry Pi had a TinyShell backdoor installed, which the attacker used to create a communication channel with the command and control server via a mobile network. In the later stages of the attack, the attackers moved to the Network Monitoring Server, which had extensive access to the bank’s data center.

From there, the attackers moved to a mail server with direct Internet access, which remained present on the organization’s network even after the Raspberry Pi was discovered and removed. The attackers’ backdoors posed as LightDM, the legitimate graphical login manager on Linux systems. Another factor that contributed to the high degree of stealth was the mounting of alternative file systems (tmpfs and ext4) over the /proc/[pid] paths of the malicious processes, which hid the processes’ metadata from forensic tools.
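As an added detection check, not taken from the article or from Group-IB’s report, the following Python snippet parses a mount table in /proc/mounts format and flags any file system mounted over a /proc/<pid> path, which is the over-mounting technique described above. The sample mount table is constructed; on a live host you would feed it the contents of /proc/mounts instead.

```python
import re

# Constructed sample of /proc/mounts (not from the incident). Two entries overlay
# per-process directories under /proc; the binfmt_misc mount is a normal one.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /proc/4711 tmpfs rw,relatime 0 0
/dev/loop3 /proc/4730/fd ext4 rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
tmpfs /mnt/my\\040share tmpfs rw 0 0
"""

# Matches /proc/<pid> or anything below it; /proc/sys, /proc/self etc. are not PIDs.
PID_PATH = re.compile(r"^/proc/(\d+)(/.*)?$")

def unescape_mount_field(field: str) -> str:
    """Undo the octal escaping the kernel uses in /proc/mounts (\\040 is a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text: str) -> list[dict[str, str]]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        entries.append({
            "device": unescape_mount_field(parts[0]),
            "mountpoint": unescape_mount_field(parts[1]),
            "fstype": parts[2],
            "options": parts[3],
        })
    return entries

def find_proc_pid_overmounts(text: str) -> list[dict[str, str]]:
    """Return mounts sitting on /proc/<pid>[/...]; a clean system has none."""
    hits = []
    for e in parse_mounts(text):
        m = PID_PATH.match(e["mountpoint"])
        if m:
            hits.append({**e, "pid": m.group(1)})
    return hits

if __name__ == "__main__":
    for hit in find_proc_pid_overmounts(SAMPLE_MOUNTS):
        print(f"PID {hit['pid']}: {hit['fstype']} mounted on {hit['mountpoint']} from {hit['device']}")
```

Any hit should be compared against the process list, since a PID whose /proc entry is covered by another file system will show falsified or missing metadata to tools that read /proc.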

According to researchers, the attackers’ ultimate goal was to distribute the Caketap rootkit, but the plan was foiled when the attack was discovered.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
