Ethical Hacking News
In a shocking revelation, researchers have uncovered how hackers used a 4G-enabled Raspberry Pi to compromise an ATM network. The audacious plan employed novel techniques such as Linux bind mount and process masquerading to disguise malware, making it challenging for forensic analysts to detect. This latest attempt by the financially motivated threat group UNC2891 highlights the ever-evolving nature of cyber threats and underscores the importance of staying vigilant in protecting sensitive financial information.
Researchers uncovered a new attack method by UNC2891 using custom-built malware called CakeTap to manipulate ATM networks. Hackers employed Linux bind mount and process masquerading techniques to disguise their malware, making it difficult for forensic analysts to detect. The attackers compromised the bank's mail server and used a network monitoring server as an intermediary to establish communication with the infected ATM switching network. Physical access to install a Raspberry Pi device allowed hackers to bypass perimeter defenses entirely. The malware masqueraded as legitimate processes, including an open-source display manager called LightDM, making it harder to detect.
The world of cybersecurity has witnessed numerous attacks over the years, with hackers continually adapting and evolving their tactics. In recent times, researchers have been keeping a close eye on the nefarious activities of the financially motivated threat group known as UNC2891, which has been wreaking havoc across various financial institutions worldwide. Their latest attempt to siphon money from an ATM network using a 4G-enabled Raspberry Pi has raised several eyebrows in the cybersecurity community.
Group-IB, a renowned security firm, recently uncovered the details of this audacious plan. According to their findings, hackers used a custom-built malware called CakeTap to manipulate messages passing through an infected ATM switching network. The primary goal was to facilitate unauthorized cash withdrawals using fraudulent bank cards. Furthermore, researchers discovered that UNC2891 had employed a novel technique known as Linux bind mount to disguise its malware, making it difficult for forensic analysts to detect.
To accomplish this, the hackers compromised the targeted financial institution's mail server and used its network monitoring server as an intermediary between the Raspberry Pi and the mail server. This setup allowed them to establish communication with the infected ATM switching network, which was directly connected to the Raspberry Pi via a 4G modem. Because the device sat on the bank's internal network infrastructure, the attackers effectively had a foothold inside the bank's internal network.
One of the most striking features of this attack is the use of physical access to install a Raspberry Pi device. This allowed the hackers to bypass perimeter defenses entirely. Additionally, researchers found that the malware had been designed to masquerade as legitimate processes, including an open-source display manager called LightDM. This was achieved by executing the malware with command-line arguments resembling those the legitimate program uses, thereby making it harder for forensic analysts to spot.
To further complicate matters, Group-IB discovered that hackers had used another Linux technique known as process masquerading to disguise their malware. The backdoors were actively establishing connections to both the Raspberry Pi and the internal Mail Server. This revelation highlights the sophisticated tactics employed by UNC2891 in an attempt to evade detection.
In a surprising twist, researchers were unable to identify the endpoints associated with the beacons sent from the monitoring server using forensic tools. However, they did manage to capture system memory as the beacons were sent and discovered that one of the processes was lightdm, which is a legitimate display manager commonly found on Linux systems. The researchers concluded that this backdoor was deliberately obfuscated by the threat actor through process masquerading.
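The two hiding techniques described above, bind mounts (T1564.013) and process masquerading as lightdm, are both visible from a responder's side if one checks the right places in /proc. The following is an added example written for this article, not code from Group-IB or from the original report. It assumes, as ATT&CK's T1564.013 entry describes, that the bind mount is placed over a /proc/<pid> directory, and it assumes the genuine LightDM binary lives at /usr/sbin/lightdm; the mountinfo lines and process snapshots are constructed sample data so the script runs offline.

```python
from __future__ import annotations
import os
import re
from dataclasses import dataclass

# --- 1. Bind mounts placed over /proc/<pid> (ATT&CK T1564.013) -------------
# Assumption: the attacker mounts a decoy directory over /proc/<pid> so that
# ps, ls /proc and lsof see the decoy instead of the real process entry.
# The mount itself still appears in /proc/self/mountinfo, which is what we read.

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


def find_proc_bind_mounts(mountinfo_text: str) -> list[dict]:
    """Return every mount whose mount point lies under /proc/<pid>.

    mountinfo layout (man 5 proc):
      id parent maj:min root mount_point opts [optional...] - fstype source superopts
    """
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 10:
            continue  # malformed or truncated line
        sep = fields.index("-")
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces as \040
        m = PROC_PID_MOUNT.match(mount_point)
        if m:
            hits.append({
                "pid": int(m.group(1)),
                "mount_point": mount_point,
                "root": fields[3],          # path inside the source fs bound here
                "fstype": fields[sep + 1],
                "source": fields[sep + 2],
            })
    return hits


# --- 2. Process masquerading: argv says lightdm, the binary says otherwise --

@dataclass
class ProcSnapshot:
    """What a responder collects per pid from /proc (constructed here)."""
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    cmdline: list[str]   # /proc/<pid>/cmdline split on NUL
    exe: str             # os.readlink("/proc/<pid>/exe")


def parse_cmdline(raw: bytes) -> list[str]:
    """Split the NUL-separated /proc/<pid>/cmdline into argv."""
    return [a.decode(errors="replace") for a in raw.split(b"\x00") if a]


# Assumed allow-list: where the genuine binary lives on the distro in question.
KNOWN_BINARIES = {"lightdm": {"/usr/sbin/lightdm"}}


def find_masquerading(procs: list[ProcSnapshot], known=KNOWN_BINARIES) -> list[int]:
    """Flag pids whose argv[0] (or comm) claims a known program but whose
    executable is not at that program's real path, or has been unlinked."""
    flagged = []
    for p in procs:
        claimed = os.path.basename(p.cmdline[0]) if p.cmdline else p.comm
        expected = known.get(claimed)
        if expected is None:
            continue  # not a name we have a reference path for
        deleted = p.exe.endswith(" (deleted)")
        exe = p.exe.removesuffix(" (deleted)")
        if deleted or exe not in expected:
            flagged.append(p.pid)
    return flagged


# --- Constructed sample data (not real forensic artefacts) -----------------

SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
31 24 0:4 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs systemd-1 rw,fd=29
120 24 8:1 /var/tmp/.x /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""

# lightdm normally spawns "lightdm --session-child N M"; the second entry
# reuses that command line but runs from a hypothetical dropped binary.
SAMPLE_PROCS = [
    ProcSnapshot(1001, "lightdm",
                 parse_cmdline(b"lightdm\x00--session-child\x0012\x0019\x00"),
                 "/usr/sbin/lightdm"),
    ProcSnapshot(4242, "lightdm",
                 parse_cmdline(b"lightdm\x00--session-child\x0012\x0019\x00"),
                 "/var/tmp/.x/lightdm"),
]


def scan(mountinfo_text: str, procs: list[ProcSnapshot]) -> dict:
    """Run both checks and return the findings."""
    return {
        "proc_bind_mounts": find_proc_bind_mounts(mountinfo_text),
        "masquerading_pids": find_masquerading(procs),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_MOUNTINFO, SAMPLE_PROCS).items():
        print(key, value)
```

On a live host the same functions can be fed `open("/proc/self/mountinfo").read()` and snapshots built from `os.listdir("/proc")`, `/proc/<pid>/comm`, `/proc/<pid>/cmdline` and `os.readlink("/proc/<pid>/exe")`; the point of the two checks is that a bind mount hides a directory listing but not the mount table, and a faked command line does not change where the kernel says the executable came from. The allow-list of genuine binary paths is the part to adapt per distribution.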
Group-IB added the technique used in this attack to the MITRE ATT&CK framework as “T1564.013 – Hide Artifacts: Bind Mounts.” The firm did not disclose where the compromised switching equipment was located or how the attackers managed to plant the Raspberry Pi, citing that information as too sensitive for public release.
The attack was detected and shut down before UNC2891 could achieve its final goal of infecting the ATM switching network with CakeTap. Despite this setback, researchers are aware that UNC2891 remains active and continues to develop novel methods to breach financial institutions without being detected.
In light of these findings, it is essential for financial institutions to remain vigilant and continually update their security protocols to counter the evolving threats posed by sophisticated hackers like UNC2891.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Novel-Approach-to-Bank-Heists-How-Hackers-Exploited-a-4G-Enabled-Raspberry-Pi-to-Compromise-ATM-Networks-ehn.shtml
https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-4g-enabled-raspberry-pi-in-bank-network/
Published: Wed Jul 30 18:52:27 2025 by llama3.2 3B Q4_K_M