Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Cybercrooks' Cunning Plan: How a Raspberry Pi Became a Bank's Worst Nightmare


Cybercrooks used a Raspberry Pi to steal cash from an Indonesian ATM in an attack that shows how much damage a small, cheap device can do once it is plugged into the wrong switch. Fitted with a 4G modem, the Pi gave the attackers an out-of-band path into the bank that the perimeter firewalls never saw; on it they ran a backdoor known as Tinyshell and used that foothold to work toward remote cash withdrawals.

  • The attackers physically implanted a Raspberry Pi on a network switch inside a bank in Indonesia; the activity is attributed to the "UNC2891" threat cluster.
  • According to Group-IB, the group combined previously undocumented techniques with well-placed insiders to remotely withdraw money from the bank.
  • The Pi ran the Tinyshell backdoor and reached its command-and-control server over its own 4G modem, using a dynamic DNS domain, so the traffic never crossed the bank's perimeter firewalls.
  • The attackers hid their backdoor processes with Linux bind mounts over /proc, a technique not previously documented in public threat reports.
  • Their end goal was to deploy the "Caketap" rootkit to spoof authorization messages; defenders stopped the attack before it got that far.
  • UNC2891 has been linked to other tracked groups, which is a reason to treat its tradecraft as reusable rather than a one-off.
  • Any small device attached to an internal switch is a potential attack vector if network ports and cabinets are not physically and logically controlled, and the number of such connected devices keeps growing.



    In a brazen attack, a group of cybercriminals physically implanted a Raspberry Pi on a network switch inside a bank in Indonesia. The operation, attributed to the "UNC2891" threat cluster, resulted in the theft of cash from an ATM, and it took the bank's defenders several days to understand the scope of the intrusion and contain it.

    According to Group-IB, the attackers used undocumented techniques and well-placed insiders to remotely withdraw money from the bank's network. On the Raspberry Pi they deployed a backdoor known as Tinyshell; because the device talked to its operators over its own cellular link rather than the bank's internet egress, that traffic never passed through the perimeter firewalls.

    The Raspberry Pi, equipped with a 4G modem, gave the attackers remote access to the bank's internal network and a persistent command-and-control channel addressed through a dynamic DNS domain. The group also used Linux bind mounts to hide their backdoor processes: mounting another directory over a process's /proc/<pid> entry makes tools that read /proc (ps, top and most agents) show the mounted-over content instead of the real process. Group-IB says this technique had not previously been documented in public threat reports.
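    The bind-mount trick is easiest to understand from the defender's side. The script below is an added example, not code from Group-IB or from the original article: it parses the /proc/self/mountinfo format documented in proc(5) and flags any mount whose mount point is a /proc/<pid> directory, reporting which PID is hidden and, for a bind mount taken from /proc itself, which legitimate PID's entry is shown in its place. The sample mountinfo text is constructed for the example; the hidden PID 4242 and the decoy PID 1 are made-up values.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /proc/self/mountinfo (proc(5) format). The last line is
# what a bind mount of /proc/1 over /proc/4242 looks like: root "/1", mount
# point "/proc/4242", fstype "proc". All PIDs here are made up for the example.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 21 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
23 21 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
40 22 0:21 / /proc/sys/fs/binfmt_misc rw,relatime shared:18 - autofs systemd-1 rw,fd=30
77 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

PROC_PID_RE = re.compile(r"^/proc/(\d+)$")


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str         # path inside the source filesystem that is mounted here
    mount_point: str  # where it appears in this mount namespace
    fstype: str
    source: str


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse mountinfo text. Fields before ' - ' are six positional fields plus a
    variable number of optional tags (shared:N, master:N, ...); the fields after
    it are fstype, mount source and super options."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.strip().partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed line
        entries.append(MountEntry(
            mount_id=int(pre_fields[0]),
            parent_id=int(pre_fields[1]),
            root=_unescape(pre_fields[3]),
            mount_point=_unescape(pre_fields[4]),
            fstype=post_fields[0],
            source=_unescape(post_fields[1]),
        ))
    return entries


@dataclass
class Finding:
    hidden_pid: int           # the /proc/<pid> directory that has been mounted over
    decoy_pid: Optional[int]  # PID whose /proc entry is shown instead (bind mount from /proc)
    fstype: str
    root: str


def find_proc_pid_overmounts(entries: List[MountEntry]) -> List[Finding]:
    """Anything mounted directly on /proc/<pid> is suspicious: the kernel never
    does that on its own, and the effect is that tools reading /proc see the
    mounted-over content instead of the real process."""
    findings = []
    for e in entries:
        m = PROC_PID_RE.match(e.mount_point)
        if not m:
            continue
        decoy = None
        if e.fstype == "proc":
            rm = re.match(r"^/(\d+)(?:/|$)", e.root)
            if rm:
                decoy = int(rm.group(1))
        findings.append(Finding(int(m.group(1)), decoy, e.fstype, e.root))
    return findings


def scan_live() -> List[Finding]:
    """Run the same check against this host's own mount namespace (Linux only)."""
    path = "/proc/self/mountinfo"
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return find_proc_pid_overmounts(parse_mountinfo(f.read()))


if __name__ == "__main__":
    for fnd in find_proc_pid_overmounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"/proc/{fnd.hidden_pid} is mounted over ({fnd.fstype}, root {fnd.root});"
              f" shows PID {fnd.decoy_pid} instead")
    for fnd in scan_live():
        print(f"LIVE: /proc/{fnd.hidden_pid} mounted over, decoy PID {fnd.decoy_pid}")
```

    On a live host the same check is a grep for "/proc/[0-9]" in /proc/self/mountinfo or in findmnt output, run from the initial mount namespace, since a backdoor started in its own namespace would not show up in a container's view. The check only works while the kernel is honest: once a kernel rootkit such as the Caketap stage is installed it can filter mountinfo as well, which is why the report's recommendation of memory and network forensics matters.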

    The attack is a reminder that an adversary with current tooling and cunning techniques can defeat a traditional incident response playbook. Security experts noted that memory and network forensics are needed to supplement the usual triage tools: a process hidden from ps still occupies memory and still generates command-and-control traffic, and those are the places where it can be found.

    The attackers' goal was to deploy the "Caketap" rootkit, which spoofs authorization messages so that further cash withdrawals are approved. Defenders stopped UNC2891 before it reached that stage, mitigating the attack a few days after the first withdrawal.

    The UNC2891 threat cluster has been linked to other tracked groups, including UNC1945/LightBasin, MustangPanda and RedDelta. The reporting describes the activity as carried out by participants from outside Indonesia rather than by a local crew.

    The attack highlights the need to stay vigilant as threats evolve, and to review and update security measures regularly rather than assuming last year's controls still hold.

    The use of a Raspberry Pi is particularly noteworthy because it shows that a seemingly innocuous device becomes an attack vector the moment it is plugged into an internal switch. The population of small connected devices on corporate networks keeps growing, and each one is a potential foothold unless it is covered by the same controls as a server: controlled physical access to network cabinets, switch ports that do not accept an unknown device, and an inventory that lets defenders notice hardware nobody installed.

    The Tinyshell backdoor ran under the name of LightDM, the display manager shipped with many Linux desktops, so that it blended into a process listing. That detail, together with the group's tooling for Linux, Unix and Oracle Solaris, reflects a skillset that spans multiple environments. Patching and regular security audits remain necessary, but a masqueraded process is caught by checking what a process actually is (the executable behind it, its parent, its network connections) rather than what it calls itself.
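    A process that calls itself lightdm is cheap to fake: comm and argv[0] are under the process's own control, but /proc/<pid>/exe is a kernel-maintained link to the binary that was actually executed. The checker below is an added example, not Group-IB's tooling and not the backdoor itself: it compares the name a process claims against where its executable really lives and flags binaries that were unlinked after they started. The expected install paths and all sample process records, including the fake lightdm running from a made-up path under /tmp, are constructed assumptions for the example.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Where each service's real binary is expected to live. These paths are an
# assumption for the example; build the table from your own package database.
EXPECTED_EXE: Dict[str, List[str]] = {
    "lightdm": ["/usr/sbin/lightdm", "/usr/bin/lightdm"],
    "sshd": ["/usr/sbin/sshd"],
}

DELETED = " (deleted)"  # suffix the kernel appends to the exe link of an unlinked binary


@dataclass
class ProcRecord:
    pid: int
    comm: str           # /proc/<pid>/comm (15 chars max, settable by the process)
    cmdline: str        # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]  # os.readlink("/proc/<pid>/exe"); None when unreadable


# Constructed records. PID 4242 is the interesting one: it looks like lightdm in
# ps, but runs from a scratch path and its binary has already been deleted.
SAMPLE_RECORDS = [
    ProcRecord(912, "lightdm", "/usr/sbin/lightdm", "/usr/sbin/lightdm"),
    ProcRecord(777, "sshd", "sshd: /usr/sbin/sshd -D [listener]", "/usr/sbin/sshd"),
    ProcRecord(4242, "lightdm", "lightdm --session-child 12 19",
               "/tmp/.X11-unix/lightdm (deleted)"),
    ProcRecord(31337, "kworker/u8:2", "", None),  # kernel thread: no cmdline, no exe
]


def claimed_names(rec: ProcRecord, expected: Dict[str, List[str]]) -> List[str]:
    """Names from the table that this process presents itself as, via comm or argv[0]."""
    argv0 = os.path.basename(rec.cmdline.split(" ", 1)[0]) if rec.cmdline else ""
    return sorted({n for n in (rec.comm, argv0) if n in expected})


def check_record(rec: ProcRecord, expected: Dict[str, List[str]] = EXPECTED_EXE) -> List[str]:
    """Return the reasons this process is suspicious; an empty list means consistent."""
    names = claimed_names(rec, expected)
    if not names:
        return []  # not a name we hold expectations for
    if rec.exe is None:
        # The exe link of a root-owned process is unreadable unless the scan runs as root.
        return [f"claims {names} but /proc/{rec.pid}/exe is unreadable"]
    reasons = []
    exe = rec.exe
    if exe.endswith(DELETED):
        exe = exe[: -len(DELETED)]
        reasons.append("executable was unlinked after exec")
    allowed = {p for n in names for p in expected[n]}
    if exe not in allowed:
        reasons.append(f"runs from {exe}, expected one of {sorted(allowed)}")
    return reasons


def find_masquerades(records: List[ProcRecord],
                     expected: Dict[str, List[str]] = EXPECTED_EXE) -> Dict[int, List[str]]:
    """Map PID -> reasons for every record that fails the check."""
    result = {}
    for rec in records:
        reasons = check_record(rec, expected)
        if reasons:
            result[rec.pid] = reasons
    return result


def collect_live() -> List[ProcRecord]:
    """Build records from the local /proc (Linux; run as root to read every exe link)."""
    records = []
    if not os.path.isdir("/proc"):
        return records
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        pid = int(d)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited mid-scan
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        records.append(ProcRecord(pid, comm, cmdline, exe))
    return records


if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE_RECORDS).items():
        print(f"PID {pid}: " + "; ".join(reasons))
    for pid, reasons in find_masquerades(collect_live()).items():
        print(f"LIVE PID {pid}: " + "; ".join(reasons))
```

    The check is deliberately one-directional: it trusts the exe link and distrusts the name. That is the right trust order for a userland implant, but a kernel rootkit can rewrite what /proc/<pid>/exe returns, so a clean result here rules out the cheap disguise described above and nothing more.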

    Bad actors keep looking for new ways to exploit weaknesses in existing systems, so organizations must remain proactive: review and update defenses regularly, keep patches current, and assume the next intrusion will not look like the last one.

    In conclusion, the attack attributed to UNC2891 is a clear warning that a cheap device on the wrong switch, a few insiders and some patient tradecraft can be enough to reach an ATM network. Security protocols have to cover the smallest devices as seriously as the largest servers.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cybercrooks-Cunning-Plan-How-a-Raspberry-Pi-Became-a-Banks-Worst-Nightmare-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/08/01/cybercrooks_bribed_lackeys_in_physical/


  • Published: Fri Aug 1 05:37:58 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
