Subj : Talk about an unexpected
To : All
From : Mike Powell
Date : Sat Aug 09 2025 09:30 am
Talk about an unexpected charge - criminals deploy Raspberry Pi with 4G modem
in an attempt to hack ATMs
Date:
Sat, 09 Aug 2025 11:28:00 +0000
Description:
Hackers exploited physical access to install a 4G Raspberry Pi, masking
malware and targeting ATM systems.
FULL STORY
A criminal group recently attempted an unusual and sophisticated intrusion
into a bank's ATM infrastructure by deploying a 4G-enabled Raspberry Pi.
A report from Group-IB revealed the device was covertly installed on a
network switch used by the ATM system, placing it inside the internal banking
environment.
The group behind the operation, UNC2891, exploited this physical access point
to circumvent digital perimeter defenses entirely, illustrating how physical
compromise can still outpace software-based protection.
Exploiting physical access to bypass digital defenses
The Raspberry Pi served as a covert entry point with remote connectivity
capabilities via its 4G modem, which allowed persistent command-and-control
access from outside the institution's network without triggering typical
firewall or endpoint protection alerts.
"One of the most unusual elements of this case was the attackers' use of
physical access to install a Raspberry Pi device," Group-IB Senior Digital
Forensics and Incident Response Specialist Nam Le Phuong wrote.
"This device was connected directly to the same network switch as the ATM,
effectively placing it inside the bank's internal network."
Using mobile data, the attackers maintained a low-profile presence while
deploying custom malware and initiating lateral movement within the bank's
infrastructure.
A particular tool, known as TinyShell, was used to control network
communications, enabling data to pass invisibly across multiple internal
systems.
Forensics later revealed UNC2891 used a layered approach to obfuscation.
The malware processes were named lightdm, imitating legitimate Linux system
processes.
These backdoors ran from atypical directories such as /tmp, making them blend
in with benign system functions.
Also, the group used a technique known as Linux bind mounts to hide process
metadata from forensic tools, a method not typically seen in active attacks
until now.
This technique has since been cataloged in the MITRE ATT&CK framework due to
its potential to elude conventional detection.
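The bind-mount trick described above works because a benign process's
/proc/<pid> directory can be mounted over the malicious process's /proc/<pid>
directory, so anything that reads process metadata from /proc sees the decoy.
The following is an added example (not from the article, Group-IB, or
the attackers' tooling) of how a responder can spot that condition from
/proc/self/mountinfo: it flags any mount whose mount point sits under
/proc/<pid>, and reports which PID is being hidden and which PID is being shown
in its place. The mountinfo sample is constructed; the PIDs 4242 and 1337 are
placeholders.

```python
"""Detect bind mounts layered over /proc/<pid> directories.

Added example, not code from the original post or from Group-IB. Parses the
/proc/self/mountinfo format (see proc(5)); on a real host call
audit_mountinfo() with no arguments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A mount point of /proc/<pid> or anything beneath it is never created by a
# normal system; only the single proc filesystem at /proc is expected.
PROC_PID_MOUNTPOINT = re.compile(r"^/proc/(\d+)(/.*)?$")


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str         # path inside the filesystem that is mounted (field 4)
    mount_point: str  # where it appears in the tree (field 5)
    fstype: str
    source: str


@dataclass
class ProcOverlay:
    hidden_pid: int            # the /proc/<pid> directory that was covered up
    decoy_pid: Optional[int]   # the pid whose metadata is shown instead, if root is /<pid>
    entry: MountEntry


def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse mountinfo lines: '<id> <parent> <maj:min> <root> <mountpoint> <opts> [optional...] - <fstype> <source> <superopts>'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The ' - ' separator terminates the variable-length optional fields.
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue
        pre_fields = pre.split()
        post_fields = post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        entries.append(MountEntry(
            mount_id=int(pre_fields[0]),
            parent_id=int(pre_fields[1]),
            root=pre_fields[3],
            mount_point=pre_fields[4],
            fstype=post_fields[0],
            source=post_fields[1],
        ))
    return entries


def find_proc_overlays(entries: List[MountEntry]) -> List[ProcOverlay]:
    """Return every mount that covers a per-process directory under /proc."""
    findings = []
    for e in entries:
        m = PROC_PID_MOUNTPOINT.match(e.mount_point)
        if not m:
            continue
        hidden_pid = int(m.group(1))
        # A bind of /proc/<decoy> onto /proc/<hidden> has root "/<decoy>" on fstype proc.
        decoy = re.match(r"^/(\d+)(/|$)", e.root)
        decoy_pid = int(decoy.group(1)) if decoy else None
        findings.append(ProcOverlay(hidden_pid, decoy_pid, e))
    return findings


def audit_mountinfo(path: str = "/proc/self/mountinfo") -> List[ProcOverlay]:
    """Read a live mountinfo file and report overlays (empty list on non-Linux hosts)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return find_proc_overlays(parse_mountinfo(fh.read()))
    except OSError:
        return []


# Constructed sample: PID 1337's /proc directory is bind-mounted over /proc/4242,
# so ps-style tools reading /proc/4242/* see PID 1337's (benign) metadata.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 0:21 /1337 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
"""

if __name__ == "__main__":
    for f in find_proc_overlays(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"/proc/{f.hidden_pid} is covered by a {f.entry.fstype} mount "
              f"showing root {f.entry.root} (decoy pid {f.decoy_pid})")
    for f in audit_mountinfo():
        print(f"LIVE: /proc/{f.hidden_pid} covered, decoy pid {f.decoy_pid}")
```

The check is deliberately independent of ps, top, or anything else that
walks /proc, since those are exactly the readers the overlay is meant to fool;
the mount table itself is what the overlay cannot hide from. Run it from
memory or a known-good binary when the host is suspected compromised.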
The investigators discovered that the bank's monitoring server was silently
communicating with the Raspberry Pi every 600 seconds, network behavior that
was subtle and thus didn't immediately stand out as malicious.
However, deeper memory analysis revealed the deceptive nature of the
processes and that these communications extended to an internal mail server
with persistent internet access.
Even after the physical implant was removed, the attackers had maintained
access via this secondary vector, showing a calculated strategy to ensure
continuity.
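A fixed 600-second check-in is quiet in volume but very regular in timing, and
regularity is something a defender can measure. The following is an added
example (not code from the article or from Group-IB) that groups connection
records by source, destination and port, computes the inter-arrival intervals,
and flags pairs whose intervals have a low coefficient of variation. The log
format, addresses, port and timestamps are constructed; the article does not
say which protocol the implant used.

```python
"""Flag periodic check-ins (beacons) in a connection log.

Added example, not from the original post or Group-IB. Input is a constructed,
simplified record format: "<ISO8601 UTC> <src> -> <dst>:<port>", one per line.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


@dataclass
class BeaconCandidate:
    src: str
    dst: str
    port: int
    events: int
    mean_interval: float  # seconds
    cv: float             # population stdev / mean of the intervals


def parse_log(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse log lines into (timestamp, src, dst, port); comments and junk are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return records


def find_beacons(text: str, min_events: int = 5, max_cv: float = 0.1) -> List[BeaconCandidate]:
    """Return (src, dst, port) pairs whose connection timing is suspiciously regular.

    min_events: ignore pairs seen fewer times than this (too little data to judge).
    max_cv:     intervals whose stdev/mean is at or below this are treated as periodic;
                human-driven traffic is far more jittery than 10%.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        by_pair[(src, dst, port)].append(ts)

    found = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            found.append(BeaconCandidate(src, dst, port, len(stamps), mean, cv))
    return sorted(found, key=lambda c: c.cv)


# Constructed sample: 10.20.30.40 (monitoring server) reaches 10.20.30.77 (implant)
# every ~600 s, interleaved with irregular traffic to a file server at 10.20.30.5.
SAMPLE_LOG = """\
# constructed connection records, UTC
2025-08-09T10:00:00Z 10.20.30.40 -> 10.20.30.77:443
2025-08-09T10:02:13Z 10.20.30.40 -> 10.20.30.5:445
2025-08-09T10:03:40Z 10.20.30.40 -> 10.20.30.5:445
2025-08-09T10:10:00Z 10.20.30.40 -> 10.20.30.77:443
2025-08-09T10:20:00Z 10.20.30.40 -> 10.20.30.77:443
2025-08-09T10:30:00Z 10.20.30.40 -> 10.20.30.77:443
2025-08-09T10:31:02Z 10.20.30.40 -> 10.20.30.5:445
2025-08-09T10:40:00Z 10.20.30.40 -> 10.20.30.77:443
2025-08-09T10:44:55Z 10.20.30.40 -> 10.20.30.5:445
2025-08-09T10:50:01Z 10.20.30.40 -> 10.20.30.77:443
"""

if __name__ == "__main__":
    for c in find_beacons(SAMPLE_LOG):
        print(f"{c.src} -> {c.dst}:{c.port}: {c.events} events, "
              f"mean interval {c.mean_interval:.1f}s, cv {c.cv:.4f}")
```

Two caveats from the incident itself: the beacon here originated from an
internal monitoring server, so filtering on "internal to internal" traffic
would have discarded it, and removing the implant would not have stopped the
secondary channel through the mail server, so the same timing check is worth
running on outbound connections from every internal host with internet access.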
Ultimately, the aim was to compromise the ATM switching server and deploy the
custom rootkit CAKETAP, which can manipulate hardware security modules to
authorize illegitimate transactions.
Such a tactic would allow fraudulent cash withdrawals while appearing
legitimate to the bank's systems.
Fortunately, the intrusion was halted before this phase could be executed.
This incident shows the risks associated with the growing convergence of
physical access tactics and advanced anti-forensic techniques.
It also reveals that beyond remote hacking, insider threats or physical
tampering can facilitate identity theft and financial fraud.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/talk-about-an-unexpected-charge-criminals-deploy-raspberry-pi-with-4g-modem-in-an-attempt-to-hack-atms
$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)