- 842
- 224
Group-IB reported that the hacker group UNC2891 (aka LightBasin) used a Raspberry Pi with 4G support to penetrate the bank's network and bypass security systems. The single-board computer was connected to the same network switch as the ATM, and this created a channel into the bank's internal network, allowing the attackers to move laterally and install backdoors.
According to the researchers, who discovered the compromise while investigating suspicious activity on the bank's network, the goal of this attack was to spoof ATM authorization and perform cash withdrawal operations.
Although the LightBasin attack failed, the researchers note that the incident is a rare example of an advanced hybrid attack (combining physical and remote access), which also used several anti-forensics methods at once.
The LightBasin group, active since 2016, is not the first to attack banking systems. For example, back in 2022, experts at Mandiant reported on a then-new Unix rootkit called Caketap, designed to run on Oracle Solaris systems used in the financial sector.
At the time, researchers concluded that Caketap’s ultimate goal was to intercept bank card and PIN verification data from hacked ATM servers and then use this information for unauthorized transactions.
The messages intercepted by Caketap were destined for the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to create, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips.
In the attack discovered by Group-IB, LightBasin participants gained physical access to an unnamed bank branch either on their own or by bribing an employee, who helped the hackers place a Raspberry Pi with a 4G modem on the same network switch as the ATM. This allowed the attackers to maintain constant remote access to the bank's internal network, bypassing firewalls.
The TinyShell backdoor was installed on the Raspberry Pi, which the attacker used to create a communication channel with the control server via a mobile network.
In subsequent stages of the attack, the attackers moved to the Network Monitoring Server, which had ample opportunities to connect to the bank's data center.
From there, the attackers moved to the mail server, which had direct access to the Internet, and maintained a presence on the organization's network even after the Raspberry Pi was discovered and removed.
The backdoors that the attackers used for lateral movement were called lightdm to mimic the legitimate LightDM manager used in Linux systems. Another element that contributed to the high degree of stealth was the mounting of alternative file systems (tmpfs and ext4) over the /proc/[pid] paths of malicious processes. This allowed them to hide the associated metadata from forensic tools.
According to the researchers, the attackers' ultimate goal was to deploy the Caketap rootkit, but this plan was thwarted as the attack was detected.
According to the researchers, who discovered the compromise while investigating suspicious activity on the bank's network, the goal of this attack was to spoof ATM authorization and perform cash withdrawal operations.
Although the LightBasin attack failed, the researchers note that the incident is a rare example of an advanced hybrid attack (combining physical and remote access), which also used several anti-forensics methods at once.
The LightBasin group, active since 2016, is not the first to attack banking systems. For example, back in 2022, experts at Mandiant reported on a then-new Unix rootkit called Caketap, designed to run on Oracle Solaris systems used in the financial sector.
At the time, researchers concluded that Caketap’s ultimate goal was to intercept bank card and PIN verification data from hacked ATM servers and then use this information for unauthorized transactions.
The messages intercepted by Caketap were destined for the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to create, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips.
In the attack discovered by Group-IB, LightBasin participants gained physical access to an unnamed bank branch either on their own or by bribing an employee, who helped the hackers place a Raspberry Pi with a 4G modem on the same network switch as the ATM. This allowed the attackers to maintain constant remote access to the bank's internal network, bypassing firewalls.
The TinyShell backdoor was installed on the Raspberry Pi, which the attacker used to create a communication channel with the control server via a mobile network.
In subsequent stages of the attack, the attackers moved to the Network Monitoring Server, which had ample opportunities to connect to the bank's data center.
From there, the attackers moved to the mail server, which had direct access to the Internet, and maintained a presence on the organization's network even after the Raspberry Pi was discovered and removed.
The backdoors that the attackers used for lateral movement were called lightdm to mimic the legitimate LightDM manager used in Linux systems. Another element that contributed to the high degree of stealth was the mounting of alternative file systems (tmpfs and ext4) over the /proc/[pid] paths of malicious processes. This allowed them to hide the associated metadata from forensic tools.
According to the researchers, the attackers' ultimate goal was to deploy the Caketap rootkit, but this plan was thwarted as the attack was detected.