A sophisticated cyberattack has been uncovered involving the use of a Raspberry Pi to infiltrate a bank’s ATM infrastructure, highlighting the evolving nature of financial cyber threats.
Physical Intrusion Enabled Network Access
Cybersecurity researchers have identified a threat actor known as UNC2891, who physically accessed an ATM network and discreetly connected a Raspberry Pi to a network switch shared with an ATM machine. This compact device, equipped with a 4G modem, granted the attackers remote access to the bank’s internal systems by bypassing perimeter firewalls and using mobile data.
Once inside the network, the attackers deployed a lightweight custom backdoor malware known as TINYSHELL, which maintained persistent communication with external command-and-control (C2) servers using dynamic DNS domains.
Malware Disguised as Legitimate System Processes
Further investigation revealed that the malware was cleverly disguised as a legitimate Linux process. Two suspicious instances of the “lightdm” process were discovered running from unusual directories like /tmp/lightdm and /var/snap/.snapd/lightdm. These processes secretly established connections with both the Raspberry Pi device and the bank’s internal mail server.
The attackers used a stealth technique aligned with MITRE ATT&CK’s T1564.013 by leveraging Linux bind mounts to hide the malicious processes from standard forensic tools and system listings.
Objective: ATM Switching Server and HSM Spoofing
UNC2891’s main goal was to compromise the ATM switching server and deploy a rootkit called CAKETAP. This tool was engineered to manipulate hardware security modules (HSMs) and spoof transaction approvals, enabling unauthorized cash withdrawals.
Although the attack was thwarted before full deployment, forensic analysis showed the attackers had established resilient access through both the Raspberry Pi and the mail server, using dynamic DNS to evade detection during infrastructure changes. A compromised network monitoring server was also used for lateral movement within the bank’s data center.
Recommendations for Detection and Prevention
Cybersecurity experts at Group-IB issued the following recommendations for defending against similar attacks:
- Monitor mount/unmount syscalls using tools like auditd or eBPF
- Generate alerts for /proc/[pid] mounted to tmpfs or unknown filesystems
- Block or alert on binaries executing from /tmp or .snapd directories
- Secure physical switch ports connected to critical systems like ATMs
- Perform memory captures in addition to disk images during incident response
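As an added example (not code from the Group-IB report or from the article), the following Python checker applies the /proc/[pid] recommendation above: it parses mountinfo(5) records and flags any mount layered over a /proc/<pid> directory, which is the trace the bind-mount process-hiding technique (T1564.013) leaves on the host. The mountinfo sample is constructed for the demonstration; on a live system the same function is run over /proc/self/mountinfo.

```python
import os
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo (not taken from the incident). The last two
# records model the hiding technique: a tmpfs and a bind mount of an empty directory placed
# over /proc/<pid>, so that tools walking /proc read a substituted directory for that PID.
SAMPLE_MOUNTINFO = """\
21 26 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
26 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
38 26 0:33 / /tmp rw,nosuid,nodev shared:9 - tmpfs tmpfs rw
71 21 0:45 / /proc/4242 rw,relatime - tmpfs tmpfs rw
72 21 8:1 /var/empty /proc/4310 rw,relatime - ext4 /dev/sda1 rw
"""

# A mount point that is exactly /proc/<pid> or anything beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo(5) records: fixed fields, optional fields, then ' - ' and fstype/source."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed record
        entries.append({
            "mount_id": pre_fields[0],
            "root": pre_fields[3],         # path inside the source fs that is mounted
            "mount_point": pre_fields[4],
            "fstype": post_fields[0],
            "source": post_fields[1],
        })
    return entries


def find_hidden_pids(text: str) -> List[Dict[str, str]]:
    """Return every mount sitting on top of a /proc/<pid> directory; a clean host has none."""
    findings = []
    for e in parse_mountinfo(text):
        m = PROC_PID_RE.match(e["mount_point"])
        if m:
            findings.append({"pid": m.group(1), "fstype": e["fstype"],
                             "source": e["source"], "root": e["root"]})
    return findings


if __name__ == "__main__":
    path = "/proc/self/mountinfo"
    data = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for f in find_hidden_pids(data):
        print(f"ALERT: /proc/{f['pid']} overlaid by {f['fstype']} ({f['source']}, root={f['root']})")
```

A hit should be correlated with the auditd or eBPF mount-syscall record that created it, since the mount itself is the event worth capturing before the process exits.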
This incident serves as a reminder of how physical access, when combined with low-level Linux manipulation and memory-resident malware, can circumvent even mature security infrastructures. Organizations handling financial transactions or managing critical infrastructure should revisit their endpoint security, physical access policies, and incident response protocols in light of this evolving threat landscape.
Source: https://www.infosecurity-magazine.com/news/backdoor-atm-network-raspberry-pi