Carder.life

Hackers plant 4G Raspberry Pi on bank network in failed ATM heist (http://txgate.io:443/showthread.php?t=51302152)

Artifact 07-30-2025 06:19 PM

<div id="post_message_806271">

The UNC2891 hacking group, also known as LightBasin, used a 4G-equipped Raspberry Pi hidden in a bank's network to bypass security defenses in a newly discovered attack.<br/>
<br/>
The single-board computer was physically connected to the ATM network switch, creating an invisible channel into the bank's internal network, allowing the attackers to move laterally and deploy backdoors.<br/>
<br/>
According to <a href="https://www.group-ib.com/blog/unc2891-bank-heist/" target="_blank">Group-IB</a>, which discovered the intrusion while investigating suspicious activity on the network, the goal of the attack was to spoof ATM authorization and perform fraudulent withdrawals of cash.<br/>
<br/>
While LightBasin failed at that, the incident is a rare example of an advanced hybrid (physical+remote access) attack that employed several anti-forensics techniques to maintain a high degree of stealthiness.<br/>
<br/>
The particular group is notorious for attacking banking systems, as Mandiant highlighted in a 2022 report presenting the then-new <a href="https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-steal-atm-banking-data/" target="_blank">Unix kernel rootkit "Caketap,"</a> created for running on Oracle Solaris systems used in the financial sector.<br/>
<br/>
Caketap manipulates Payment Hardware Security Module (HSM) responses, specifically the card verification messages, to authorize fraudulent transactions that the bank's systems would otherwise block.<br/>
<br/>
Active since 2016, LightBasin has also successfully <a href="https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-breaches-13-global-telecoms-in-two-years/" target="_blank">attacked telecommunication systems</a> for years, using the TinyShell open-source backdoor to move traffic between networks and route it through specific mobile stations.<br/>
<br/>
<b><font size="4"><font color="White">Raspberry Pi</font></font></b><br/>
<br/>
In the latest case, LightBasin gained physical access to a bank branch either on their own or by bribing a rogue employee who helped them to install a Raspberry Pi with a 4G modem on the same network switch as the ATM.<br/>
<br/>
The device's outbound internet connectivity capabilities enabled the attackers to maintain persistent remote access to the bank's internal network while bypassing perimeter firewalls.<br/>
<br/>
The Raspberry Pi hosted the TinyShell backdoor which the attacker leveraged for establishing an outbound command-and-control (C2) channel via mobile data.<br/>
<br/>
In the subsequent phases of the attack, the threat actors moved laterally to the Network Monitoring Server, which had extensive connectivity to the bank's data center.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/July/attack(1).jpg"/><br/>
Overview of the LightBasin attack. Source: Group-IB<br/>
<br/>
From there, the attacker also pivoted to the Mail Server, which had direct internet access, and enabled persistence even when the Raspberry Pi was discovered and removed.<br/>
<br/>
The backdoors used in lateral movement were named as 'lightdm' to mimic the legitimate LightDM display manager found on Linux systems, hence appearing innocuous.<br/>
<br/>
Another element that contributed to the attack's high degree of stealth was LightBasin mounting alternative filesystems like tmpfs and ext4 over the '/proc/[pid]' paths of the malicious processes, essentially obscuring the related metadata from forensics tools.<br/>
<br/>
Based on Group-IB's investigation, the Network Monitoring Server inside the bank network was found beaconing every 600 seconds to the Raspberry Pi on port 929, indicating that the device served as a pivot host.<br/>
<br/>
The researchers say the attackers' ultimate goal was to deploy the Caketap rootkit, but that plan was foiled before it could materialize.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/hackers-plant-4g-raspberry-pi-on-bank-network-in-failed-atm-heist" target="_blank">@ BleepingComputer </a>
</div>
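Two of the behaviours in the article above lend themselves to simple host- and network-side checks: filesystems mounted over '/proc/[pid]' directories to hide process metadata, and a server beaconing at a fixed 600-second interval to a pivot device on port 929. The script below is an added example written for this thread, not code from Group-IB, BleepingComputer or the original post. Both inputs are constructed samples (a fake /proc/mounts snippet and a fake connection log in an assumed "epoch src dst port" format); on a real host you would feed it the contents of /proc/mounts and whatever flow or firewall log you actually have.

```python
"""Defender-side checks for two behaviours described in the Group-IB write-up:
(1) tmpfs/ext4 filesystems mounted over /proc/<pid> to hide a process's metadata,
(2) a host beaconing at a fixed interval (600 s) to a pivot device on port 929.
All sample data below is constructed for illustration, not taken from the incident.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed /proc/mounts sample. The two /proc/<pid> entries are the suspicious
# ones; the others are ordinary mounts found on any Linux box.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /proc/4121 tmpfs rw,relatime 0 0
/dev/loop3 /proc/4188 ext4 rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
"""

# Matches a mountpoint that is exactly /proc/<pid> or something beneath it.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(/|$)")


def find_proc_pid_overmounts(mounts_text):
    """Return [(pid, fstype, source)] for every mount whose mountpoint sits on
    a /proc/<pid> directory. Nothing legitimate mounts over a process directory,
    so each hit is worth investigating. Non-pid /proc entries such as
    /proc/sys/fs/binfmt_misc are ignored."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        source, mountpoint, fstype = fields[0], fields[1], fields[2]
        m = PROC_PID_MOUNT.match(mountpoint)
        if m:
            hits.append((int(m.group(1)), fstype, source))
    return hits


# Constructed connection log, one line per outbound connection:
# "epoch_seconds src_ip dst_ip dst_port" (an assumed format for this example).
SAMPLE_CONN_LOG = """\
1753900000 10.20.30.40 10.20.30.200 929
1753900017 10.20.30.40 10.20.30.50 443
1753900600 10.20.30.40 10.20.30.200 929
1753901200 10.20.30.40 10.20.30.200 929
1753901203 10.20.30.41 10.20.30.50 443
1753901800 10.20.30.40 10.20.30.200 929
1753902400 10.20.30.40 10.20.30.200 929
"""


def find_periodic_beacons(log_text, min_events=4, jitter=0.1):
    """Group connections by (src, dst, port) and flag groups whose inter-arrival
    gaps all fall within +/- jitter of their median gap, i.e. a regular beacon.
    Returns {(src, dst, port): median_interval_seconds}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        times[(src, dst, int(port))].append(int(ts))

    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue  # too few samples to call it periodic
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= jitter * med for g in gaps):
            beacons[key] = med
    return beacons


if __name__ == "__main__":
    for pid, fstype, source in find_proc_pid_overmounts(SAMPLE_PROC_MOUNTS):
        print(f"mount over /proc/{pid}: {fstype} from {source}")
    for (src, dst, port), interval in find_periodic_beacons(SAMPLE_CONN_LOG).items():
        print(f"{src} -> {dst}:{port} beacons every ~{interval:.0f}s")
```

The mount check is cheap enough to run on a schedule from a host agent, and a process whose /proc entry is hidden this way will also fail to show up properly in ps and similar tools, which is a second signal. The beacon check is deliberately naive (fixed jitter tolerance, no handling of missed beacons); in production you would tune min_events and jitter to the log volume and add a time-window so that stale connections do not distort the median.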

