The UNC2891 hacking group, also known as LightBasin, used a 4G-equipped Raspberry Pi hidden in a bank's network to bypass security defenses in a newly discovered attack.
The single-board computer was physically connected to the ATM network switch, creating an invisible channel into the bank's internal network, allowing the attackers to move laterally and deploy backdoors.
According to Group-IB, which discovered the intrusion while investigating suspicious activity on the network, the goal of the attack was to spoof ATM authorization and perform fraudulent withdrawals of cash.
While LightBasin failed at that, the incident is a rare example of an advanced hybrid (physical plus remote access) attack that employed several anti-forensics techniques to remain stealthy.
The particular group is notorious for attacking banking systems, as Mandiant highlighted in a 2022 report presenting the then-new Unix kernel rootkit "Caketap," created for running on Oracle Solaris systems used in the financial sector.
Caketap manipulates Payment Hardware Security Module (HSM) responses, specifically the card verification messages, to authorize fraudulent transactions that the bank's systems would otherwise block.
Active since 2016, LightBasin has also successfully attacked telecommunication systems for years, using the TinyShell open-source backdoor to move traffic between networks and route it through specific mobile stations.
Raspberry Pi
In the latest case, LightBasin gained physical access to a bank branch, either on their own or by bribing a rogue employee who helped them install a Raspberry Pi with a 4G modem on the same network switch as the ATM.
The device's outbound internet connectivity capabilities enabled the attackers to maintain persistent remote access to the bank's internal network while bypassing perimeter firewalls.
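Because the Raspberry Pi's traffic left over its own 4G modem, the bank's perimeter firewalls and egress monitoring never saw it; the detectable trace is the rogue device itself, learned by the switch as an extra MAC address on the ATM segment. The following Python script is an added example (not from the article, Group-IB, or any vendor) of a defender-side inventory check: it parses a constructed switch MAC address table, compares each address on the ATM VLAN against a registered allowlist, flags Raspberry Pi manufacturer OUIs, and flags ATM ports that suddenly carry more than one MAC. The table format, the `KNOWN_ATM_MACS` allowlist, VLAN 10 and all MAC addresses are constructed assumptions.

```python
"""Added example: audit a switch MAC address table for rogue devices on the
ATM segment. Not the article's or any vendor's code; all sample data is
constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed allowlist: the MACs of the ATMs registered on this switch.
KNOWN_ATM_MACS = {
    "00:11:22:aa:bb:01": "ATM-BRANCH-01",
    "00:11:22:aa:bb:02": "ATM-BRANCH-02",
}

# Raspberry Pi OUIs (first three bytes) from the IEEE registry; partial list,
# refresh from the registry before relying on it.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed sample table, one learned address per line. Real switches print
# this in vendor-specific layouts; adapt parse_mac_table() accordingly.
SAMPLE_MAC_TABLE = """\
vlan port  mac
10   port3 00:11:22:aa:bb:01
10   port4 00:11:22:aa:bb:02
10   port4 dc:a6:32:12:34:56
"""


@dataclass(frozen=True)
class Finding:
    port: str
    mac: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Canonicalise 'DC-A6-32-..', 'dca6.3212.3456' or 'dca632123456' to
    lowercase colon-separated form so allowlist lookups are exact."""
    digits = mac.lower().replace("-", ":").replace(".", "")
    if ":" not in digits:
        digits = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def parse_mac_table(text: str) -> list[tuple[str, str, str]]:
    """Return (vlan, port, mac) tuples, skipping the header row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "vlan":
            continue
        rows.append((parts[0], parts[1], normalize_mac(parts[2])))
    return rows


def audit_mac_table(text: str, known_macs: dict[str, str],
                    atm_vlan: str = "10") -> list[Finding]:
    """Flag unregistered devices, Raspberry Pi OUIs, and ATM ports that carry
    more than one MAC (an inline tap or hub spliced into an ATM's cable)."""
    findings: list[Finding] = []
    macs_per_port: dict[str, set[str]] = {}
    for vlan, port, mac in parse_mac_table(text):
        if vlan != atm_vlan:
            continue
        macs_per_port.setdefault(port, set()).add(mac)
        if mac not in known_macs:
            findings.append(Finding(port, mac, "unregistered device on ATM VLAN"))
        if mac[:8] in RASPBERRY_PI_OUIS:
            findings.append(Finding(port, mac, "Raspberry Pi OUI"))
    for port, macs in macs_per_port.items():
        if len(macs) > 1:
            findings.append(Finding(port, ",".join(sorted(macs)),
                                    "multiple MACs on one ATM port"))
    return findings


if __name__ == "__main__":
    for f in audit_mac_table(SAMPLE_MAC_TABLE, KNOWN_ATM_MACS):
        print(f"{f.port}: {f.mac} -> {f.reason}")
```

Run periodically against a fresh dump of the ATM switch's MAC table and alert on any finding; the allowlist check is the one that matters, since an attacker can choose a non-Pi board or spoof the OUI. Switch-side controls such as 802.1X or port security, which refuse to learn unregistered addresses on ATM ports, stop the device before this audit would see it.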