In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

Cybersecurity researchers have uncovered a sophisticated operation in which criminals infiltrated a bank's network using a Raspberry Pi equipped with a 4G modem. The method, described as unprecedented, let the attackers circumvent traditional perimeter defenses completely. The security firm Group-IB reported on Wednesday that the hackers combined the physical intrusion with advanced remote access malware that used a technique known as a Linux bind mount. This IT administration method had never before been observed in the arsenal of threat actors. It allowed the malware to operate stealthily, much like a rootkit, evading detection by the operating system it ran on.

The Raspberry Pi was connected to the same network switch as the bank's ATM system, effectively placing it inside the bank's internal network. The hackers aimed to compromise the ATM switching server and gain control over the bank's hardware security module, a tamper-resistant device essential for safeguarding sensitive information such as credentials and encryption keys.

Known in the cybersecurity community as UNC2891, this financially motivated group has been active since at least 2017 and specifically targets banking infrastructure. It has earned notoriety for its expertise in deploying custom malware across various systems, including Linux, Unix, and Oracle Solaris. In 2022, Google's Mandiant division identified that UNC2891 had been lurking undetected within a targeted network for years. Mandiant discovered CakeTap, a custom rootkit designed for Solaris systems, which manipulated communications in the ATM switching network to facilitate unauthorized cash withdrawals using counterfeit bank cards. Mandiant also documented additional malware variants named SlapStick and TinyShell.

The latest report from Group-IB confirms that UNC2891 remains active and continues to evolve its strategies for infiltrating bank networks without being detected.

Source: Ars Technica

Published on: Jul 30, 2025, 22:25
