A sophisticated and stealthy operation by the financially motivated threat group UNC2891 has exposed a critical vulnerability in ATM security, leveraging a physical Raspberry Pi device to breach a bank’s internal network. This highly unconventional cyber-physical attack allowed the group to bypass traditional perimeter defenses, aiming to manipulate Hardware Security Modules (HSMs) and facilitate fraudulent cash withdrawals.
According to reports from cybersecurity firm Group-IB, the attack involved UNC2891 gaining physical access to an ATM and discreetly connecting a 4G-equipped Raspberry Pi to the same network switch used by the machine. This gave the attackers remote access to the bank’s internal network over mobile data, effectively circumventing firewalls.
Once inside, the threat actors deployed a custom backdoor named TINYSHELL, establishing a persistent command-and-control (C2) channel via a dynamic DNS domain. This allowed continuous external access, even after the initial physical implant. Further investigation revealed a highly advanced anti-forensics technique: the attackers masked a stealthy malware component as a legitimate system process, “lightdm,” running from unusual locations. This was achieved by abusing Linux bind mounts, a technique so novel that it has now been added to the MITRE ATT&CK framework (T1564.013). This method effectively hid the backdoor from most standard forensic tools.
UNC2891’s ultimate objective was to compromise the ATM switching server to deploy a rootkit known as CAKETAP. This specialized rootkit is designed to spoof authorization responses from HSMs, the devices responsible for cryptographic operations in ATM transactions, thereby enabling fraudulent withdrawals.
While the attack was disrupted before UNC2891 could fully execute their jackpotting scheme, the incident underscores the evolving tactics of cybercriminals. The group maintained a secondary foothold through a backdoor on the bank’s mail server, demonstrating their determination to retain access.
Security experts are urging financial institutions to enhance physical security measures around ATMs and network infrastructure. The incident highlights the critical need for advanced forensic techniques, including memory imaging and complete network monitoring for unusual beaconing and connection attempts, to detect and mitigate such sophisticated, multi-layered threats. The breach serves as a stark reminder that even seemingly secure systems can be vulnerable when physical access is combined with obscure operating system features and advanced malware.
