Overview
- UNC2891 operatives physically connected a 4G-enabled Raspberry Pi to the ATM network switch to bypass perimeter firewalls and gain covert access
- Forensic analysts detected outbound beacons repeating every 600 seconds; following that lead to memory analysis exposed the TINYSHELL backdoor, which had been concealed under unusual file paths using Linux bind mounts (MITRE ATT&CK T1564.013)
- Attackers moved laterally through the bank’s network monitoring server and a compromised mail server to maintain persistence after the device was discovered
- The operation aimed to install the CAKETAP rootkit on the ATM switching server to spoof HSM authorization responses and enable fraudulent cash withdrawals
- Incident response teams removed the malicious device, disrupted command-and-control infrastructure and are enforcing network and physical-port hardening measures
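The bind-mount concealment in the third bullet can be hunted for directly in /proc/self/mountinfo: the proc filesystem is mounted at /proc itself, so any mount whose mount point sits on an individual /proc/<pid> directory is an overlay hiding that process. The script below is an added illustration of that check, not code from the incident report; the mountinfo sample is constructed, and the PID and paths in it are invented.

```python
import re

# Constructed sample of /proc/self/mountinfo output (not from the incident).
# The fourth line models an empty directory bind-mounted over /proc/4242,
# which replaces that process's status, cmdline and maps with empty contents.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
40 23 0:36 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
57 23 8:1 /var/lib/empty /proc/4242 rw,relatime - ext4 /dev/sda1 rw
58 22 8:1 /home/app/data /srv/app rw,relatime - ext4 /dev/sda1 rw
"""

# A mount point that is exactly /proc/<pid> or anything beneath it.
PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts; field layout follows proc(5)."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields precede the " - " separator; fs type, source and
        # super options follow it. "\040" encodes a space inside a path.
        pre, _, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        mounts.append({
            "root": pre_f[3].replace("\\040", " "),
            "mount_point": pre_f[4].replace("\\040", " "),
            "fstype": post_f[0],
            "source": post_f[1],
        })
    return mounts


def find_pid_overlays(text):
    """Return every mount sitting on a /proc/<pid> path, with what covers it."""
    findings = []
    for m in parse_mountinfo(text):
        match = PID_DIR.match(m["mount_point"])
        if match:
            findings.append({
                "pid": int(match.group(1)),
                "mount_point": m["mount_point"],
                "covered_by": f'{m["source"]}:{m["root"]}',
                "fstype": m["fstype"],
            })
    return findings


if __name__ == "__main__":
    # On a live Linux host read open("/proc/self/mountinfo").read() instead.
    for hit in find_pid_overlays(SAMPLE_MOUNTINFO):
        print(f'PID {hit["pid"]} hidden behind {hit["covered_by"]} ({hit["fstype"]})')
```

Legitimate mounts under /proc (such as binfmt_misc) and ordinary bind mounts elsewhere do not trigger the check, so a hit warrants pulling the process from memory rather than trusting /proc for its details.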