Particle.news

Bank Thwarts ATM Network Breach After 4G-Connected Raspberry Pi Implant

Detection of the intrusion before CAKETAP deployment led to a new MITRE ATT&CK entry for bind-mount hiding.

Overview

  • UNC2891 physically installed a 4G-enabled Raspberry Pi on a bank’s ATM network switch to bypass perimeter firewalls and secure remote access.
  • Attackers deployed the TinyShell backdoor to establish a persistent outbound command-and-control channel via a dynamic DNS domain.
  • Forensic analysts uncovered abuse of Linux bind mounts (MITRE ATT&CK T1564.013) and process masquerading under “lightdm” to conceal malware from system tools.
  • Threat actors pivoted through the bank’s network monitoring server—which beaconed every 600 seconds to the Raspberry Pi—and maintained persistence by compromising the mail server.
  • Group-IB neutralized the operation before the CAKETAP rootkit could be installed, contributed the bind-mount hiding technique to MITRE ATT&CK, and advised banks to strengthen physical security, mount monitoring and memory forensics.
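The bind-mount hiding described above leaves a trace in the kernel's mount table: a stock system has nothing mounted at /proc/<pid>, so any mount whose mount point is a per-process /proc directory is worth alerting on. The following added check (example code, not from Group-IB or the article) parses mountinfo lines in the format documented in proc(5) and flags such over-mounts; the sample mountinfo text is constructed, and the PID 1337 in it is a placeholder.

```python
"""Flag bind mounts layered over /proc/<pid> directories (MITRE ATT&CK T1564.013)."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Per-process /proc directories such as /proc/1337 or /proc/1337/fd.
PROC_PID_RE = re.compile(r"^/proc/\d+(/|$)")


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str          # path inside the source filesystem ("/" unless bind-mounted)
    mount_point: str
    fstype: str
    source: str


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse /proc/<pid>/mountinfo; ' - ' separates the fixed fields from fstype/source."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.partition(" - ")
        h, t = head.split(), tail.split()
        mounts.append(Mount(int(h[0]), int(h[1]), h[3], h[4], t[0], t[1]))
    return mounts


def find_proc_overmounts(mounts: List[Mount]) -> List[Mount]:
    """Return mounts sitting on a per-process /proc directory (none exist on a clean host)."""
    return [m for m in mounts if PROC_PID_RE.match(m.mount_point)]


# Constructed sample: a normal /proc, a legitimate binfmt_misc autofs mount,
# and one bind mount that covers /proc/1337 with the contents of /proc/1.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
37 22 0:36 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs systemd-1 rw
58 22 0:21 /1 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""


def scan(text: Optional[str] = None) -> List[str]:
    """Scan the given mountinfo text, or the live /proc/self/mountinfo when None."""
    if text is None:
        text = Path("/proc/self/mountinfo").read_text()
    return [f"{m.mount_point} <- {m.source}:{m.root} ({m.fstype})"
            for m in find_proc_overmounts(parse_mountinfo(text))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_MOUNTINFO):
        print("suspicious over-mount:", finding)
```

Run it without arguments (`scan()`) on a live host from a separate mount namespace view if needed, since the implant's own namespace may differ from the one you inspect.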