Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
CONSPRCY | How big is your tinfoil hat? | 2,445 messages
Message 1,598 of 2,445
Mike Powell to All
Talk about an unexpected
09 Aug 25 09:30:54
TZUTC: -0500
MSGID: 1332.consprcy@1:2320/105 2cfc96d2
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Talk about an unexpected charge - criminals deploy Raspberry Pi with 4G modem
in an attempt to hack ATMs

Date:
Sat, 09 Aug 2025 11:28:00 +0000

Description:
Hackers exploited physical access to install a 4G Raspberry Pi, masking
malware and targeting ATM systems.

FULL STORY

A criminal group recently attempted an unusual and sophisticated intrusion
into a bank's ATM infrastructure by deploying a 4G-enabled Raspberry Pi.

A report from Group-IB revealed the device was covertly installed on a
network switch used by the ATM system, placing it inside the internal banking
environment.

The group behind the operation, UNC2891, exploited this physical access point
to circumvent digital perimeter defenses entirely, illustrating how physical
compromise can still outpace software-based protection.

Exploiting physical access to bypass digital defenses

The Raspberry Pi served as a covert entry point with remote connectivity
capabilities via its 4G modem, which allowed persistent command-and-control
access from outside the institution's network, without triggering typical
firewall or endpoint protection alerts.

"One of the most unusual elements of this case was the attackers' use of
physical access to install a Raspberry Pi device," Group-IB Senior Digital
Forensics and Incident Response Specialist Nam Le Phuong wrote.

"This device was connected directly to the same network switch as the ATM,
effectively placing it inside the bank's internal network."

Using mobile data, the attackers maintained a low-profile presence while
deploying custom malware and initiating lateral movements within the bank's
infrastructure.

A particular tool, known as TinyShell, was used to control network
communications, enabling data to pass invisibly across multiple internal
systems.

Forensics later revealed UNC2891 used a layered approach to obfuscation.

The malware processes were named lightdm, imitating legitimate Linux system
processes.

These backdoors ran from atypical directories such as /tmp, making them blend
in with benign system functions.

Also, the group used a technique known as Linux bind mounts to hide process
metadata from forensic tools, a method not typically seen in active attacks
until now.

This technique has since been cataloged in the MITRE ATT&CK framework due to
its potential to elude conventional detection.

The investigators discovered that the bank's monitoring server was silently
communicating with the Raspberry Pi every 600 seconds, network behavior which
was subtle and thus didn't immediately stand out as malicious.

However, deeper memory analysis revealed the deceptive nature of the
processes and that these communications extended to an internal mail server
with persistent internet access.

Even after the physical implant was removed, the attackers had maintained
access via this secondary vector, showing a calculated strategy to ensure
continuity.

Ultimately, the aim was to compromise the ATM switching server and deploy the
custom rootkit CAKETAP, which can manipulate hardware security modules to
authorize illegitimate transactions.

Such a tactic would allow fraudulent cash withdrawals while appearing
legitimate to the bank's systems.

Fortunately, the intrusion was halted before this phase could be executed.

This incident shows the risks associated with the growing convergence of
physical access tactics and advanced anti-forensic techniques.

It also reveals that beyond remote hacking, insider threats or physical
tampering can facilitate identity theft and financial fraud.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/talk-about-an-unexpected-charge-criminals-deploy-raspberry-pi-with-4g-modem-in-an-attempt-to-hack-atms

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
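An added detection example, written for this archive page and not part of the message above or of the Group-IB report it quotes: it checks the two host-side artifacts the story names, a directory bind-mounted over a /proc/<pid> entry to hide process metadata, and a process called lightdm executing from /tmp. The mountinfo lines, pids and paths are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed /proc/self/mountinfo sample (fields: id parent maj:min root mountpoint
# opts [optional] - fstype source superopts). The last line is the trick the story
# describes: a plain directory bind-mounted over /proc/<pid>, so tools reading that
# process's metadata see the decoy instead. Every value here is invented.
SAMPLE_MOUNTINFO = """\
22 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
29 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
47 22 0:36 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
51 22 8:1 /tmp/.x11/decoy /proc/4321 rw,relatime - ext4 /dev/sda1 rw
"""

# Constructed process inventory: pid, comm, and the resolved /proc/<pid>/exe target.
SAMPLE_PROCS = [
    {"pid": 812, "comm": "lightdm", "exe": "/usr/sbin/lightdm"},
    {"pid": 4321, "comm": "lightdm", "exe": "/tmp/.x11/lightdm"},
    {"pid": 4402, "comm": "sshd", "exe": "/usr/sbin/sshd"},
]

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")

def find_proc_overmounts(mountinfo: str) -> List[Dict[str, str]]:
    """Mounts whose mount point covers a /proc/<pid> directory. Nothing is normally
    mounted there, so any hit deserves a look; 'root' reveals the directory shown."""
    hits = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue  # malformed or truncated line
        match = PROC_PID_MOUNT.match(fields[4])
        if match:
            fstype = fields[fields.index("-") + 1]
            hits.append({"pid": match.group(1), "mount_point": fields[4],
                         "source_root": fields[3], "fstype": fstype})
    return hits

def find_masqueraders(procs, names=("lightdm",),
                      bad_dirs=("/tmp/", "/var/tmp/", "/dev/shm/")) -> List[int]:
    """Pids carrying a system-service name but executing from a scratch directory."""
    return [p["pid"] for p in procs if p["comm"] in names and p["exe"].startswith(bad_dirs)]

def suspicious_pids(mountinfo: str = SAMPLE_MOUNTINFO, procs=SAMPLE_PROCS) -> List[int]:
    """Correlate the two signals: pids both hidden by an overmount and masquerading."""
    hidden = {int(h["pid"]) for h in find_proc_overmounts(mountinfo)}
    return sorted(hidden & set(find_masqueraders(procs)))
```

On a live host the same functions can be fed the contents of /proc/self/mountinfo and a walk of /proc/<pid>/comm and /proc/<pid>/exe; the overmount check should run from the mount table rather than from /proc/<pid> itself, since that is exactly the view the bind mount falsifies.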
(c) 1994, bbs@darkrealms.ca