In a recent cybersecurity incident, attackers leveraged physical access to install a Raspberry Pi device directly into a bank’s internal network, as reported by Nam Le Phuong, a Senior Digital Forensics and Incident Response Specialist at Group-IB. This device was strategically connected to the same network switch as an ATM, facilitating almost unrestricted access to the bank’s systems. Equipped with a 4G modem, the Raspberry Pi provided remote connectivity, creating a pathway for the attackers to maneuver within the bank’s network.
To bolster their hold, the attackers, identified as UNC2891, targeted a mail server due to its continuous Internet connection. They coordinated communications between the compromised Raspberry Pi and the mail server through the bank’s monitoring server. This monitoring server was a key asset, with access to nearly every server housed within the data center, thus enabling the attackers to maintain their presence undetected.
As investigative efforts commenced, Group-IB researchers spotted irregular activities emanating from the monitoring server, including a beaconing signal every ten minutes and repeated connection attempts to an unidentified device. Analyzing the signals with forensic tools identified the endpoints as the Raspberry Pi and the mail server, yet the tools failed to reveal the specific processes responsible for the unusual beaconing activity.
In a subsequent analysis, researchers captured system memory while the beacons were being sent. This review pinpointed the responsible process as one named lightdm, the name of a standard open-source display manager. While it initially appeared legitimate, the location the binary had been installed in raised suspicion. Further scrutiny revealed that the attackers had carefully camouflaged their backdoor processes, mimicking legitimate system files to evade detection.
Phuong elaborated on these obfuscation tactics, noting that the process disguised itself as “lightdm,” mirroring a widely used display manager in Linux environments. The attackers further enhanced this deception through command-line arguments that resembled those of genuine processes. This intricate disguise aimed to mislead forensic analysts during post-compromise investigations, allowing the backdoors to maintain active connections to both the Raspberry Pi and the mail server.
Group-IB highlighted that the attackers employed Linux bind mounts to conceal their activities, a technique that has now been incorporated into the MITRE ATT&CK framework as T1564.013, a sub-technique of Hide Artifacts. Despite this sophisticated execution, the attack was detected and neutralized before UNC2891 could finalize their objective of infecting the ATM switching network with their CakeTap backdoor.
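The two hiding tricks described above, the lightdm name masquerade and the bind mounts, as an added detection example (not code from Group-IB or the incident report): it assumes the common form of T1564.013, in which another directory is bind-mounted over /proc/<pid> so that tools reading /proc are shown substituted contents, and it runs on a constructed mountinfo sample and a constructed process table.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of /proc/self/mountinfo (not from the incident). The last two
# lines overlay other directories on top of /proc/<pid>, the shape of the
# bind-mount hiding technique catalogued as T1564.013.
SAMPLE_MOUNTINFO = """\
24 21 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
25 21 0:25 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
310 24 0:22 /1234 /proc/5678 rw,nosuid,nodev,noexec,relatime - proc proc rw
311 24 8:1 /tmp/fake /proc/9012 rw,relatime - ext4 /dev/sda1 rw
"""
PROC_PID_RE = re.compile(r"^/proc/\d+(/|$)")


def proc_overlay_mounts(mountinfo: str) -> List[Tuple[str, str, str]]:
    """Return (mount_point, root, fstype) for every mount sitting under /proc/<pid>.
    A clean system mounts procfs once, at /proc; anything mounted over a PID
    directory replaces what ps, top and /proc-reading forensic tools see there."""
    hits = []
    for line in mountinfo.splitlines():
        pre, sep, post = line.partition(" - ")  # optional fields end at " - "
        fields = pre.split()
        if not sep or len(fields) < 6:
            continue
        # mountinfo escapes spaces etc. as octal (\040); decode before matching
        mount_point = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        if PROC_PID_RE.match(mount_point):
            hits.append((mount_point, fields[3], post.split()[0]))
    return hits


def masquerading_processes(procs: List[Tuple[int, str, str]],
                           expected: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Flag processes whose name (comm, from /proc/<pid>/comm) matches a known binary
    such as lightdm but whose executable (readlink of /proc/<pid>/exe) is elsewhere."""
    return [(pid, comm, exe) for pid, comm, exe in procs
            if comm in expected and exe not in expected[comm]]


if __name__ == "__main__":
    # Constructed process table; on a live host build it from /proc/<pid>/comm and exe.
    procs = [(801, "lightdm", "/usr/sbin/lightdm"), (4471, "lightdm", "/tmp/.cache/lightdm")]
    print("name/path mismatches:", masquerading_processes(procs, {"lightdm": {"/usr/sbin/lightdm"}}))
    try:  # real mount table on Linux; falls back to the constructed sample elsewhere
        with open("/proc/self/mountinfo") as f:
            mountinfo = f.read()
    except OSError:
        mountinfo = SAMPLE_MOUNTINFO
    print("overlays on /proc/<pid>:", proc_overlay_mounts(mountinfo))
```

On a real host, any hit from the first function deserves a look at the mount's source and the process behind the overlaid PID; the second check is only as good as the expected-path table you maintain for your distributions.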
This incident serves as a stark reminder of the vulnerabilities that can exist within organizational networks, especially when physical access is compromised. As businesses increasingly rely on interconnected systems, employing robust security measures, monitoring for anomalous activity, and understanding the implications of adversary tactics highlighted in the MITRE ATT&CK framework become essential components of a comprehensive cybersecurity strategy.