Cyber Threat Group UNC2891 Exploits ATM Networks Using Raspberry Pi and Advanced Techniques


By Tina Reynolds


A recent joint investigation revealed that the cyber threat group UNC2891 has compromised ATM networks. The attackers planted a 4G-equipped Raspberry Pi device and employed elaborate countermeasures to prevent detection, allowing illegal out-of-band withdrawals to go unnoticed. Mandiant first publicly documented UNC2891 in March 2022. This threat actor shows strong tactical similarity to another group identified as UNC1945, or LightBasin, and that connection is equally worrisome: UNC1945 has a track record of going after managed service providers, in addition to sectors including finance and professional and business consulting.

The second stage of the breach included the installation of backdoors, including one called “lightdm”, on the victim’s internal network monitoring server. Group-IB’s analysis indicates that these backdoors were strategically designed to establish active connections with the Raspberry Pi and the internal mail server, allowing for ongoing access and control.

Technical Maneuvers and Evasion Tactics

UNC2891 showed a high level of experience in manipulating Linux/Unix-based systems to conceal its activity. The group used bind mounts to hide its backdoor process from process listings, so tooling that relies on those listings to identify running programs could not see the implant. This made it very difficult for conventional security practices to identify the intrusion.
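Hiding a process this way works because tools such as ps and top enumerate /proc, and a directory bind-mounted over /proc/<pid> makes that process entry disappear from their view. The mount itself is still recorded in the kernel's mount table, which gives defenders a direct check. The following Python script is an added illustration written for this article, not code from Group-IB, Mandiant or the threat group; it parses /proc/self/mountinfo and flags any mount whose mount point is a numeric PID directory under /proc. The sample mountinfo lines and the hidden PID 4242 are constructed for the example.

```python
"""Detect bind mounts layered over /proc/<pid> directories (added example).

A bind mount of an arbitrary directory onto /proc/<pid> hides that process
from tools that walk /proc (ps, top, pgrep). The mount is still listed in
/proc/self/mountinfo, so any mount point that looks like /proc/<digits>
is a strong indicator of a deliberately hidden process.
"""
import re
from pathlib import Path

# mountinfo line layout (see proc(5)):
# ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [optional...] - FSTYPE SOURCE SUPEROPTS
_PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text):
    """Return a list of (mount_point, fstype, source) tuples from mountinfo text."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The " - " separator splits the fixed fields from fstype/source.
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue
        fields = pre.split()
        if len(fields) < 5:
            continue
        # Field 5 (index 4) is the mount point; spaces are escaped as \040.
        mount_point = fields[4].replace("\\040", " ")
        post_fields = post.split()
        fstype = post_fields[0] if post_fields else ""
        source = post_fields[1] if len(post_fields) > 1 else ""
        entries.append((mount_point, fstype, source))
    return entries


def find_proc_overmounts(entries):
    """Return (pid, fstype, source) for every mount placed over /proc/<pid>.

    Legitimate mounts under /proc (for example /proc/sys/fs/binfmt_misc)
    never use a purely numeric path component, so they are not reported.
    """
    hidden = []
    for mount_point, fstype, source in entries:
        m = _PID_DIR.match(mount_point)
        if m:
            hidden.append((int(m.group(1)), fstype, source))
    return hidden


def scan_live_system(path="/proc/self/mountinfo"):
    """Run the check against the real mount table of the current host."""
    return find_proc_overmounts(parse_mountinfo(Path(path).read_text()))


# Constructed sample: a normal mount table plus one bind mount of a
# directory from the root filesystem onto /proc/4242 (the hidden process).
SAMPLE_MOUNTINFO = """\
21 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 21 0:30 / /proc/sys/fs/binfmt_misc rw,relatime shared:15 - binfmt_misc binfmt_misc rw
31 21 8:1 /tmp/.cache/.x /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for pid, fstype, source in find_proc_overmounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"/proc/{pid} is over-mounted ({fstype} from {source}): process likely hidden")
```

On a live host, scan_live_system() reads the real mount table; a hit is worth correlating with the PID's absence from ps output and with the mount's source path, since the attacker must keep that directory somewhere on disk. Running the check from a separate mount namespace (for example via a container or nsenter) is not required, because mountinfo reports the mount regardless of whether /proc/<pid> itself is readable.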

UNC2891 also established an outbound command-and-control (C2) channel through the TINYSHELL backdoor, using a Dynamic DNS domain as the rendezvous point. Because the connection was initiated from inside, it gave the attackers continuous external access to the ATM network while circumventing perimeter firewalls and traditional network security measures.

“Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.” – [Unnamed Researcher]

The Raspberry Pi, equipped with a 4G modem, allowed the attackers to maintain remote access over mobile data, further complicating detection efforts.

Persistence Despite Detection

The Raspberry Pi was eventually found and removed from the victim's network. Even so, UNC2891 retained access by leveraging the backdoor on the mail server. This persistence shows the group's resilience and its ability to keep operating after part of its infrastructure has been taken away.

“Even after the Raspberry Pi was discovered and removed, the attacker maintained internal access through a backdoor on the mail server.” – Group-IB

An intruder's ability to retain internal access after one foothold has been detected and removed creates a high level of risk for organizations, underscoring the value of defenses that look for secondary persistence rather than stopping at the first device found.

Implications for Financial Institutions

The impact of this breach cannot be overstated, and the implications for financial institutions are serious. UNC2891 has previously been attributed to attacks against ATM switching networks. Compromising that layer lets the attackers make unauthorized cash withdrawals from multiple banks using counterfeit cards. Luckily, security operations thwarted this campaign before it could do serious harm.

As the complexity of cyber threats continues to increase, organizations need to be on constant alert and proactive about strengthening their defenses against extremely advanced threats.