Targeting ATMs: The UNC2891 Threat and Its Tactics
A New Kind of ATM Attack
UNC2891 has emerged as a serious, financially motivated threat to ATM infrastructure. In an intrusion analysed by Group-IB, the group planted a 4G-equipped Raspberry Pi inside a bank's network and operated it covertly, an operation that shows how exposed banking systems remain to attackers who combine physical access with remote tooling.
Physical Access and Initial Setup
A key element of the attack was physical: the Raspberry Pi was plugged into the same network switch as the ATM. That placed the malicious device directly on the ATM's network segment, inside the bank's network rather than behind any perimeter control. How the attackers obtained physical access to that switch remains unclear, but the implication is serious: once a device is on the switch, the network perimeter no longer stands between it and the ATM.
Remote Command and Control
Security analyst Nam Le Phuong detailed that the Raspberry Pi was fitted with a 4G modem, so the attackers reached it over mobile data rather than through the bank's own internet connection. On the device they ran the TINYSHELL backdoor, which opened an outbound command-and-control (C2) channel to a Dynamic DNS domain. Because that channel left over the cellular link, it bypassed the perimeter firewalls and the monitoring behind them, and the Dynamic DNS name let the operators change their C2 endpoint without touching the implant.
Background on UNC2891
Mandiant first documented UNC2891 in March 2022 in connection with a series of intrusions into ATM switching networks that enabled unauthorized cash withdrawals with forged cards. The core of the group's tooling is the CAKETAP rootkit, a malicious kernel module that hides network connections, processes and files, and that can intercept card and PIN verification messages. Tampering with those verification messages is what lets the forged cards be accepted and the fraudulent withdrawals go through.
Tactical Links to Other Threat Actors
UNC2891 shares tactics with another group, UNC1945, also known as LightBasin, which has targeted managed service providers and has a history of intrusions in the financial and professional consulting sectors. In this case, Group-IB's analysis found a backdoor named lightdm, a name chosen to blend in with the legitimate LightDM display manager, installed on the victim's network monitoring server; it maintained active connections to both the Raspberry Pi and the internal mail server.
Evasion Techniques and Red Flags
The attack also shows a Linux evasion technique worth understanding: the backdoor process was hidden with bind mounts. Mounting another directory over the process's /proc/<pid> entry means that tools such as ps, which build their process list by walking /proc, no longer see the backdoor, while the process itself keeps running. This kind of hiding is difficult to detect with standard process-listing checks. The goal of the intrusion was the same as in earlier UNC2891 cases: deploy the CAKETAP rootkit on the ATM switching servers and use it to authorise fraudulent cash withdrawals.
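The bind-mount hiding described above leaves a trace that a defender can look for: the kernel still lists every mount in /proc/self/mountinfo, so a mount whose mount point is /proc/<number> is a strong indicator that something has been overmounted on a process entry. The following is an added example written for this page, not code from Group-IB's report or from the attackers' toolkit; it parses mountinfo-format lines (the constructed sample lines below imitate a bind mount of /proc/1 over two PIDs and a tmpfs overmount, which the same check also catches) and adds a second, independent check, comparing the PID in a directory name with the Pid: field of its status file, which disagree when another process's entry has been mounted over it. Function and class names are the example's own.

```python
"""Detect processes hidden by mounting over their /proc/<pid> entry.

Added example for this article (not Group-IB's tooling). It works on the
standard Linux /proc/self/mountinfo format:
  <id> <parent> <maj:min> <root> <mount point> <opts> [optional...] - <fstype> <source> <super opts>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A mount point that is exactly /proc/<pid> or sits underneath it.
PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed sample lines (not captured from a real incident). Lines 2 and 3
# bind-mount /proc/1 over /proc/4242 and /proc/1337; line 4 hides /proc/2020
# under an empty tmpfs; the remaining lines are ordinary mounts.
SAMPLE_MOUNTINFO = [
    "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw",
    "101 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw",
    "102 22 0:21 /1 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw",
    "103 22 0:55 / /proc/2020 rw,relatime - tmpfs tmpfs rw",
    "40 22 0:36 / /proc/sys/fs/binfmt_misc rw,relatime shared:21 - autofs systemd-1 rw",
    "28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw",
]


@dataclass
class SuspiciousMount:
    pid: int          # PID whose /proc entry has been covered
    mount_point: str  # full mount point, e.g. /proc/4242
    fstype: str       # proc for a bind of another PID dir, tmpfs for an empty cover
    source: str       # device/source field from mountinfo
    root: str         # root of the mount inside its filesystem, e.g. /1 for /proc/1


def parse_mountinfo_line(line: str) -> Optional[dict]:
    """Split one mountinfo line; returns None for malformed lines."""
    parts = line.split()
    try:
        sep = parts.index("-")          # separator between optional fields and fstype
    except ValueError:
        return None
    if sep < 6 or len(parts) < sep + 3:
        return None
    return {"root": parts[3], "mount_point": parts[4],
            "fstype": parts[sep + 1], "source": parts[sep + 2]}


def find_proc_pid_mounts(lines: Iterable[str]) -> List[SuspiciousMount]:
    """Return every mount that sits on top of a /proc/<pid> directory."""
    hits = []
    for raw in lines:
        rec = parse_mountinfo_line(raw.strip())
        if rec is None:
            continue
        m = PID_MOUNT.match(rec["mount_point"])
        if m is None:
            continue
        hits.append(SuspiciousMount(pid=int(m.group(1)), mount_point=rec["mount_point"],
                                    fstype=rec["fstype"], source=rec["source"],
                                    root=rec["root"]))
    return hits


def status_pid_mismatch(dir_pid: int, status_text: str) -> Optional[int]:
    """Second check: /proc/<dir_pid>/status must report Pid: <dir_pid>.

    If /proc/1 has been bind-mounted over /proc/4242, reading /proc/4242/status
    yields Pid: 1. Returns the reported PID when it disagrees, else None.
    """
    for line in status_text.splitlines():
        if line.startswith("Pid:"):
            reported = int(line.split(":", 1)[1].strip())
            return reported if reported != dir_pid else None
    return None


if __name__ == "__main__":
    # On a live Linux host (run as root, in the root mount namespace) read the
    # real table; elsewhere fall back to the constructed sample only.
    try:
        with open("/proc/self/mountinfo") as fh:
            live = find_proc_pid_mounts(fh)
    except OSError:
        live = []
    for h in find_proc_pid_mounts(SAMPLE_MOUNTINFO) + live:
        print(f"mount over /proc/{h.pid}: {h.fstype} {h.source} (root {h.root}) at {h.mount_point}")
```

Run it as root from the host's root mount namespace, since mounts made in another namespace are not visible from yours. The check catches user-space overmounting of the kind this case relied on; a kernel-level rootkit such as CAKETAP can hide the mount table entries themselves, so a clean result from this script is not proof that no process is hidden.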
Disruption of Attack Campaign
The campaign was disrupted before the attackers reached that goal. Group-IB reports, however, that even after the Raspberry Pi was discovered and removed, the attackers kept internal access through the backdoor on the mail server, still using a Dynamic DNS domain for command and control. Removing the obvious device did not end the intrusion, which is the practical lesson of this case: the implant that is found first is rarely the only one.
The Importance of Vigilance
The UNC2891 case is a reminder that physical access to a network switch can defeat perimeter defenses outright, and that out-of-band links such as a cellular modem leave no trace at the internet edge. Organizations running ATM infrastructure should treat switch ports and ATM network segments as part of their attack surface, account for unexpected devices on those segments, and, when an implant is found, look for persistence on other internal hosts before declaring the incident closed.