Group-IB reported that the hacker group UNC2891 (also known as LightBasin) used a Raspberry Pi with 4G support to infiltrate a bank’s network and bypass its security systems. The single-board computer was connected to the same network switch as the ATM, creating a channel into the bank’s internal network. This allowed the attackers to perform lateral movement and install backdoors.
According to researchers who discovered the compromise while investigating suspicious activity within the bank’s network, the aim of this attack was to spoof ATM authorization and carry out cash withdrawal operations.
Although the LightBasin attack was unsuccessful, researchers note that the incident is a rare example of an advanced hybrid attack (combining physical and remote access), which also utilized multiple anti-forensic methods.
The LightBasin group, active since 2016, is not new to attacking banking systems. For instance, back in 2022, experts from Mandiant reported on a then-new Unix rootkit named Caketap, designed to operate on Oracle Solaris systems used in the financial sector.
Researchers concluded that the ultimate goal of Caketap was to intercept card verification data and PIN codes from compromised ATM servers and subsequently use this information for unauthorized transactions.
The messages intercepted by Caketap were intended for the Payment Hardware Security Module (HSM), a secure hardware device used in the banking sector for the generation, management, and validation of cryptographic keys for PIN codes, magnetic stripes, and EMV chips.
In an attack discovered by Group-IB, members of LightBasin gained physical access to a branch of an unnamed bank, either on their own or by bribing an employee, who assisted the hackers in placing a Raspberry Pi with a 4G modem on the same network switch as an ATM. This allowed the perpetrators to maintain constant remote access to the bank’s internal network, bypassing firewalls.
The Raspberry Pi had the TinyShell backdoor installed, which the attacker used to create a communication channel with the command server through the mobile network.
In the subsequent stages of the attack, the intruders moved to the Network Monitoring Server, which had extensive capabilities for connecting to the bank’s data center.
From there, the attackers moved to the mail server, which had direct access to the internet, and maintained their presence in the organization’s network even after the Raspberry Pi was discovered and removed.
The backdoors that the attackers used for lateral movement were named lightdm to mimic the legitimate LightDM manager used in Linux systems. Another element that contributed to the high level of stealth was the mounting of alternative file systems (tmpfs and ext4) over the /proc/[pid] paths of the malicious processes. This allowed them to hide associated metadata from forensic tools.
According to researchers, the attackers’ ultimate goal was to deploy the Caketap rootkit, but this plan was thwarted as the attack was detected.
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers
Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →