Hackers Embedded Raspberry Pi in Banking Network in Attempted Heist

Date: 01/08/2025

Group-IB reported that the hacker group UNC2891 (also known as LightBasin) used a Raspberry Pi with 4G support to infiltrate a bank’s network and bypass its security systems. The single-board computer was connected to the same network switch as the ATM, creating a channel into the bank’s internal network. This allowed the attackers to perform lateral movement and install backdoors.

According to researchers who discovered the compromise while investigating suspicious activity within the bank’s network, the aim of this attack was to spoof ATM authorization and carry out cash withdrawal operations.

Although the LightBasin attack was unsuccessful, researchers note that the incident is a rare example of an advanced hybrid attack (combining physical and remote access), which also utilized multiple anti-forensic methods.

The LightBasin group, active since 2016, is not new to attacking banking systems. For instance, back in 2022, experts from Mandiant reported on a then-new Unix rootkit named Caketap, designed to operate on Oracle Solaris systems used in the financial sector.

Researchers concluded that the ultimate goal of Caketap was to intercept card verification data and PIN codes from compromised ATM servers and subsequently use this information for unauthorized transactions.

The messages intercepted by Caketap were intended for the Payment Hardware Security Module (HSM), a secure hardware device used in the banking sector for the generation, management, and validation of cryptographic keys for PIN codes, magnetic stripes, and EMV chips.

In the attack discovered by Group-IB, members of LightBasin gained physical access to a branch of an unnamed bank, either directly or by bribing an employee who helped them place a Raspberry Pi with a 4G modem on the same network switch as an ATM. This gave the perpetrators persistent remote access to the bank’s internal network that bypassed the perimeter firewalls.

The Raspberry Pi had the TinyShell backdoor installed, which the attacker used to create a communication channel with the command server through the mobile network.

In the subsequent stages of the attack, the intruders moved to the Network Monitoring Server, which had extensive capabilities for connecting to the bank’s data center.

From there, the attackers moved to the mail server, which had direct access to the internet, and maintained their presence in the organization’s network even after the Raspberry Pi was discovered and removed.

The backdoors that the attackers used for lateral movement were named lightdm to mimic the legitimate LightDM display manager used on Linux systems. Another element that contributed to the high level of stealth was the mounting of alternative file systems (tmpfs and ext4) over the /proc/[pid] paths of the malicious processes, which hid the associated process metadata from forensic tools that read /proc.
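The two evasion tricks described above leave traces a defender can check for: a file system mounted over a /proc/[pid] directory shows up in the mount table, and a process calling itself lightdm that does not run from the distribution's LightDM binary is an impersonator. The following Python script is an added illustration, not code from Group-IB or the article; the /proc/mounts contents, the process list, and the expected LightDM path are constructed sample data.

```python
import re

# Constructed sample of /proc/mounts (not taken from the incident). The last
# two lines imitate the anti-forensic trick: a tmpfs and an ext4 image mounted
# over /proc/<pid> so tools reading /proc see the mount instead of the process.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=804000k 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec 0 0
tmpfs /proc/4242 tmpfs rw,relatime 0 0
/dev/loop3 /proc/5150 ext4 rw,relatime 0 0
"""

# Constructed process list as (pid, comm, exe path); one real display manager
# and one backdoor masquerading under the same name from a temp directory.
SAMPLE_PROCESSES = [
    (1200, "lightdm", "/usr/sbin/lightdm"),
    (4242, "lightdm", "/tmp/.x/lightdm"),
    (5150, "sshd", "/usr/sbin/sshd"),
]

# Assumed install path of the genuine LightDM binary; adjust per distribution.
EXPECTED_LIGHTDM_PATHS = {"/usr/sbin/lightdm"}

# Matches a mountpoint that is exactly /proc/<pid> or anything beneath it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/.*)?$")


def parse_mounts(text):
    """Parse /proc/mounts-style lines into (source, mountpoint, fstype) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def find_proc_pid_overlays(mounts_text):
    """Return [(pid, mountpoint, fstype, source)] for mounts sitting on top of
    a /proc/<pid> directory. Legitimate mounts under /proc such as
    /proc/sys/fs/binfmt_misc do not match because their path is not numeric."""
    hits = []
    for source, mountpoint, fstype in parse_mounts(mounts_text):
        m = PROC_PID_RE.match(mountpoint)
        if m:
            hits.append((int(m.group(1)), mountpoint, fstype, source))
    return hits


def find_name_impersonators(processes, name, expected_paths):
    """Return pids of processes whose comm equals `name` but whose executable
    is not one of the expected on-disk paths for that program."""
    return [pid for pid, comm, exe in processes
            if comm == name and exe not in expected_paths]


if __name__ == "__main__":
    # On a live host, replace SAMPLE_PROC_MOUNTS with open("/proc/mounts").read()
    # and build the process list from /proc/<pid>/comm and /proc/<pid>/exe.
    for pid, mp, fstype, src in find_proc_pid_overlays(SAMPLE_PROC_MOUNTS):
        print(f"ALERT: {fstype} from {src} mounted over {mp} (hides pid {pid})")
    for pid in find_name_impersonators(SAMPLE_PROCESSES, "lightdm",
                                       EXPECTED_LIGHTDM_PATHS):
        print(f"ALERT: pid {pid} is named lightdm but runs from an unexpected path")
```

The mount check is the more robust of the two: a process can rename itself freely, but a mount over /proc/[pid] is visible to any tool that reads /proc/mounts (or the kernel's mount namespace) rather than walking /proc/[pid] itself, and a pid that appears in the mount table but not in a normal process listing is worth an immediate look.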

According to researchers, the attackers’ ultimate goal was to deploy the Caketap rootkit, but this plan was thwarted as the attack was detected.
