
Group-IB reported that the hacker group UNC2891 (also known as LightBasin) used a Raspberry Pi with 4G support to infiltrate a bank’s network and bypass its security systems. The single-board computer was connected to the same network switch as the ATM, creating a channel into the bank’s internal network. This allowed the attackers to perform lateral movement and install backdoors.
According to researchers who discovered the compromise while investigating suspicious activity within the bank’s network, the aim of this attack was to spoof ATM authorization and carry out cash withdrawal operations.
Although the LightBasin attack was unsuccessful, researchers note that the incident is a rare example of an advanced hybrid attack (combining physical and remote access), which also utilized multiple anti-forensic methods.
The LightBasin group, active since 2016, is not new to attacking banking systems. For instance, back in 2022, experts from Mandiant reported on a then-new Unix rootkit named Caketap, designed to operate on Oracle Solaris systems used in the financial sector.
Researchers concluded that the ultimate goal of Caketap was to intercept card verification data and PIN codes from compromised ATM servers and subsequently use this information for unauthorized transactions.
The messages intercepted by Caketap were intended for the Payment Hardware Security Module (HSM), a secure hardware device used in the banking sector for the generation, management, and validation of cryptographic keys for PIN codes, magnetic stripes, and EMV chips.
In an attack discovered by Group-IB, members of LightBasin gained physical access to a branch of an unnamed bank, either on their own or by bribing an employee, who assisted the hackers in placing a Raspberry Pi with a 4G modem on the same network switch as an ATM. This allowed the perpetrators to maintain constant remote access to the bank’s internal network, bypassing firewalls.
The Raspberry Pi had the TinyShell backdoor installed, which the attackers used to create a communication channel with their command-and-control server over the mobile network.
In the subsequent stages of the attack, the intruders moved to the Network Monitoring Server, which had extensive capabilities for connecting to the bank’s data center.
From there, the attackers moved to the mail server, which had direct access to the internet, and maintained their presence in the organization’s network even after the Raspberry Pi was discovered and removed.
The backdoors that the attackers used for lateral movement were named lightdm to mimic the legitimate LightDM display manager used on Linux systems. Another element that contributed to the high level of stealth was the mounting of alternative file systems (tmpfs and ext4) over the /proc/[pid] directories of the malicious processes. Because forensic tools read process metadata from /proc, the over-mounted directories hid that metadata from them.
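A defender-side check for the /proc over-mount trick described above, written here as an added example and not taken from Group-IB's tooling: it parses the /proc/self/mountinfo format and flags any mount whose mount point lies on a /proc/[pid] path, which a normal system should never have. The mountinfo text below is constructed sample data; the PIDs and devices in it are invented.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not from the incident).
# Fields: id parent major:minor root mount_point opts [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
105 22 0:47 / /proc/4242 rw,nosuid,nodev,relatime - tmpfs tmpfs rw
106 22 8:17 /fakeproc /proc/5151 rw,relatime - ext4 /dev/sdb1 rw
107 28 0:48 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1024k
"""

# Matches "/proc/<pid>" exactly or any path below it.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts with mount_point, fstype and source."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")   # optional fields end at " - "
        if not sep:
            continue
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 5 or len(post_fields) < 2:
            continue
        entries.append({
            # mountinfo escapes spaces in paths as \040
            "mount_point": pre_fields[4].replace("\\040", " "),
            "fstype": post_fields[0],
            "source": post_fields[1],
        })
    return entries


def find_proc_overmounts(entries):
    """Return mounts placed over /proc/[pid]; each finding carries the hidden PID."""
    findings = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if m:
            findings.append({"pid": int(m.group(1)), **e})
    return findings


def scan_live_system():
    """Run the check against the real /proc/self/mountinfo of this host."""
    with open("/proc/self/mountinfo") as f:
        return find_proc_overmounts(parse_mountinfo(f.read()))


if __name__ == "__main__":
    for hit in find_proc_overmounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"suspicious: {hit['fstype']} ({hit['source']}) mounted over {hit['mount_point']}, pid {hit['pid']}")
```

On a live host, any hit from scan_live_system() is worth treating as an incident indicator, since no legitimate software mounts file systems over individual process directories in /proc.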
According to researchers, the attackers’ ultimate goal was to deploy the Caketap rootkit, but this plan was thwarted as the attack was detected.