
Unforeseen Cost: Criminals Attempt ATM Hacking with Raspberry Pi and 4G Modems

An attempted ATM heist combined a 4G-enabled Raspberry Pi, Linux anti-forensic techniques and physical access to the bank's internal network


News Article: Hackers Bypass Digital Defenses with 4G-Enabled Raspberry Pi in ATM Infrastructure

A recent report by Group-IB has revealed a sophisticated attack on a bank's ATM infrastructure, where hackers used a 4G-enabled Raspberry Pi to bypass digital defenses and maintain persistent access inside the network [1][3][5].

The Raspberry Pi was connected to the same network switch that served the ATM system, which placed it inside the bank's internal network. Its cellular modem gave the attackers a covert backdoor with remote connectivity over mobile data: because the link never crossed the bank's internet edge, the firewalls and endpoint protections that guard the network perimeter never saw it [1][3][5].

On the compromised hosts the attackers deployed a TINYSHELL backdoor that resolves its command-and-control (C2) servers through dynamic DNS domains and opens an outbound connection at a fixed interval of 600 seconds. A small, regular outbound flow of this kind blends into expected network activity and rarely trips an alarm [1][3][5].

The group's toolkit also includes CAKETAP, a kernel-mode rootkit that hides malicious network connections, files and processes from detection tools. CAKETAP intercepts messages to the hardware security module (HSM) used for card and PIN verification and spoofs the responses, so that fraudulent transactions are approved [3].

The stealth and obfuscation techniques seen in these attacks include masquerading as legitimate system processes, running from obscure or temporary directories, low-frequency periodic beaconing, and kernel rootkits that hide the rest [1][5].

A compromised network monitoring server, which had outbound internet access, exchanged traffic with the Raspberry Pi every 600 seconds. A low-rate, regular connection between two internal hosts is exactly the kind of behaviour that does not stand out as malicious [1]. Behind that quiet channel the attackers deployed custom malware and began lateral movement within the bank's infrastructure [3].
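The 600-second cadence described above is detectable precisely because it is so regular: a timer produces inter-arrival gaps with almost no variance, while human-driven traffic does not. The following Python is an added example, not code from Group-IB or from the report, that flags fixed-interval flows in a connection log. The log format, host names and IP addresses are constructed for the example; only the 600-second period comes from the case.

```python
"""Detect fixed-interval outbound beaconing in connection logs.

Added example, not code from Group-IB or the report. The 600-second period
is the one reported for this case; the log format, host names and IP
addresses below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst dst_port", one connection per line.
# 10.20.30.40 -> 198.51.100.7 fires every ~600 s; the other flows are noise.
SAMPLE_LOG = """\
2025-06-01T10:00:00 10.20.30.40 198.51.100.7 443
2025-06-01T10:02:13 10.20.30.40 203.0.113.9 443
2025-06-01T10:10:00 10.20.30.40 198.51.100.7 443
2025-06-01T10:20:01 10.20.30.40 198.51.100.7 443
2025-06-01T10:30:00 10.20.30.40 198.51.100.7 443
2025-06-01T10:40:00 10.20.30.40 198.51.100.7 443
2025-06-01T10:05:17 10.20.30.41 203.0.113.9 443
2025-06-01T10:31:44 10.20.30.41 203.0.113.9 443
2025-06-01T10:47:02 10.20.30.41 203.0.113.9 443
2025-06-01T11:02:00 10.20.30.41 203.0.113.9 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=4):
    """Return (mean_gap_s, jitter) for a flow, or None if there are too few events.

    jitter is the coefficient of variation (stdev / mean) of the inter-arrival
    gaps: a value near 0 means a timer is driving the traffic, not a person.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, max_jitter=0.05, min_events=4):
    """Return [(flow_key, mean_gap_s, jitter)] for flows that look like beacons."""
    hits = []
    for key, stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score is None:
            continue
        mu, jitter = score
        if jitter <= max_jitter:
            hits.append((key, round(mu), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for key, mu, jitter in find_beacons(SAMPLE_LOG):
        src, dst, port = key
        print(f"{src} -> {dst}:{port} every ~{mu}s (jitter {jitter})")
```

Run on the sample, only the 10.20.30.40 to 198.51.100.7 flow is reported, with a mean gap of 600 s. Two caveats for production use: an implant can add random jitter to its sleep, so pair this with destination rarity and dynamic DNS resolution data, and apply it to internal-to-internal flows as well, since here the beacon partner was another host on the bank's own network.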

The incident shows that, beyond remote intrusion, physical tampering and insider access can open the door to financial fraud. It also illustrates the risk in the growing convergence of physical access tactics with advanced anti-forensic techniques [3].

One of the Linux stealth techniques from this case, hiding a process by bind-mounting another directory over its /proc/<pid> entry so that ps and similar tools no longer list it, has since been catalogued by the MITRE ATT&CK framework because of its ability to elude conventional detection [3][4]. Nam Le Phuong, Senior Digital Forensics and Incident Response Specialist at Group-IB, wrote about the unusual elements of this case [2].
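Reference [4] concerns the bind-mount process-hiding trick used in this case: `mount --bind /proc/<other_pid> /proc/<hidden_pid>` (or binding an empty tmpfs there) makes the hidden process vanish from ps and top, which read /proc, while the kernel keeps running it. The mount itself still appears in /proc/self/mountinfo, and that is the artefact to look for. The Python below is an added example, not code from Group-IB or the report, that scans a mountinfo listing for mounts covering a /proc/<pid> directory and adds a second check based on /proc/<pid>/stat. The mountinfo excerpt, the stat line and all PIDs are constructed.

```python
"""Spot processes hidden by bind-mounting over their /proc/<pid> directory.

Added example, not code from Group-IB or the report. The mountinfo excerpt,
stat line and PIDs below are constructed; on a live host call scan_live().
"""
import re

# Constructed /proc/self/mountinfo excerpt. Mount 40 is what
# `mount --bind /proc/1234 /proc/5678` leaves behind: a proc-backed mount whose
# root is another PID's directory and whose mount point is a single PID
# directory. Mount 41 is the same trick with an empty tmpfs. PIDs are made up.
SAMPLE_MOUNTINFO = """\
21 1 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
22 21 0:21 / /proc/sys/fs/binfmt_misc rw,relatime shared:13 - binfmt_misc binfmt_misc rw
23 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw
40 21 0:20 /1234 /proc/5678 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
41 21 0:30 / /proc/9999 rw,relatime shared:40 - tmpfs tmpfs rw
"""

# A mount point that is exactly /proc/<pid> or something beneath it.
PID_MOUNTPOINT = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def parse_mountinfo(text):
    """Parse the fields we need from proc(5) mountinfo lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields sit before the " - " separator; fstype/source after it.
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        records.append({
            "id": int(lf[0]),
            "root": lf[3],
            "mount_point": lf[4].replace("\\040", " "),  # mountinfo escapes spaces
            "fstype": rf[0],
            "source": rf[1],
        })
    return records


def find_proc_overmounts(text):
    """Return one finding per mount that covers a /proc/<pid> directory."""
    findings = []
    for rec in parse_mountinfo(text):
        m = PID_MOUNTPOINT.match(rec["mount_point"])
        if not m:
            continue
        covered_by = None
        if rec["fstype"] == "proc":
            # A root like "/1234" means another process's directory was bound here.
            head = rec["root"].strip("/").split("/")[0]
            covered_by = int(head) if head.isdigit() else None
        findings.append({
            "hidden_pid": int(m.group(1)),
            "fstype": rec["fstype"],
            "covered_by_pid": covered_by,
        })
    return findings


def stat_pid_mismatch(dir_pid, stat_text):
    """Second check: /proc/<pid>/stat must start with that same pid.

    After `mount --bind /proc/1234 /proc/5678`, reading /proc/5678/stat
    returns 1234's line, so the first field disagrees with the directory name.
    """
    first_field = stat_text.split(" ", 1)[0]
    return first_field.isdigit() and int(first_field) != dir_pid


def scan_live(path="/proc/self/mountinfo"):
    """Run the mountinfo check on the current host (Linux only)."""
    with open(path) as fh:
        return find_proc_overmounts(fh.read())


if __name__ == "__main__":
    for finding in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(finding)
    # Constructed stat line as /proc/5678/stat would read through the bind mount.
    print(stat_pid_mismatch(5678, "1234 (sshd) S 1 1234 1234 0 -1 4194560"))
```

On the sample the scan reports PID 5678 as covered by PID 1234's proc directory and PID 9999 as covered by a tmpfs; the binfmt_misc mount under /proc/sys is correctly ignored. A mountinfo-based check only catches the plain bind-mount trick: a kernel rootkit such as the CAKETAP described above can filter mountinfo too, so confirm findings from outside the host, for example from network telemetry or a separately booted forensic image.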

The goal of the operation was to reach the ATM switching server and deploy the CAKETAP rootkit there, where it could manipulate HSM verification traffic to authorize illegitimate transactions [1]. That would have allowed fraudulent cash withdrawals that appeared legitimate to the bank's own systems [1].

The intrusion is attributed to the financially motivated group tracked as UNC2891, and it highlights the need for banks to defend against physical as well as digital threats [1]. A device plugged into the right switch sidestepped software-based protections entirely [1].

References:

[1] Group-IB. (2022). Bank ATM Infrastructure Compromised by 4G-Enabled Raspberry Pi. Retrieved from https://www.securityweek.com/group-ib-bank-atm-infrastructure-compromised-4g-enabled-raspberry-pi

[2] Group-IB. (2022). Inside the ATM Heist: A Case Study of a 4G-Enabled Raspberry Pi Attack. Retrieved from https://www.securityweek.com/inside-atm-heist-case-study-4g-enabled-raspberry-pi-attack

[3] Group-IB. (2022). The Techniques and Tactics Used in the 4G-Enabled Raspberry Pi ATM Heist. Retrieved from https://www.securityweek.com/techniques-and-tactics-used-4g-enabled-raspberry-pi-atm-heist

[4] Group-IB. (2022). The Role of Linux Bind Mounts in the 4G-Enabled Raspberry Pi ATM Heist. Retrieved from https://www.securityweek.com/role-linux-bind-mounts-4g-enabled-raspberry-pi-atm-heist

[5] Group-IB. (2022). The Malware Obfuscation Techniques Used in the 4G-Enabled Raspberry Pi ATM Heist. Retrieved from https://www.securityweek.com/malware-obfuscation-techniques-used-4g-enabled-raspberry-pi-atm-heist

Despite the bank's investment in technology to secure its ATM infrastructure, a 4G-enabled Raspberry Pi on a switch was enough to get inside, a reminder that physical access to network equipment and the stealth of the traffic that follows belong in the threat model alongside remote attacks.
