# Full Report
The UNC2891 hacking group, also known as LightBasin, used a 4G-equipped Raspberry Pi hidden in a bank's network to bypass security defenses in a newly discovered attack. [...]
# Analysis Summary
# Incident Report: Failed ATM Heist via Physical Network Insertion
## Executive Summary
A sophisticated cyber-physical attack targeted a bank: threat actors physically introduced a 4G-enabled Raspberry Pi onto the internal network. The device provided an external C2 channel over mobile data, independent of the bank's perimeter controls, and served as a pivot for lateral movement to critical internal servers, including the Network Monitoring Server and an internet-facing Mail Server. The end goal was deployment of a rootkit (Caketap) to carry out an ATM heist; the attempt was foiled before the rootkit was deployed.
## Incident Details
- Discovery Date: Not explicitly stated; implied to be shortly after the Raspberry Pi was planted, when the device was found and Group-IB began its investigation.
- Incident Date: Not explicitly stated.
- Affected Organization: Bank (unspecified).
- Sector: Financial Services (Banking).
- Geography: Not disclosed.
## Timeline of Events
### Initial Access
- Date/Time: Prior to discovery.
- Vector: Physical Insertion (4G Raspberry Pi device).
- Details: An attacker physically planted a Raspberry Pi device onto the bank's network, bypassing perimeter firewalls to establish an external C2 channel using its integrated 4G connectivity. The device hosted the TinyShell backdoor.
### Lateral Movement
- Date/Time: Following initial access.
- Details: Threat actors used the device as a pivot point to move laterally to the **Network Monitoring Server**, which had extensive connectivity within the data center. They further pivoted from the Monitoring Server to the **Mail Server**, which had direct internet access. Lateral movement tools were disguised as the legitimate 'lightdm' display manager.
### Data Exfiltration/Impact
- Data Exfiltration: Not detailed, but the ultimate goal was deployment of the **Caketap rootkit** to facilitate an ATM heist.
- Impact: The plan was foiled before the Caketap rootkit could be deployed, preventing the primary financial impact. The attackers achieved persistence on the Mail Server.
### Detection & Response
- Detection: Detection occurred when the planted Raspberry Pi was discovered, leading to an investigation by Group-IB.
- Response Actions: Removal of the Raspberry Pi (implied), forensic analysis of the compromised Network Monitoring Server (which was observed beaconing to the Pi on port 929 every 600 seconds), and discovery of the persistence mechanisms on the Mail Server.
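The beaconing described above (a fixed 600-second interval towards a single host and port) is the kind of pattern a defender can surface from flow or firewall logs. The following is an added example, not part of the original report or Group-IB's tooling: it groups connection records by (source, destination, port) and flags tuples whose inter-connection gaps are nearly constant. The log format, hosts and addresses are constructed placeholders, not indicators from the incident.

```python
"""Periodic-beacon detector over connection-log lines (added example).

Flags a (source, destination, port) tuple whose connection timestamps are
spaced at a near-constant interval, the pattern reported for the Network
Monitoring Server reaching the planted Raspberry Pi on port 929 every 600 s.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow records: "<ISO timestamp> <src> -> <dst>:<port>".
# Addresses are placeholders; only the port (929) and period (600 s) come from the report.
SAMPLE_LOG = """\
2024-01-01T00:00:00 10.0.5.20 -> 10.0.5.99:929
2024-01-01T00:00:03 10.0.5.20 -> 10.0.7.10:443
2024-01-01T00:10:00 10.0.5.20 -> 10.0.5.99:929
2024-01-01T00:14:11 10.0.5.20 -> 10.0.7.10:443
2024-01-01T00:20:01 10.0.5.20 -> 10.0.5.99:929
2024-01-01T00:29:59 10.0.5.20 -> 10.0.5.99:929
2024-01-01T00:31:40 10.0.5.20 -> 10.0.7.10:443
2024-01-01T00:40:00 10.0.5.20 -> 10.0.5.99:929
2024-01-01T00:50:00 10.0.5.20 -> 10.0.5.99:929
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        ts = datetime.fromisoformat(parts[0])
        dst, port = parts[3].rsplit(":", 1)
        yield ts, parts[1], dst, int(port)


def find_beacons(text, min_events=4, max_jitter=0.05):
    """Return {(src, dst, port): median_interval_seconds} for periodic tuples.

    A tuple is periodic when it has at least min_events connections and every
    gap between consecutive connections lies within max_jitter (a fraction)
    of the median gap. Tuples with too few events are ignored to avoid
    flagging ordinary short-lived traffic.
    """
    events = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        events[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            beacons[key] = med
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_LOG).items():
        print(f"periodic: {src} -> {dst}:{port} every ~{interval:.0f}s")
```

On the constructed sample the 443 traffic is irregular and too sparse to qualify, while the port-929 connections are flagged with a median period of 600 seconds. In practice the jitter tolerance is the knob to tune: real implants often add random sleep, so a tolerance of a few percent catches fixed-interval beacons like this one, while a wider tolerance trades false positives for coverage of jittered schedules.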
## Attack Methodology
- Initial Access: Physical implant (Raspberry Pi with 4G/mobile data connection).
- Persistence: Established on the Mail Server using backdoors ('lightdm') even after the Raspberry Pi was removed.
- Privilege Escalation: Not explicitly detailed, but implied necessary to pivot to the Monitoring Server and Mail Server.
- Defense Evasion: Highly effective. The actors relied on a widely available component (the TinyShell backdoor) rather than bespoke malware, and hid the metadata of malicious processes by mounting alternative filesystems (**tmpfs and ext4 over '/proc/[pid]' paths**), so that tools reading /proc saw the mounted filesystem instead of the process's real entries.
- Credential Access: Not detailed.
- Discovery: Likely performed post-lateral movement prior to Caketap deployment.
- Lateral Movement: Pivoting through highly privileged internal systems (Network Monitoring Server, Mail Server).
- Collection: Not detailed, but required to set the stage for Caketap rootkit deployment.
- Exfiltration: Ultimate goal was action against ATMs, not traditional data exfiltration.
- Impact: Failed attempt to deploy Caketap rootkit for ATM fraud.
## Impact Assessment
- Financial: Goal was ATM heist; impact mitigated as the attack was foiled.
- Data Breach: Not the primary focus, but internal network access was achieved.
- Operational: Temporary compromise of Network Monitoring Server and Mail Server due to established persistence.
- Reputational: Not detailed.
## Indicators of Compromise
- Network Indicators: Internal beaconing from the Network Monitoring Server to the planted Raspberry Pi (the initial C2 pivot host) on port 929 every 600 seconds (transport protocol not stated).
- File Indicators: TinyShell backdoor present on the Raspberry Pi; 'lightdm' files used for persistence/backdoors on internal hosts.
- Behavioral Indicators: Obfuscation techniques involving mounting alternative filesystems (tmpfs, ext4) over **/proc/[pid]** paths of malicious processes.
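The behavioral indicator above, and the recommendation at the end of this report to correlate mount-based /proc obfuscation with other activity, both come down to one check: is anything mounted over a /proc/<pid> path? The following is an added example, not code from the original report or from Group-IB: it parses the kernel's mountinfo format (as exposed at /proc/self/mountinfo on Linux) and returns the PIDs whose /proc entries have a filesystem mounted over them. The sample mount table is constructed for the example; the PIDs and devices in it are placeholders.

```python
"""Flag filesystems mounted over /proc/<pid> paths (added example).

A tmpfs or ext4 mounted over /proc/<pid> hides that process's metadata from
any tool that reads /proc, including ps, lsof and most EDR collectors. No
legitimate software does this, so a hit is a strong, low-noise signal that
should be correlated with the process, its parent and its network activity.
"""
import re
from dataclasses import dataclass

# Mount points of the form /proc/<pid> or anything beneath them.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed sample in /proc/self/mountinfo format:
#   id parent major:minor root mountpoint options [optional...] - fstype source superopts
# Lines 3 and 4 show the evasion described in the report; the rest are benign.
SAMPLE_MOUNTINFO = r"""
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 0:35 / /proc/4242 rw,relatime - tmpfs tmpfs rw
41 22 8:2 /hidden /proc/4243 rw,relatime - ext4 /dev/sdb1 rw
42 25 0:36 / /tmp/my\040dir rw - tmpfs tmpfs rw
"""


@dataclass(frozen=True)
class Mount:
    mount_id: int
    mount_point: str
    fstype: str
    source: str


def _unescape(path):
    """Decode the \\ooo octal escapes mountinfo uses for space, tab, newline and backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Parse mountinfo lines into Mount records; malformed lines are skipped, not fatal."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The literal " - " separates the variable optional fields from fstype/source.
        pre, sep, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        mounts.append(Mount(int(pre_fields[0]), _unescape(pre_fields[4]),
                            post_fields[0], post_fields[1]))
    return mounts


def find_proc_overlays(text):
    """Return {pid: [(fstype, mount_point), ...]} for mounts placed under /proc/<pid>."""
    hits = {}
    for m in parse_mountinfo(text):
        match = PROC_PID_RE.match(m.mount_point)
        if match:
            hits.setdefault(int(match.group(1)), []).append((m.fstype, m.mount_point))
    return hits


def scan_live(path="/proc/self/mountinfo"):
    """Run the check against this host's own mount table (Linux only)."""
    with open(path) as fh:
        return find_proc_overlays(fh.read())


if __name__ == "__main__":
    for pid, entries in find_proc_overlays(SAMPLE_MOUNTINFO).items():
        print(f"pid {pid} has filesystem(s) mounted over its /proc entry: {entries}")
```

On the sample table the check reports PIDs 4242 (tmpfs) and 4243 (ext4) and ignores /proc itself and the unrelated tmpfs on /tmp. Because the hidden process's entry is masked, the PID number from the mount point is often the only handle an investigator gets from /proc; the next step is to pivot to sources that do not go through /proc for that process, such as the parent's child list, kernel audit records, or a memory image.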
## Response Actions
- Containment: Physical removal of the 4G Raspberry Pi device.
- Eradication: Identification and cleanup of backdoors ('lightdm') and persistence mechanisms on the Network Monitoring Server and Mail Server.
- Recovery: Re-establishment of trust and validation of internal network integrity following host compromise.
## Lessons Learned
- Insider threat or poor physical security allowed for the introduction of a sophisticated, externally connected device onto a secure network segment.
- Attackers utilized advanced stealth techniques (mounting filesystems over /proc paths to obscure process metadata) to evade immediate forensic discovery.
- Persistence mechanisms were successfully established on an internet-facing server (Mail Server) separate from the initial entry point.
## Recommendations
- Implement stringent physical access controls, especially for network endpoints and sensitive areas where devices like a Raspberry Pi could be connected.
- Enhance network monitoring to immediately flag connection attempts originating from unknown or unauthorized devices utilizing cellular (4G) interfaces on the internal LAN.
- Review security monitoring configurations to ensure filesystem metadata obfuscation techniques (like mounting over /proc paths) are correlated with other suspicious activity to prevent defense evasion.