In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

Summary

“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong wrote. “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data.” To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank’s monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center. The Network Monitoring Server as an intermediary between the Raspberry Pi and the Mail Server. Credit: Group-IB The Network Monitoring Server as an intermediary between the Raspberry Pi and the Mail Server. Credit: Group-IB As Group-IB was initially investigating the bank’s network, researchers noticed some unusual behaviors on the monitoring server, including an outbound beaconing signal every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic tool to analyze the communications. The tool identified the endpoints as a Raspberry Pi and the mail server but was unable to identify the process names responsible for the beaconing. The forensic triage tool is unable to collect the relevant process name or ID associated with the socket. Credit: Group-IB The forensic triage tool is unable to collect the relevant process name or ID associated with the socket. Credit: Group-IB The researchers then captured the system memory as the beacons were sent. The review identified the process as lightdm, a process associated with an open source LightDM display manager. The process appeared to be legitimate, but the researchers found it suspicious because the LightDM binary wa...