Runners Hired to Connect Device to Bank’s Network, Facilitating Remote Hacks
Criminals with a proven track record of hacking into banks’ networks have added a new initial access tool to their arsenal: the world’s tiniest hobbyist computer.
Cybersecurity firm Group-IB has tied a cybercrime group tracked as UNC2891 to an attempted bank heist in the Asia-Pacific region, in which attackers physically installed a 4G-enabled Raspberry Pi onto a network switch also connected to one of the bank’s ATMs, giving them remote access to the internal IT environment.
“This unprecedented tactic allowed the attackers to bypass perimeter defenses entirely,” says a report from Group-IB. The attackers also used anti-forensics tactics such as abusing Linux bind mounts, which map a file or directory from one file system location to another, similar to Windows shortcuts, “to conceal their activity, enabling stealthy lateral movement and persistent access to critical systems, including ATM switching servers,” it said.
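Bind mounts leave a trace even when they are used to hide something: every one of them appears in `/proc/self/mountinfo`, with the `root` field naming the subtree of the source filesystem that was grafted onto the mount point. The parser and check below are an added example (not Group-IB's code and not from their report) that walks that file and reports any mount sitting on top of a `/proc/<pid>` directory, which is the variant of the trick that hides a process from `ps` and `ls /proc`; that specific variant is an assumption on my part, since the article only says bind mounts were abused to conceal activity. The sample `mountinfo` text is constructed.

```python
"""Detect bind mounts overlaying /proc/<pid> directories (added example).

Parses the /proc/self/mountinfo format documented in proc(5). Nothing
legitimately mounts on a numeric /proc/<pid> path, so any such entry is worth
a look; the report shows the source filesystem and the subtree that was
grafted there.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    device: str        # major:minor of the source filesystem
    root: str          # subtree of the source fs that is mounted (not "/" for a bind of a subdir)
    mount_point: str
    fs_type: str
    source: str


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> list[MountEntry]:
    """Parse mountinfo lines. Optional fields precede the ' - ' separator."""
    entries: list[MountEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # malformed line, skip rather than crash a live scan
        entries.append(MountEntry(
            mount_id=int(pre_fields[0]),
            parent_id=int(pre_fields[1]),
            device=pre_fields[2],
            root=_unescape(pre_fields[3]),
            mount_point=_unescape(pre_fields[4]),
            fs_type=post_fields[0],
            source=_unescape(post_fields[1]),
        ))
    return entries


PID_DIR = re.compile(r"^/proc/\d+(?:/|$)")


def find_proc_overlays(entries: list[MountEntry]) -> list[MountEntry]:
    """Return every mount whose mount point is a /proc/<pid> path.

    A bind mount of an ordinary directory there carries the source fs type
    (ext4, tmpfs, ...); a bind of another process's /proc entry carries type
    'proc' with a root like '/1'. Both are reported.
    """
    return [e for e in entries if PID_DIR.match(e.mount_point)]


def scan_live() -> list[MountEntry]:
    """Check the running host (Linux only); returns [] elsewhere."""
    path = Path("/proc/self/mountinfo")
    if not path.exists():
        return []
    return find_proc_overlays(parse_mountinfo(path.read_text()))


# Constructed sample: a normal /proc, root fs, /run, plus two overlays hiding
# PIDs 4321 (a directory from the root fs) and 4400 (PID 1's own /proc entry).
SAMPLE_MOUNTINFO = """\
21 26 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
26 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
30 26 0:24 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,mode=755
98 21 8:1 /var/lib/hidden /proc/4321 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
99 21 0:20 /1 /proc/4400 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

if __name__ == "__main__":
    for hit in find_proc_overlays(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"{hit.mount_point}: {hit.fs_type} from {hit.source}, subtree {hit.root}")
    for hit in scan_live():
        print(f"LIVE {hit.mount_point}: {hit.fs_type} from {hit.source}, subtree {hit.root}")
```

On a real host, compare the findings against `mount` output from a known-good baseline; the `root` and `source` fields tell you where the overlaid content came from, which is the first pivot for the forensic timeline.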
The financially motivated group has been active since at least November 2017, and displays “deep technical expertise” across Linux and Unix-based systems, as well as Oracle Solaris environments, Group-IB said. UNC2891 regularly wielded a variety of custom malware tools, although researchers said its initial access tactics often are unclear.
In this case, the exceptionally stealthy effort, likely a prelude to cash-out attacks designed to let money mules withdraw cash from ATMs without authorization, was spotted and thwarted.
The attack occurred in the first quarter of this year. “We can’t disclose the specific country due to an ongoing investigation, but we can confirm the attackers are not local to the region,” said Nam Le Phuong, the senior digital forensics and incident response specialist at Group-IB who authored the report.
To facilitate the hacking effort, “based on our investigations, UNC2891 paid runners to physically plant the device on the ATM machine,” he told Information Security Media Group. “We were unable to trace the access origin of the 4G modem,” through which attackers had remote access to the bank’s network.
The hardware required to execute such an attack needn’t have been expensive. A Raspberry Pi 4 costs $35 and up, while a modem kit can be had for $140.
Responders found that the criminals infected the bank’s network with the Tinyshell backdoor, giving them an outbound channel, through a dynamic DNS domain, to a command-and-control server. “This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.”
The group often attempts to infect victims’ systems with “a custom variant of the publicly available Tinyshell backdoor” that it has tweaked to communicate via an encrypted HTTP proxy, and it often tries to hide the backdoor by renaming it to resemble legitimate Unix or Linux services.
Digital forensic investigators found that attackers hit the bank’s network monitoring server, which connected to nearly every other server in the data center, and were attempting to move laterally to reach the bank’s ATM switching server and deploy a rootkit to manipulate hardware security module responses, enabling them to “spoof authorization messages to facilitate fraudulent ATM cash withdrawals.”
Advanced and Persistent
UNC2891 has a long history of attempting to hack banks’ networks in a variety of ways. Threat intel firm Mandiant in 2022 found the group focusing on Oracle Solaris-based systems with Tinyshell and Slapstick backdoors. Mandiant also found the group appeared to have significant crossover with a cluster of threat activity tracked as UNC1945, first spotted in 2020 and tied to attacks exploiting a zero-day vulnerability in the Oracle Solaris operating system.
Slapstick is researchers’ codename for a Solaris Pluggable Authentication Module backdoor first used by UNC1945 in multiple attacks, since at least late 2018. The backdoor enables attackers “to establish a foothold” on a Solaris server as well as “capture connection details and credentials to facilitate further compromise,” Mandiant said.
In the Raspberry Pi bank attack this year, investigators foiled the group’s efforts before it succeeded in doing the same. Still, ejecting the attackers from the bank’s network proved difficult. Even after spotting and removing the Raspberry Pi, the attackers maintained remote access through a backdoor installed on the bank’s mail server, which offered direct internet connectivity.
Using a dynamic DNS domain for the command-and-control server gave the attackers both obfuscation and persistence: if the IP address to which the domain resolved got seized, they could quickly repoint the domain to a new IP address.
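The repointing behaviour just described is visible in resolver logs: the same hostname starts answering with a different address, and with dynamic DNS it can do so several times in a short span. The script below is an added example of that heuristic (not Group-IB's detection logic) run over constructed resolver log lines in an assumed `timestamp client qname answer` format; it reports names whose A-record answer changed at least twice inside a one-hour window. Treat hits as triage signals, since CDN-fronted names also rotate addresses.

```python
"""Flag hostnames whose resolved address changes rapidly (added example).

Assumed, constructed log format per line:
    <ISO-8601 UTC timestamp> <client ip> <queried name> <answer ip>
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The first name repoints twice in ten minutes; the
# internal name stays stable. All addresses are from documentation ranges.
SAMPLE_LOG = """\
2025-03-02T01:00:05Z 10.20.5.17 updates.example-ddns.test 203.0.113.10
2025-03-02T01:05:05Z 10.20.5.17 updates.example-ddns.test 203.0.113.10
2025-03-02T01:10:05Z 10.20.5.17 updates.example-ddns.test 198.51.100.7
2025-03-02T01:15:05Z 10.20.5.17 updates.example-ddns.test 198.51.100.7
2025-03-02T01:20:05Z 10.20.5.17 updates.example-ddns.test 192.0.2.44
2025-03-02T01:00:30Z 10.20.5.18 intranet.example.org 192.0.2.5
2025-03-02T02:00:30Z 10.20.5.18 intranet.example.org 192.0.2.5
"""

Record = tuple[datetime, str, str, str]


def parse_log(text: str) -> list[Record]:
    """Parse and sort by time so changes are detected in chronological order."""
    records: list[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, qname.lower().rstrip("."), answer))
    records.sort(key=lambda r: r[0])
    return records


def find_fast_repointing(records: list[Record],
                         window: timedelta = timedelta(hours=1),
                         min_changes: int = 2) -> dict[str, list[tuple[datetime, str, str]]]:
    """Return {qname: [(when, old_ip, new_ip), ...]} for names whose answer
    changed at least `min_changes` times within any `window`-long span."""
    changes: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    last_seen: dict[str, str] = {}
    for ts, _client, qname, answer in records:
        previous = last_seen.get(qname)
        if previous is not None and previous != answer:
            changes[qname].append((ts, previous, answer))
        last_seen[qname] = answer

    findings: dict[str, list[tuple[datetime, str, str]]] = {}
    for qname, events in changes.items():
        # Sliding window over the change timestamps only.
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= min_changes:
                findings[qname] = events[i:j]
                break
    return findings


if __name__ == "__main__":
    for name, events in find_fast_repointing(parse_log(SAMPLE_LOG)).items():
        print(name)
        for when, old, new in events:
            print(f"  {when.isoformat()} {old} -> {new}")
```

Pair the hit list with the client that asked: a single internal host repeatedly resolving a repointing name, especially a server that has no business talking to the internet, is the combination that matters.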
“This multi-pivot access path – combining physical, network and infrastructure control – made containment especially challenging and highlights the sophistication of UNC2891’s operation,” Group-IB said.
UNC2891 is far from the first cybercrime group to use Dynamic DNS. Cyberthreat intelligence firm Silent Push in April reported that the ransomware-wielding collective tracked as Scattered Spider earlier this year began using this tactic via dynamic DNS providers, which allow customers to rent subdomains while obscuring ownership.