The UNC2891 group, also known as LightBasin, used a covert 4G-enabled Raspberry Pi to access a bank's internal network and attempt ATM fraud. The attack combined physical and remote access with anti-forensics techniques. #LightBasin #Caketap
Key points
- LightBasin installed a Raspberry Pi with a 4G modem inside a bank’s network switch to gain persistent access.
- The attack aimed to spoof ATM authorization and perform fraudulent cash withdrawals, but failed.
- The group has a history of targeting financial and telecommunication systems with advanced tools like Caketap.
- Backdoors like ‘lightdm’ and techniques such as mounting alternative filesystems helped maintain stealth.
- The attacker’s network pivoting included lateral movement to the bank’s data center and mail server, with communication maintained via a persistent C2 channel.