A financially motivated threat group known as UNC2891 orchestrated a sophisticated attack on banking infrastructure by physically installing a 4G-equipped Raspberry Pi device directly into an ATM network, security researchers from Group-IB revealed this week.

“This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network,” Group-IB researchers noted in their analysis. The attackers equipped the Raspberry Pi with a 4G modem, enabling remote command-and-control operations through mobile data connections that completely bypassed traditional perimeter firewalls and network defenses.

The attackers deployed backdoors masquerading as legitimate system processes named “lightdm,” mimicking the standard LightDM display manager found on Linux systems. Using a custom backdoor called TINYSHELL, the device established outbound communication channels via Dynamic DNS domains, providing continuous external access to the compromised network.

Standard forensic triage tools failed to detect these processes because the threat actors used bind mounts to overlay malicious process directories with benign ones, effectively rendering the backdoors invisible to conventional analysis methods. Initial triage failed to reveal the backdoors because they were hidden during system idle states, requiring memory forensics and continuous network monitoring to uncover the malicious activity.

Security experts now recommend implementing several defensive measures: monitoring mount and umount system calls via tools like auditd or eBPF, alerting on unusual /proc/[pid] mounts, blocking executions from temporary directories, securing physical network infrastructure, and incorporating memory analysis in incident response procedures.
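The "alert on unusual /proc/[pid] mounts" recommendation can be implemented by parsing the kernel's mountinfo table and flagging any mount whose mount point sits under a /proc/<pid> directory, which is exactly where a bind-mount overlay used to hide a process would appear. The script below is an added example written for this article, not Group-IB's tooling; the auditd rule string, the sample mountinfo lines and the PIDs in them are constructed for illustration.

```python
"""Detect bind mounts layered over /proc/<pid> directories by parsing mountinfo."""
import re
from typing import Dict, List

# Constructed auditd rule for x86-64 hosts: records every mount/umount2 syscall
# so that a later bind mount over /proc/<pid> leaves an audit trail (key: proc_mount_watch).
AUDIT_RULE = "-a always,exit -F arch=b64 -S mount -S umount2 -k proc_mount_watch"

# A mount point of the form /proc/<digits> or anything beneath it is suspicious.
PID_MOUNT_RE = re.compile(r"^/proc/\d+(/.*)?$")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse /proc/<pid>/mountinfo text into one dict per mount entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Format: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
        pre, _, post = line.partition(" - ")
        fields, tail = pre.split(), post.split()
        if len(fields) < 6 or len(tail) < 2:
            continue  # malformed line: skip rather than crash the scanner
        entries.append({
            "mount_id": fields[0], "parent_id": fields[1],
            "root": fields[3], "mount_point": fields[4].replace("\\040", " "),
            "fstype": tail[0], "source": tail[1],
        })
    return entries


def find_hidden_pid_mounts(text: str) -> List[Dict[str, str]]:
    """Return entries whose mount point is a /proc/<pid> path (the process-hiding overlay)."""
    return [e for e in parse_mountinfo(text) if PID_MOUNT_RE.match(e["mount_point"])]


# Constructed sample: a normal proc mount, then /proc/1234 bind-mounted over /proc/4242
# so that tools reading /proc/4242 see the benign process 1234 instead.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
120 22 0:21 /1234 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
"""

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:  # live scan of the current host
        for hit in find_hidden_pid_mounts(fh.read()):
            print(f"ALERT: {hit['mount_point']} is overlaid by {hit['source']}:{hit['root']}")
```

Run as root from the initial mount namespace so the scan sees the same mount table the hidden process lives in; a hit identifies the overlaid PID, which can then be compared against memory-forensics results.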
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 12:05:20 +0000