Close Menu
Cyberattacks

UNC2891 Hacks ATM Network Using 4G Raspberry Pi and Explores CAKETAP Rootkit

Staff WriterBy No Comments4 Mins Read0 Views

Top Highlights

  1. Covert Attack Method: The cyber threat group UNC2891 used a 4G-equipped Raspberry Pi to infiltrate ATM networks by physically installing the device, allowing access to the bank’s infrastructure.

  2. Backdoor and Remote Access: By utilizing the TINYSHELL backdoor and a Dynamic DNS domain, UNC2891 established persistent remote access to the ATM network, circumventing traditional defenses like firewalls.

  3. Rootkit Deployment: The operation involved deploying a kernel module rootkit called CAKETAP, designed to conceal network activities and facilitate unauthorized ATM cash withdrawals.

  4. Ongoing Threat: Despite the disruption of their attack before significant damage occurred, UNC2891 retained access through other backdoors, maintaining a potential risk for future financial fraud.

What’s the Problem?

On July 31, 2025, cyber security firm Group-IB reported a sophisticated breach involving a financially motivated threat actor known as UNC2891, who targeted Automated Teller Machine (ATM) systems. The attack was executed using a 4G-capable Raspberry Pi, surreptitiously installed by the perpetrators within the bank’s internal network. Although the exact method of gaining physical access remains unclear, the device was ingeniously connected to the same network switch as the ATM, creating a pathway for the attacker to leverage a backdoor, termed TINYSHELL, which facilitated continuous remote access, bypassing traditional firewalls and network defenses. This breach paralleled past activities linked to UNC2891, previously documented in reports by Mandiant and showing connections to other threat groups like UNC1945.

Central to this campaign was a sophisticated kernel module rootkit known as CAKETAP, which obscured the presence of the threat’s mechanisms and enabled the manipulation of card authentication processes. This approach allowed for illicit cash withdrawals from ATMs using counterfeit cards. Even after the rapid investigation led to the removal of the Raspberry Pi device, the attack was notably complicated by pre-existing backdoors on the bank’s mail server, thereby sustaining the threat actor’s internal access. Group-IB emphasized the significance of this attack, particularly in demonstrating the adversary’s advanced knowledge of Linux and Unix systems, and their ability to utilize bind mounts to obscure their operations and evade detection, underscoring a critical vulnerability in the security architecture of financial institutions.

Potential Risks

The emergence of the UNC2891 threat actor underscores profound risks for businesses, users, and organizations that may find themselves ensnared in a similar web of cyber-physical attacks. By infiltrating ATM networks through seemingly innocuous devices like a Raspberry Pi, this group has not only circumvented traditional cybersecurity measures but also leveraged advanced tactics, such as backdooring and rootkit deployment, to maintain persistent access. The ramifications of such intrusions extend far beyond immediate financial theft; they threaten the integrity of financial systems, potentially eroding consumer trust, disrupting service accessibility, and inviting regulatory scrutiny. If other institutions become collateral damage in this escalating cyber conflict, the cascading effects could jeopardize stakeholder relationships, destabilize the market, and impose heavy financial burdens associated with remediation efforts, all while fostering an environment of fear and uncertainty among users reliant on secure transactional infrastructures.

Possible Action Plan

The swift response to cybersecurity breaches is paramount in safeguarding organizational integrity and financial stability.

Mitigation Steps:

  • Immediate Isolation: Disconnect compromised devices from the network.
  • Malware Analysis: Conduct a thorough examination of CAKETAP rootkit behavior.
  • Network Traffic Monitoring: Implement enhanced scrutiny of incoming and outgoing traffic for anomalous patterns.
  • Patch Management: Update all relevant software and firmware to seal exploitable vulnerabilities.
  • User Access Review: Reassess privileges and access rights for employees associated with the breach.
  • Incident Response Plan Activation: Engage the pre-established incident response protocol to structure and streamline remediation efforts.

NIST CSF Guidance:
The NIST Cybersecurity Framework emphasizes the necessity of resilience through continuous monitoring and assessment. Organizations should reference NIST SP 800-61, “Computer Security Incident Handling Guide,” for in-depth procedures on incident response and mitigation strategies post-breach.

Stay Ahead in Cybersecurity

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.