Today, we’re thrilled to sit down with Dominic Jainy, a seasoned IT professional with deep expertise in artificial intelligence, machine learning, and blockchain, who has a keen interest in how emerging technologies intersect with cybersecurity. In this interview, we dive into a chilling case of a hidden backdoor discovered in an ATM network through a Raspberry Pi device. Dominic sheds light on the sophisticated tactics used by attackers, from physical breaches to stealthy malware, and explores the broader implications for financial infrastructure security. We’ll discuss how the intrusion unfolded, the clever tricks employed to evade detection, and what this means for the future of defending against such advanced threats.
Can you walk us through how attackers managed to physically breach the ATM network and connect a Raspberry Pi to a shared network switch?
It’s a stark reminder of how physical security is often the weakest link. In this case, the attackers, identified as UNC2891, gained access to a network switch that was connected to an ATM system. They physically attached a Raspberry Pi—a small, cheap, and easily concealable device—to the switch. What’s particularly alarming is that there were likely gaps in physical security protocols, such as unsecured server rooms or inadequate monitoring of hardware access. Without strict controls like locked enclosures, regular inspections, or even basic CCTV coverage, it’s not hard for someone with malicious intent to plug in a rogue device and blend it into the environment.
What specific role did the Raspberry Pi play in enabling this attack, especially with its 4G modem?
The Raspberry Pi was essentially the attackers’ gateway into the bank’s internal network. Equipped with a 4G modem, it allowed them to connect remotely over mobile data, completely sidestepping the bank’s perimeter firewall. This meant they didn’t need to rely on traditional network entry points that might be monitored or logged. Instead, they had a direct, persistent line of communication to the device, which acted as a bridge into the broader system. It’s a clever and low-cost way to maintain access without tripping alarms that might detect unusual inbound traffic.
Can you explain the custom backdoor called TINYSHELL and how it helped the attackers maintain control?
TINYSHELL was a bespoke piece of malware designed for stealth and persistence. It established outbound connections using dynamic DNS domains, which are notoriously hard to track because they can change frequently and mask the true location of the command-and-control servers. This allowed the attackers to communicate with their infrastructure without being easily blocked or traced. What’s more, TINYSHELL was built to operate discreetly, avoiding obvious signs of malicious activity that might show up in routine scans or logs, making it a real challenge for initial investigations to even spot it.
How did the attackers disguise their malware as a legitimate system process, and why was this so effective?
They pulled off a deceptive trick by naming their malicious processes “lightdm,” which is a legitimate Linux display manager. At first glance, it looks like a normal system component, so it wouldn’t raise immediate red flags during a quick check. They ran these fake processes from odd locations like /tmp and /var/snap/.snapd/, which aren’t typical spots for system binaries. By using Linux bind mounts, they could hide the true nature of these files and processes from standard forensic tools. It’s a clever abuse of system features—most admins wouldn’t think to look twice at something that appears so mundane.
What was the ultimate objective of UNC2891 in targeting the ATM switching server?
Their endgame was financial gain through fraudulent ATM withdrawals. They aimed to compromise the ATM switching server and deploy a rootkit called CAKETAP. This rootkit was designed to spoof authorization responses from hardware security modules, essentially tricking the system into approving transactions that shouldn’t have been allowed. If successful, they could have orchestrated large-scale cash-outs across multiple ATMs without triggering any alerts. It’s a sophisticated approach that shows a deep understanding of banking infrastructure and its weak points.
How did the attackers exploit the bank’s own internal systems to maintain access and move within the network?
They were incredibly resourceful in turning the bank’s own tools against it. For instance, they used the internal mail server as a secondary access point, likely to relay commands or exfiltrate data in a way that blended into normal traffic. Additionally, they leveraged the network monitoring server, which had connections to nearly every system in the data center. This gave them a perfect pivot point for lateral movement, allowing them to explore and exploit other parts of the environment without drawing attention. It’s a classic tactic—use trusted systems to hide malicious activity.
During the investigation, periodic beaconing was detected every 600 seconds. Can you unpack what that means and why it’s significant?
Beaconing is essentially a heartbeat signal that malware sends back to its command-and-control server to say, “I’m still here, waiting for instructions.” In this case, the beaconing happened every 600 seconds—about every 10 minutes—which is frequent enough to maintain a connection but spaced out enough to avoid looking like constant, suspicious traffic. It’s significant because it shows the attackers were focused on persistence. Even during idle states, this regular check-in ensured they could regain control or issue commands at any time. It also made detection trickier since there were no obvious malicious processes running during initial triage.
What is your forecast for the future of attacks on financial infrastructure, given the evolving tactics seen in this case?
I think we’re going to see more hybrid attacks that combine physical and digital elements, much like this one. The use of devices like Raspberry Pi for network intrusion shows how accessible and effective low-cost hardware can be for cybercriminals. We’ll likely see an increase in stealth techniques, such as abusing obscure system features or hiding malware in memory rather than on disk. Financial institutions will need to double down on both physical security and advanced detection tools, like behavioral analysis and memory forensics, to catch these threats early. The cat-and-mouse game between attackers and defenders is only going to get more complex as technology evolves.