
Hackers Use 4G-Connected Raspberry Pi to Breach Bank’s ATM Network

A cybercriminal group has used an unusual method to infiltrate a bank’s internal systems: planting a Raspberry Pi single-board computer inside the bank’s network. The attackers used the device to reach critical parts of the bank’s infrastructure, including the systems that process ATM transactions.

The incident was reported by cybersecurity firm Group-IB, which called the approach “unprecedented.” The attackers sidestepped the bank’s perimeter defences entirely by physically placing the small computer on the bank’s premises and plugging it into the same network switch that carries ATM traffic, which gave them a foothold directly on the internal network.

The Raspberry Pi was fitted with a 4G modem, which let the attackers control it remotely over the mobile network; they did not need to be anywhere near the bank while carrying out the rest of the attack.

The main targets were the bank’s ATM switching server, the system that routes and authorises ATM transactions, and its hardware security module (HSM), which holds the cryptographic keys used to protect those transactions. With access to both, the attackers hoped to manipulate transaction flows and withdraw funds undetected.

The hacking group behind the attack, tracked as UNC2891, has been active since at least 2017. It is known for targeting financial institutions and for using custom-built malware, particularly for Linux, Unix, and Solaris systems.

To maintain long-term access, the group also compromised a mail server inside the bank. The mail server had permanent internet connectivity and served as a second channel between the attackers and the bank’s network, while an internal monitoring server, which could reach most internal systems, was used to relay traffic between the Raspberry Pi, the mail server, and the rest of the network.

During the investigation, Group-IB researchers noticed unusual behaviour on the monitoring server: it was opening outbound connections every 10 minutes to hosts that did not belong to any known system. Following those connections revealed two hidden endpoints, the planted Raspberry Pi and the compromised mail server.

The attackers went to great lengths to stay hidden. Their backdoor ran under the name “lightdm”, the name of a legitimate Linux display manager, from a non-standard path where the real binary is never installed, and its command line imitated the arguments the real lightdm passes to its session child processes, so a quick look at the process list during a forensic review would raise no suspicion.

To make detection harder still, the attackers used a Linux bind mount, an ordinary system-administration feature, to mount another directory over the backdoor’s /proc/&lt;pid&gt; entry. Tools such as ps and top build their view of running processes from /proc, so the backdoor simply vanished from them: the malware behaved like a rootkit, software that hides its presence from users and security tools, without needing any kernel-level code. The technique is now catalogued in the MITRE ATT&CK knowledge base as T1564.013 (Hide Artifacts: Bind Mounts).
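Two host checks that would surface the tricks described in the last two paragraphs, written here as an added example (this is not Group-IB’s tooling, and the mountinfo lines, process table and PIDs are constructed). The first parses /proc/self/mountinfo and flags any mount whose mount point lies under /proc/&lt;pid&gt;; the second flags processes that call themselves lightdm but run from an executable outside the directories a packaged display manager is installed in (that directory list is an assumption to adjust per distribution).

```python
"""Host checks for two evasion tricks: a process whose /proc/<pid> entry is
hidden under a bind mount, and a backdoor that borrows the name "lightdm".
Example code added to this page; not Group-IB's tooling. All sample data below
is constructed."""
import os
import re

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")

# Constructed mountinfo(5) sample. Entries 90 and 91 show directories
# bind-mounted over /proc/4242 and /proc/4243/fd (hypothetical PIDs).
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
90 22 8:1 /tmp/.x /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
91 22 8:1 /tmp/.y /proc/4243/fd rw,relatime - ext4 /dev/sda1 rw
"""


def find_proc_overmounts(mountinfo_text):
    """Return (pid, mount_point, source_root) for every mount whose mount point
    sits under /proc/<pid>. mountinfo fields: id parent major:minor root
    mount_point options [optional fields...] - fstype source super_options."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        root, mount_point = fields[3], fields[4]
        m = PROC_PID_RE.match(mount_point)
        if m:
            hits.append((int(m.group(1)), mount_point, root))
    return hits


# Constructed process table: (pid, comm, resolved /proc/<pid>/exe, argv).
# 1250 is what a genuine LightDM session child looks like; 4242 is a backdoor
# started from /tmp with an imitation of that command line (hypothetical).
SAMPLE_PROCS = [
    (1201, "lightdm", "/usr/sbin/lightdm", ["/usr/sbin/lightdm"]),
    (1250, "lightdm", "/usr/sbin/lightdm", ["lightdm", "--session-child", "12", "19"]),
    (4242, "lightdm", "/tmp/lightdm", ["lightdm", "--session-child", "11", "19"]),
    (777, "bash", "/usr/bin/bash", ["-bash"]),
]

# Where a packaged display-manager binary legitimately lives. Assumption made
# for this example; adjust to the distribution being checked.
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/")


def find_masquerades(procs, name="lightdm"):
    """Flag processes that present `name` (as comm or argv[0]) but run from an
    executable outside TRUSTED_BIN_DIRS or from a binary already deleted."""
    flagged = []
    for pid, comm, exe, argv in procs:
        shown = os.path.basename(argv[0]) if argv else comm
        if name not in (comm, shown):
            continue
        deleted = exe.endswith(" (deleted)")
        path = exe[: -len(" (deleted)")] if deleted else exe
        if deleted or not path.startswith(TRUSTED_BIN_DIRS):
            flagged.append((pid, exe, " ".join(argv)))
    return flagged


def live_procs():
    """Collect (pid, comm, exe, argv) from the running host (Linux; run as root
    to resolve other users' exe links). Entries that cannot be read, which
    includes any PID directory hidden under a bind mount, are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        procs.append((int(entry), comm, exe, argv))
    return procs


def scan_host():
    """Run both checks against the live host and return their findings."""
    with open("/proc/self/mountinfo") as f:
        overmounts = find_proc_overmounts(f.read())
    return overmounts, find_masquerades(live_procs())


if __name__ == "__main__":
    print("overmounts:", find_proc_overmounts(SAMPLE_MOUNTINFO))
    print("masquerades:", find_masquerades(SAMPLE_PROCS))
```

The mountinfo check is the important one: a process hidden this way is invisible to anything that walks /proc, including the second function, but the mount that hides it has to appear in the mount table of every process in the same mount namespace. Run `scan_host()` from a shell on the suspect host, and read mountinfo from a trusted boot medium if the host’s own tools are in doubt.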

The incident is a reminder to stay alert to how attackers are combining physical access with advanced software tradecraft to get inside environments that look well defended from the outside.

GoldDigger Malware: The Covert Culprit Behind Vanishing Funds

A new Android banking Trojan has been observed stealing money from users of financial apps. Group-IB recently discovered the Trojan, which targets more than 50 Vietnamese banking apps, e-wallet services, and cryptocurrency wallets, with the primary objective of stealing funds.

Identified by Group-IB’s threat intelligence unit and named “GoldDigger”, the Trojan has been active since at least June 2023, and its activity has been tracked since then. Two separate apps were used to deliver the malware: one impersonating a Vietnamese government portal and another impersonating a company in the energy sector.

Researchers do not yet know the exact initial attack vector, but the attackers most likely reached victims through social media, email messages, and other common communication channels.

Those channels were used to redirect victims to at least a dozen fake Google Play websites, which offered the malicious apps for download. Once installed, the app does what most Android banking Trojans do: it asks the user to grant it Accessibility Service permission, which lets it read what is on the screen, capture what the user types, and interact with other apps on the user’s behalf.

A request for permissions far beyond what an app plausibly needs is the most obvious tell of a malicious app. GoldDigger needs that Accessibility access to dig out sensitive data such as passwords. Once the permission is granted, it searches the device for any of the 51 targeted Vietnamese banking, e-wallet, and cryptocurrency wallet apps.
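A triage check that follows from the two paragraphs above, added here as an example (it is not Group-IB’s tooling and does not reproduce GoldDigger’s own code): on a suspect handset, list the third-party apps that currently own an enabled accessibility service and were not installed through Google Play. The adb output embedded below is constructed and every package name except Google Play’s and TalkBack’s is hypothetical.

```python
"""Triage a suspect Android handset for sideloaded apps that hold Accessibility
access, the capability GoldDigger-style Trojans ask for first. Example code
added to this page; not Group-IB's tooling. The adb output below is constructed
and the com.example.* package names are hypothetical."""
import re
import subprocess

PLAY_STORE = "com.android.vending"

# Constructed output of `adb shell pm list packages -3 -i`: third-party apps
# with their recorded installer ("null" means no installer was recorded).
SAMPLE_PACKAGES = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.govportal  installer=null
package:com.example.energyco  installer=com.android.chrome
package:com.example.maps  installer=com.android.vending
"""

# Constructed output of
# `adb shell settings get secure enabled_accessibility_services`:
# colon-separated package/service pairs.
SAMPLE_A11Y = (
    "com.example.govportal/.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


def parse_installers(pm_output):
    """Map package name -> installer package from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def enabled_a11y_packages(setting):
    """Package names that currently own an enabled accessibility service."""
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def find_suspect_a11y(pm_output, a11y_setting):
    """Third-party packages with an enabled accessibility service that did not
    come from Google Play. System packages absent from the -3 list are ignored;
    a Play-installed malicious app would still need separate review."""
    installers = parse_installers(pm_output)
    suspects = [
        (pkg, installers[pkg])
        for pkg in enabled_a11y_packages(a11y_setting)
        if pkg in installers and installers[pkg] != PLAY_STORE
    ]
    return sorted(suspects)


def adb(*args):
    """Run one `adb shell` command against the attached device, return stdout."""
    return subprocess.run(
        ["adb", "shell", *args], capture_output=True, text=True, check=True
    ).stdout


def triage_device():
    """Run the check against a USB-attached device with adb debugging enabled."""
    return find_suspect_a11y(
        adb("pm", "list", "packages", "-3", "-i"),
        adb("settings", "get", "secure", "enabled_accessibility_services"),
    )


if __name__ == "__main__":
    print(find_suspect_a11y(SAMPLE_PACKAGES, SAMPLE_A11Y))
```

In the sample, the browser-installed app is not flagged because it holds no accessibility service, and TalkBack is not flagged because it is not in the third-party list; only the sideloaded “government portal” app with an enabled service comes back. Treat a hit as a lead for manual review of the APK, not as proof of infection.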

When it finds one, GoldDigger extracts the login credentials entered into it, effectively giving the attackers full access to the victim’s financial accounts. The researchers also pointed out a feature they consider unusual for GoldDigger: the malware is packed with Virbox Protector, a commercial software-protection product that obfuscates and encrypts the program.

Virbox Protector is a legitimate product, but here it was put to nefarious use, making the malware substantially harder for security researchers to unpack and analyse. It is not known how many people have fallen for the scam and lost money as a result.

To be on the safe side, install applications only from legitimate sources and treat unexpected links or attachments received by email with suspicion. GoldDigger’s use of Virbox Protector, with its advanced obfuscation and encryption, is what sets it apart from other Android banking Trojans.

By making the code hard for security analysts to decipher, the developers also made it harder for standard fraud-detection mechanisms to recognise the malware. Group-IB says its Fraud Protection suite can detect GoldDigger’s presence on a device.

57% of All Digital Crimes in 2021 Were Scams Says Group IB

Group-IB, headquartered in Dubai, U.A.E., and a prominent name in the cybersecurity world, has recently shared its analysis of the most widespread cyber threat in the world: scams.

According to the analysis, scams accounted for 57% of all financially motivated cybercrime in 2021. Phishing accounted for 18%, while malware infections and reputational attacks made up the remaining 25%. As the scam industry becomes more advanced, it involves more and more participants organised into hierarchical groups.

“A strong trend that we observed in 2021 was no-frills scammers merging into groups controlled by highly technically skilled villains,” says Antony Dolgalev, Deputy Head of Digital Risk Protection at Group-IB. 

The number of such groups reached 390 at its peak, roughly 3.5 times more than the previous year, when the number of active groups was close to 110. Brand-impersonation scams have also jumped sharply.

Group-IB’s analysts reported a 150% increase in scam activity in the Middle East and Africa, notably higher than in APAC, where the growth was 83%, and in Europe, where it was 89%.

Driven by Scam-as-a-Service (SaaS), the number of cybercriminals in a single scam gang grew roughly tenfold in 2021 compared with 2020, to 100 or more.

“Group-IB’s AI-based platform identified somewhere between 75 and 110 scam groups last year, and the average number of cybercriminals per group was 10 members. The average number of scam links per group reached 100. SaaS helped grow not only fraudsters’ appetites but also the industry itself. In 2021 our DRP system tracked 350 groups, reaching up to 390 scam groups at the peak time. The number of cybercriminals in fraudulent groups has increased dramatically, averaging between 100 and 1,000 per group. In turn, their infrastructure has grown proportionally: the average number of scam links per group was between 2,000 and 3,000,” said Antony Dolgalev, Deputy Head of Digital Risk Protection at Group-IB.

The analysts also reported that traffic has become the circulatory system of scams: the number of websites that use illegally obtained traffic to lure victims into fraudulent schemes grew 1.5 times. Cyber gangs have raised the sophistication of their techniques as well. One of them, scam attack automation, is increasingly popular among fraudsters: it lets them draw in specific groups of victims to raise conversion rates, and social media is the fastest route for establishing contact between scammers and their potential victims.