In Search of Riches, Hackers Plant 4G-Enabled Raspberry Pi In Bank Network (arstechnica.com)
Hackers from the group UNC2891 attempted a high-tech bank heist by physically planting a 4G-enabled Raspberry Pi inside a bank's ATM network, using advanced malware hidden with a never-before-seen Linux bind mount technique to evade detection. "The trick allowed the malware to operate similarly to a rootkit, which uses advanced techniques to hide itself from the operating system it runs on," reports Ars Technica. Although the plot was uncovered before the hackers could hijack the ATM switching server, the tactic showcased a new level of sophistication in cyber-physical attacks on financial institutions. The security firm Group-IB, which detailed the attack in a report on Wednesday, didn't say where the compromised switching equipment was located or how attackers managed to plant the Raspberry Pi. Ars Technica reports: To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank's monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center. As Group-IB was initially investigating the bank's network, researchers noticed some unusual behaviors on the monitoring server, including an outbound beaconing signal every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic tool to analyze the communications. The tool identified the endpoints as a Raspberry Pi and the mail server but was unable to identify the process names responsible for the beaconing.
The researchers then captured the system memory as the beacons were sent. The review identified the process as lightdm, a process associated with an open source LightDM display manager. The process appeared to be legitimate, but the researchers found it suspicious because the LightDM binary was installed in an unusual location. After further investigation, the researchers discovered that the processes of the custom backdoor had been deliberately disguised in an attempt to throw researchers off the scent.
[Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong] explained: "The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading. Specifically, the binary is named 'lightdm', mimicking the legitimate LightDM display manager commonly found on Linux systems. To enhance the deception, the process is executed with command-line arguments resembling legitimate parameters -- for example, lightdm --session child 11 19 -- in an effort to evade detection and mislead forensic analysts during post-compromise investigations. These backdoors were actively establishing connections to both the Raspberry Pi and the internal Mail Server."
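As an added example (not code from Ars Technica, Group-IB or the bank), a small /proc-based check for the masquerading described above: it flags a "lightdm" whose binary is not where the distro installs it, lives in a user-writable directory, or carries session-child arguments without the real lightdm daemon as its parent. The expected paths, the sample process list and the backdoor's path and argv are constructed assumptions.

```python
import os
from dataclasses import dataclass
# Where the distro installs these daemons (assumption: Debian/Fedora layout;
# replace with the paths from your own golden image).
EXPECTED_EXE = {"lightdm": {"/usr/sbin/lightdm"}, "sshd": {"/usr/sbin/sshd"}}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    exe: str       # readlink(/proc/<pid>/exe)
    cmdline: list  # argv from /proc/<pid>/cmdline

def classify(p: Proc, by_pid: dict) -> list:
    """Reasons this process looks like a masquerade; an empty list means clean."""
    reasons = []
    if p.comm in EXPECTED_EXE and p.exe not in EXPECTED_EXE[p.comm]:
        reasons.append(f"{p.comm} runs from unexpected path {p.exe}")
    if p.exe.startswith(WRITABLE_DIRS):
        reasons.append("binary lives in a user-writable directory")
    # Genuine LightDM session children are forked only by the lightdm daemon,
    # so a '--session...' child whose parent is not that daemon is a forgery.
    if p.comm == "lightdm" and any(a.startswith("--session") for a in p.cmdline[1:]):
        parent = by_pid.get(p.ppid)
        if parent is None or parent.exe not in EXPECTED_EXE["lightdm"]:
            reasons.append("session-child argv but parent is not the real lightdm")
    return reasons

def scan(procs: list) -> dict:
    by_pid = {p.pid: p for p in procs}
    return {p.pid: r for p in procs if (r := classify(p, by_pid))}

def read_proc() -> list:
    """Collect live processes from /proc (Linux; root needed to read every exe link)."""
    out = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            ppid = int(open(f"/proc/{d}/stat").read().rsplit(")", 1)[1].split()[1])
            comm = open(f"/proc/{d}/comm").read().strip()
            exe = os.readlink(f"/proc/{d}/exe")
            argv = open(f"/proc/{d}/cmdline", "rb").read().split(b"\0")
            out.append(Proc(int(d), ppid, comm, exe, [a.decode("utf-8", "replace") for a in argv if a]))
        except (OSError, ValueError):
            continue  # process exited mid-scan or exe link not readable
    return out

# Constructed sample: a genuine LightDM tree plus a backdoor imitating it (invented path/argv).
SAMPLE = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", ["/sbin/init"]),
    Proc(900, 1, "lightdm", "/usr/sbin/lightdm", ["/usr/sbin/lightdm"]),
    Proc(950, 900, "lightdm", "/usr/sbin/lightdm", ["lightdm", "--session-child", "12", "19"]),
    Proc(4242, 1, "lightdm", "/var/tmp/.x/lightdm", ["lightdm", "--session", "child", "11", "19"]),
]
```

On a live host, `scan(read_proc())` runs the same checks against the real process table.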
display manager on a server why pick something th (Score:3)
display manager on a server why pick something that will stand out like that.
Re:display manager on a server why pick something (Score:4, Insightful)
Probably because this was actually a low-sophistication attack and the attackers barely knew what they were doing.
Re: (Score:1)
If the malware is doing process masquerading, it's likely choosing a process semi-randomly so long as the PID is below some threshold and the process lifetime is long running.
The malware was clearly analyzing the system over enough time to record command line parameters with everything else.
It could have just been bad luck.
Had it chosen a kernel worker process or a piece of systemd it likely would have been harder to find.
Lastly, don't forget the fact the bank security team never did find the process proact
Re: (Score:3)
Lastly, don't forget the fact the bank security team never did find the process proactively.
This was unauthorized hardware running the attacker's choice of OS. It was not part of the bank's normal system, running their usual security tools, or with bank-managed accounts -- detecting unauthorized network traffic is a proactive detection mechanism for things like that. On the other hand, why they don't disable and lock down ports on their network switches is a good question.
Re: (Score:2)
why they don't disable and lock down ports on their network switches is a good question.
One problem is that Ethernet is an insecure protocol. So even if they did hypothetically down all unused ports on their switch, any skilled hacker could technically just cut one of the Cat6 cables attached to a copper port somewhere midspan, and then splice in jumpers to and from a device which would pretend to be a transparent bridge: clone the MAC address of the server attached to the port and create a fake bridge.
Re: (Score:2)
No hub, because
switch(config)#feature dhcp
switch(config)#feature port-security
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan 100
switch(config)#ip dhcp snooping verify mac-address
switch(config)#ip arp inspection vlan 100
switch(config)#ip arp inspection validate src-mac dst-mac ip
switch(config)#ip source binding 192.168.44.17 001a.22e4.7761 vlan 100 interface ethernet 1/3
switch(config)#interface ethernet 1/1-20
switch(config-if-range)#speed 1000
switch(config-if-range)#duplex full
switch(config-if-range)#switchport access vlan 100
switch(config-if-range)#switchport port-security
switch(config-if-range)#ip verify source dhcp-snooping-vlan
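Added example, not from the comment above: reconciling the switch's MAC address table against an asset inventory is the kind of plain network management that would surface an unexpected Raspberry Pi on the ATM VLAN. The table excerpt and inventory are constructed (the first binding reuses the MAC from the config above); the Raspberry Pi OUIs come from the IEEE registry and should be refreshed from it for your own environment.

```python
import re

# OUIs registered to Raspberry Pi (Foundation / Trading Ltd) in the IEEE list.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed inventory: MAC -> asset that is allowed to appear on the VLAN.
INVENTORY = {
    "00:1a:22:e4:77:61": "atm-switching-server-01",
    "00:1a:22:e4:77:62": "monitoring-server",
}

# Constructed 'show mac address-table' excerpt in Cisco style.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    001a.22e4.7761    DYNAMIC     Eth1/3
 100    001a.22e4.7762    DYNAMIC     Eth1/4
 100    b827.eb12.3456    DYNAMIC     Eth1/7
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def normalize(cisco_mac: str) -> str:
    """'001a.22e4.7761' -> '00:1a:22:e4:77:61'."""
    hexstr = cisco_mac.replace(".", "").lower()
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text: str) -> list:
    """Parse table rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"vlan": int(m[1]), "mac": normalize(m[2]), "port": m[4]})
    return rows

def audit(rows: list, inventory: dict) -> list:
    """Findings for every learned MAC that is not in inventory, naming Pi OUIs."""
    findings = []
    for r in rows:
        if r["mac"] in inventory:
            continue
        kind = "Raspberry Pi OUI" if r["mac"][:8] in RASPBERRY_PI_OUIS else "unknown vendor"
        findings.append(f"vlan {r['vlan']} port {r['port']}: {r['mac']} ({kind}) not in inventory")
    return findings
```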
Re: (Score:2)
Or just attach a hub to the switch.
I have an old Netgear DS104 dual speed hub for exactly that sort of thing. It was very useful in the past for diagnosing network issues, but there are no Gigabit hubs that I am aware of.
How did they plant (Score:3)
Re: (Score:3)
The Raspberry Pi was connected to the same network switch used by the bank’s ATM system...
Probably simple social engineering. Show up in an outfit that looks like you're an electrician or something else... or just pay a bank employee to let them in and look the other way...
Re: (Score:3)
In an office environment, particularly one with a dress code, coveralls are an invisibility cloak that grants access to any wiring closet.
For conference rooms and such, suit, tie, and a laptop grant a weaker but often effective camouflage.
Re: (Score:3)
In an office environment, particularly one with a dress code, coveralls are an invisibility cloak that grants access to any wiring closet.
People say that a lot, but where I work, utility closets are locked. People need to (depending on the closet) know a combination, have the right badge, or have a physical key. And company policy is to escort people without badges to security.
Re: (Score:3)
People think that utility closets are locked. However, many electrical cabinets have standardized keys, and after a while, every seasoned electrician has one. They have installed many closets / cabinets and each comes with two keys ...
Your security people are on the ball if the cabinets are all individually keyed with random keys, and there is an organized storage location somewhere for the keys. Ideally the cabinets have special locks that are a little more complicated than the average cabinet lock, wh
Re: (Score:2)
Many can be trivially opened using a screwdriver to push the latch back. Some can be slipped with a credit card or laminated ID.
Re: (Score:2)
People think that utility closets are locked. However, many electrical cabinets have standardized keys
I'm confused. Utility closets and electrical cabinets are not the same thing. A utility closet itself should be locked with a standard full-sized wooden or steel security door using standard door locks, possibly with an electronic strike and keycard access just like any other door to a secure area. It doesn't matter how the electrical cabinets are keyed, since you need utility closet access before you
Re: (Score:2)
The electrical cabinets are cheap wafer locks, all similarly keyed, but a simple jiggler will open them.
That's why you're supposed to put those electrical cabinets in a locked room, usually called something like "Electrical Room". There you can put a real lock on the door: either a standard lock or an electronic lock requiring a keycard.
From my experience, the open electrical cabinets employees have access to typically aren't locked - they may have a lock, but it's universally unlocked because they're
Re: (Score:2)
It sounds like your employer is unusually diligent about it.
mystery process image is privacy-edited (Score:3)
... And the other thing that would scream to me was the output of their forensic tool, which looks to me like the output of netstat and basically shows a raspberry_pi host. I'd be WTF, why is there a Pi on our internal network? Not why is lightdm sending a packet to the Pi.
lol, the thing that screams at me is that the 'forensic tool' image has obviously had the IPs removed for privacy. "[redacted]", "[raspberry_pi]", and "[mail_server]" are all clearly placeholders put in for publication, not the three actual hostnames the researchers found on the bank network.
Re: (Score:2)
They should be treating that as information known by the hackers of the world (because the hackers no doubt would have possibly shared all that info), enforcing an IP address change, and just publishing the true IPs.
Re: (Score:2)
How did the hackers get physical access to the bank to plant the pi?
Many heists have inside help.
Re: (Score:3)
Wear a high-vis vest, have a hardhat dangling from your belt, a lanyard with some id, and carry a clipboard.
Nod to security as you walk past.
Re: (Score:3)
My take would be inadequate physical security. When I do IT Security audits, I ask things like how cable connections between different levels of a building get secured. The answers I have gotten rank from "armored conduit" and VPN to "we do not know" and "Just regular cabling, why do you ask?".
My take is there were exposed cables or an accessible switch-box or electrical cabinet and no adequate security for those data lines. Also remember that some networking people do not understand how a VLAN works (it is
Re: (Score:2)
Overall, there probably was not a lot of actual sophistication in this attack, even if the clearly sensationalist reporting tries to give a different impression.
I fully agree, and by trying to describe the supposed sophistication of the attack the article confirms your point as well. A breathless description of how they used a well-known process name "and even the command line args looked legit!!!1!eleven!!" makes more fun of the hackers than it pays them respect.
One other thing this bank should look at: why was it so easy for these hackers to own the mail server? This should be one of the best defended servers in the whole network, and the article makes it sound like t
Re: (Score:2)
One other thing this bank should look at: why was it so easy for these hackers to own the mail server? This should be one of the best defended servers in the whole network, and the article makes it sound like that was the first bank server to fall flat on its face ...
Indeed. Mail servers need to interact with anybody (anybody not on an IP blacklist, that is). Hence they need to be hardened as well as possible.
Re: (Score:2)
Indeed. But I think the focus is so much on logical security that many people overlook what it actually all rests on. Losing sight of the forest because of all the new trees, essentially.
Re: (Score:2)
The answers I have gotten rank from "armored conduit" and VPN to "we do not know" and "Just regular cabling, why do you ask?".
Unfortunately they don't seem to know the right way to do it. Which is to have the cables run through a dedicated shaft that is just barely wide enough for cable bundles to fit through with the chase inside a dedicated room on each floor. That dedicated room is also the dedicated network room for the floor, and a Large dragon that eats humans is to be placed in the room befor
Re: (Score:2)
This is the real world, not "Mission Impossible".
Re: (Score:2)
Because they watched Mr Robot and hence knew it was normal for extra Raspberry Pis to be lying around.
Re: (Score:2)
The article glosses over the elephant in the room. How did the hackers get physical access to the bank to plant the pi.
A pen tester story goes like this: one side of a door is locked while the other side unlocks with motion detection. So the pen tester slides a blow-up sex doll under the door and starts inflating it until the door opens. I'm not saying this is what happened, yet it remains a possibility.
Re: (Score:2)
LOL - and here I have just been using an upside down can of air-duster..
Re: (Score:2)
The article glosses over the elephant in the room. How did the hackers get physical access to the bank to plant the pi.
A long time ago I was working in the offices of a major bank as a support tech. We had some boutique subsidiary operations run by young men I would charitably describe as "clowns". One day I got a call to their office to fix their "internet connectivity". After some digging and questioning I found out that the Young Immortals running this operation had got tired of the limitations of their
Re: (Score:2)
You said 'a long time ago' so you could be forgiven for the lack of NAC etc, but no dhcp/helper and snooping?
Even with access to wire closet, no DSL installer should have been able to get off the ground in the first place, not in the last 25 years anyway.
Re: (Score:2)
Even with access to wire closet,
Well yes, but it happened anyway. From what I could see the install was not working (the reason the idiots had raised a ticket with the support desk) since there was no actual accessible route from the cowboys' desktops to the modem/router in the wiring cabinet, and AFAIK there wasn't a phone line connection either (this was in the days of ADSL). I still unplugged the router's Ethernet cable from the bank's switches and then reported the situation to my boss. Next time I
Watch the Hackers documentary from 1995 (Score:2)
It shows exactly how the HaX0r Cereal Killer did it.
I am disappointed. (Score:3)
"Disappointed" means feeling sad, discouraged, or let down because something didn't happen as expected or hoped for. It can also refer to being inadequately equipped or appointed. The word originates from the French "desappointer," meaning to fail to keep an appointment, according to Vocabulary.com.
Seems like the script kitties and hackers have no appreciation for how hard people worked so they can get their nut off. They don't even have to learn how a transistor works, nor what a for loop is, they just buy shit off of the Tor network, and abuse other people.
Re: (Score:2)
How do you know they're not grateful and awed that they can scam other people? You need not be disappointed on that count.
But in point of fact, this attack doesn't sound at all like it was implemented by an amateur.
Re: (Score:2)
If you think professionals have ethics then you've never worked a professional job.
Re: (Score:2)
An ethics of one.
Re: (Score:2)
A professional is paid, an amateur is not.
Absolutely nothing to do with ethics.
A professional is less likely to have ethics because money is their primary motivator, whereas an amateur may have more altruistic motivations.
Re: (Score:3)
Seems like the script kitties
The phrase is "script kiddies", meaning young guys who know how to execute a script but don't understand how it works.
"Script kitties" is a funny visual, though. Thanks for that :-)
Re: (Score:2)
Seems like the script kitties
Meow. Script kiddies bro. Be wary of using words you have only heard.
And that is why you authenticate and encrypt (Score:2)
Even in networks you trust. Then something like this is blatantly obvious and even simple network management catches it.
Damn I! Do you know how much planning (Score:2)
Damn I! Do you know how long and how much planning was involved!?!?!?!?
Straight out of a tv show (Score:2)
In the series Mr. Robot, Rami Malek uses social engineering (and plot holes galore) to gain physical access to a document security company and attaches a Raspberry Pi to the internal network, using it to wipe all data for Evil Corp at that location in coordination with the backup site in China.
Makes one wonder if these folks saw it and thought, "We can do that."
Re: (Score:2)
Just started watching this show last week. The best screen writers research the subject matter instead of pulling stupid stuff out of their ass because it would look cool on screen. My guess is that they spent a lot of time at DEFCON and other hacker events so the idea likely has been around for a while. The implementation details are new information.
Re: (Score:2)
It goes downhill in season 2. I'm debating if I want to continue.
Also, the entire Steel Mountain portion has so many plot holes it makes Swiss cheese look like a solid wall.
Ah like MS-DOS JOIN and SUBST eh! (Score:2)
Re: (Score:2)
That brings me back, we discovered that you could send a malformed IPX/SPX packet to any computer on the network and it would instantly reboot when the network stack crashed. And so DIE.EXE was born and was used on unsuspecting targets during the weekly and very unofficial beer and snipes [wikipedia.org] tournament at the office.