🚨 ATM switch attack involving a Raspberry Pi, CAKETAP rootkit, and new TTPs uncovered.
Following a complex Incident Response operation, Group-IB attributed this sophisticated intrusion to threat actor UNC2891.
Key findings:
🔹 Attackers physically accessed the bank’s infrastructure to plant a Raspberry Pi, connecting it to the same switch as the ATM.
🔹 Their objective? Target the ATM switch server and deploy CAKETAP—a rootkit designed to spoof HSM authorization responses and enable fraudulent cash withdrawals.
🔹 Even after removing the device, attackers maintained persistence via a backdoor on the mail server, using TINYSHELL and Dynamic DNS for C2.
🔹 They leveraged an unpublished anti-forensics technique, now recognized as MITRE ATT&CK T1564.013, allowing them to remain hidden from standard detection tools.
👏 Kudos to the Mandiant team for their work on UNC2891.
Learn how it was uncovered and how to defend against it.
#CyberSecurity #LinuxSecurity #ATMSecurity
🚨 New technical deep-dive: “Ghosts in /proc” 🚨
Attackers are no longer just hiding files; they are rewriting what the OS shows. Our new research demonstrates how adversaries manipulate Linux’s /proc filesystem to spoof process names and corrupt forensic timelines, effectively making malicious activity look benign.
Key Highlights:
🔹Malicious processes spoofing /proc/<pid>/cmdline so tools like ps and top report harmless names
🔹Timeline corruption via modified /proc/<pid>/stat start times, so processes can appear to start in the future
🔹When /proc is trusted in isolation, triage, timeline stitching, and attribution can all fail
🔹Full lab walkthrough, indicators, and practical mitigations included
🔗 Read the full analysis here.
#ThreatIntel #LinuxSecurity #DFIR #CyberSecurity #IncidentResponse
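A worked example of the kind of cross-checks the post alludes to, added here by the editor; it is not Group-IB's code and does not reproduce their lab. Each check pairs a /proc source the process (or an overlaid file) can control with one it cannot easily keep consistent: argv[0] in cmdline against the kernel-maintained exe symlink, the comm field in stat against the exe basename, the stat start time against /proc/uptime (a start after the current uptime is impossible), and /proc/self/mountinfo for anything mounted over an individual /proc entry, which is how a file such as /proc/<pid>/stat can be "modified" without patching the kernel. The sample /proc contents, mountinfo lines, PIDs and paths are constructed; USER_HZ is assumed to be 100 for the offline samples. Legitimate software rewrites argv[0] (sshd, nginx, postgres) and threads rename comm via prctl, so a mismatch is a triage lead, not a verdict.

```python
"""Cross-check /proc process metadata for spoofing (editor's example, not
Group-IB's code). Findings are triage leads, not proof of compromise."""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLK_TCK = 100  # assumed USER_HZ for the offline samples; live: os.sysconf("SC_CLK_TCK")


@dataclass
class ProcView:
    pid: int
    cmdline: bytes        # raw /proc/<pid>/cmdline (NUL-separated argv)
    exe: Optional[str]    # readlink(/proc/<pid>/exe); None for kernel threads / EPERM
    stat: str             # /proc/<pid>/stat


def parse_stat(stat_line: str) -> Tuple[str, int]:
    """Return (comm, starttime_ticks). comm sits in parentheses and may itself
    contain spaces or ')', so split on the LAST ')' before counting fields."""
    rparen = stat_line.rindex(")")
    comm = stat_line[stat_line.index("(") + 1:rparen]
    rest = stat_line[rparen + 1:].split()
    return comm, int(rest[19])  # rest[0] is field 3 (state); field 22 is starttime


def check_process(p: ProcView, uptime_s: float, clk_tck: int = CLK_TCK) -> List[str]:
    findings: List[str] = []
    comm, start_ticks = parse_stat(p.stat)
    argv = p.cmdline.split(b"\0")
    argv0 = argv[0].decode(errors="replace") if argv and argv[0] else ""
    exe_base = os.path.basename(p.exe.replace(" (deleted)", "")) if p.exe else ""

    if argv0 and exe_base:
        # Lenient match: "python3" vs "python3.11" is fine, "[kworker/0:1]" vs "x" is not.
        argv_base = os.path.basename(argv0).lstrip("-")
        if not (exe_base.startswith(argv_base) or argv_base.startswith(exe_base)):
            findings.append(f"pid {p.pid}: cmdline claims {argv0!r} but exe is {p.exe}")
    if argv0.startswith("[") and argv0.endswith("]") and p.exe:
        # Real kernel threads have an empty cmdline and no readable exe link.
        findings.append(f"pid {p.pid}: kernel-thread style name {argv0!r} on a userspace process")
    if exe_base and comm != exe_base[:15]:  # comm is the exec basename truncated to 15 chars
        findings.append(f"pid {p.pid}: comm {comm!r} does not match exe basename {exe_base!r}")
    start_s = start_ticks / clk_tck
    if start_s > uptime_s + 1.0:
        findings.append(f"pid {p.pid}: starttime {start_s:.0f}s after boot but uptime is {uptime_s:.0f}s")
    return findings


def suspicious_proc_mounts(mountinfo: str) -> List[str]:
    """Mount points under /proc other than /proc itself and the usual kernel
    ones; a bind mount over /proc/<pid>/stat or /proc/<pid>/cmdline shows up here."""
    expected = {"/proc", "/proc/sys/fs/binfmt_misc"}
    hits = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4].startswith("/proc") and fields[4] not in expected:
            hits.append(line)
    return hits


def scan_live() -> List[str]:
    """Run the same checks against the running Linux host."""
    with open("/proc/uptime") as f:
        uptime_s = float(f.read().split()[0])
    clk = os.sysconf("SC_CLK_TCK")
    out: List[str] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        out += check_process(ProcView(pid, cmdline, exe, stat), uptime_s, clk)
    with open("/proc/self/mountinfo") as f:
        out += suspicious_proc_mounts(f.read())
    return out


# --- constructed samples (not real captures) ------------------------------
def make_stat(pid: int, comm: str, start_ticks: int) -> str:
    return f"{pid} ({comm}) S 1 {pid} {pid} 0 -1 4194560 1200 0 0 0 5 3 0 0 20 0 1 0 {start_ticks} 16384000 1000"

SAMPLE_UPTIME = 3600.0
SAMPLES = [
    ProcView(1234, b"/usr/sbin/sshd\0-D\0", "/usr/sbin/sshd", make_stat(1234, "sshd", 1500)),        # benign
    ProcView(2, b"", None, make_stat(2, "kthreadd", 0)),                                              # real kernel thread
    ProcView(4242, b"[kworker/0:1]\0", "/tmp/.cache/x", make_stat(4242, "x", 120000)),               # spoofed cmdline
    ProcView(555, b"/usr/bin/cron\0", "/usr/bin/cron", make_stat(555, "cron", 900000)),              # starts "in the future"
    ProcView(777, b"/usr/bin/python3\0agent.py\0", "/usr/bin/python3.11", make_stat(777, "sshd", 2000)),  # spoofed comm
]
MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
36 24 0:36 / /proc/sys/fs/binfmt_misc rw,relatime shared:18 - binfmt_misc binfmt_misc rw
98 24 8:1 /var/tmp/.s /proc/4242/stat rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for p in SAMPLES:
        for finding in check_process(p, SAMPLE_UPTIME):
            print(finding)
    for line in suspicious_proc_mounts(MOUNTINFO):
        print("overlay mount:", line)
```

Running the module prints the findings for the constructed samples; `scan_live()` applies the same logic to a real host and needs root to read every process's exe link. Because all of the evidence here still comes from /proc, treat it as a first pass and corroborate against sources outside the pid's control, such as audit or eBPF execve records and the file system itself.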