The single-board computer was physically connected to the ATM network switch, creating an invisible channel into the bank's internal network, allowing the attackers to move laterally and deploy backdoors.
Hackers plant 4G Raspberry Pi on bank network in failed ATM heist

While LightBasin failed at the heist, the incident is a rare example of an advanced hybrid (physical + remote access) attack that employed several anti-forensics techniques to maintain a high degree of stealth.
The particular group is notorious for attacking banking systems, as Mandiant highlighted in a 2022 report presenting the then-new Unix kernel rootkit "Caketap," created for running on Oracle Solaris systems used in the financial sector.
Caketap manipulates Payment Hardware Security Module (HSM) responses, specifically the card verification messages, to authorize fraudulent transactions that the bank's systems would otherwise block.
Active since 2016, LightBasin has also successfully attacked telecommunication systems for years, using the TinyShell open-source backdoor to move traffic between networks and route it through specific mobile stations.
Raspberry Pi
In the latest case, LightBasin gained physical access to a bank branch either on their own or by bribing a rogue employee who helped them to install a Raspberry Pi with a 4G modem on the same network switch as the ATM.
The device's outbound internet connectivity capabilities enabled the attackers to maintain persistent remote access to the bank's internal network while bypassing perimeter firewalls.
The Raspberry Pi hosted the TinyShell backdoor, which the attacker used to establish an outbound command-and-control (C2) channel over mobile data.
In the subsequent phases of the attack, the threat actors moved laterally to the Network Monitoring Server, which had extensive connectivity to the bank's data center.
Image source: Group-IB
From there, the attacker also pivoted to the Mail Server, which had direct internet access, giving them persistence even after the Raspberry Pi was discovered and removed.
The backdoors used in lateral movement were named 'lightdm' to mimic the legitimate LightDM display manager found on Linux systems, so they appeared innocuous.
Another element that contributed to the attack's high degree of stealth was LightBasin mounting alternative filesystems like tmpfs and ext4 over the '/proc/[pid]' paths of the malicious processes, essentially obscuring the related metadata from forensics tools.
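The over-mount trick above relies on the fact that tools such as ps and lsof read a process's metadata from /proc/[pid]; if an empty tmpfs or ext4 image is mounted on top of that directory, the real files are hidden. The mount itself, however, still shows up in the mount table of the same mount namespace. The following script, an added example that is not from the article or from Group-IB, parses a /proc/mounts-style listing and flags any mount whose mount point sits on a /proc/<pid> path. The sample mount table is constructed for illustration; on a live host you would pass the contents of /proc/self/mounts instead.

```python
import re

# Constructed sample of /proc/self/mounts, with two over-mounts planted on
# /proc/<pid> directories among ordinary entries. Not from a real system.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /proc/4117 tmpfs rw,relatime 0 0
/dev/loop0 /proc/4203 ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Matches a mount point that is exactly /proc/<pid> or anything beneath it.
# /proc/sys, /proc/net and similar names do not match because they are not numeric.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mounts(text):
    """Parse /proc/mounts (fstab-style) lines into (source, mountpoint, fstype) tuples.

    The kernel escapes spaces in mount points as the octal sequence \\040, so
    decode that before comparing paths.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        src, mnt, fstype = fields[0], fields[1], fields[2]
        mnt = mnt.replace("\\040", " ")
        entries.append((src, mnt, fstype))
    return entries


def find_proc_overmounts(text):
    """Return [(pid, source, fstype)] for every mount sitting on a /proc/<pid> path.

    Nothing legitimate mounts there, so any hit means a process's metadata is being
    hidden from tools that read /proc. The mount stays visible in the mount table
    unless the attacker also moved it into a private mount namespace, so for a
    thorough check run this in each mount namespace found under /proc/*/ns/mnt.
    """
    hits = []
    for src, mnt, fstype in parse_mounts(text):
        m = PROC_PID_RE.match(mnt)
        if m:
            hits.append((int(m.group(1)), src, fstype))
    return hits


if __name__ == "__main__":
    # Check the constructed sample; swap in open("/proc/self/mounts").read() on a live host.
    for pid, src, fstype in find_proc_overmounts(SAMPLE_MOUNTS):
        print(f"suspicious: {fstype} from {src} mounted over /proc/{pid}")
```

On the sample data the script reports PIDs 4117 and 4203. A complementary check on a live system is to compare the PID directories listed in /proc against the processes a tool like ps returns; a PID that exists as a directory but yields no /proc/<pid>/status is another sign of this technique.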
Based on Group-IB's investigation, the Network Monitoring Server inside the bank network was found beaconing every 600 seconds to the Raspberry Pi on port 929, indicating that the device served as a pivot host.
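A fixed 600-second check-in to an internal host on an unusual port is the kind of pattern that stands out in network flow records even when the traffic itself looks harmless. The script below, an added example that is not part of the article or of Group-IB's analysis, groups flow records by (source, destination, destination port) and flags groups whose inter-arrival times are nearly constant. The flow records, IP addresses and timestamps are all constructed; only the 600-second interval and port 929 come from the article.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records as (epoch seconds, src, dst, dst_port); not real telemetry.
# 10.20.0.15 stands in for the monitoring server and 10.20.0.201 for the rogue
# device on the ATM switch; 10.20.0.40 is ordinary, irregular HTTPS traffic.
SAMPLE_FLOWS = [
    (1_700_000_000 + i * 600 + jitter, "10.20.0.15", "10.20.0.201", 929)
    for i, jitter in enumerate([0, 3, -2, 5, 1, -4, 2, 0])
] + [
    (1_700_000_000 + t, "10.20.0.15", "10.20.0.40", 443)
    for t in (12, 75, 80, 700, 2950, 3000, 3001, 4100)
]


def find_beacons(flows, min_count=6, max_cv=0.05):
    """Report (src, dst, dport) groups whose connection timing looks like a beacon.

    A beacon is identified by a low coefficient of variation (stdev / mean) of the
    gaps between successive connections; max_cv=0.05 tolerates a few seconds of
    jitter around a 600-second period. Groups with fewer than min_count flows are
    skipped because a handful of connections cannot establish a rhythm.
    Returns {(src, dst, dport): mean_interval_seconds}.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)

    beacons = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(deltas) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(SAMPLE_FLOWS).items():
        print(f"beacon candidate: {src} -> {dst}:{dport} every ~{period}s")
```

On the constructed data only the port 929 series is reported, with a period of 600 seconds. In practice you would feed the function a day of NetFlow or Zeek conn.log records and pair a hit with context such as the destination being an unmanaged device or the port having no known service, both true of the pivot host in this case.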
The researchers say the attackers' ultimate goal was to deploy the Caketap rootkit, but that plan was foiled before it could materialize.