Hackers plant 4G Raspberry Pi on bank network in failed ATM heist
The UNC2891 hacking group (also tracked as LightBasin) carried out a hybrid physical-and-network attack on a bank: a 4G-equipped Raspberry Pi was plugged directly into the ATM network switch, giving the attackers a covert channel that bypassed the bank's perimeter defenses and functioned as an invisible backdoor.

The threat actors, who obtained physical access either on their own or through a rogue employee, used the device to host the TinyShell backdoor, with outbound command-and-control traffic carried over mobile data rather than the bank's monitored links. From there they moved laterally to the Network Monitoring Server and the Mail Server while maintaining persistence.

The attack relied on advanced anti-forensics techniques, including disguising backdoors as legitimate ‘lightdm’ processes and mounting alternative filesystems over process metadata so that forensic tools reading it would see decoy information instead of the malicious process. The ultimate goal was to deploy the group's Caketap rootkit to spoof ATM authorization responses and enable fraudulent cash withdrawals, but the intrusion was detected and stopped before that objective was completed.
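One defensive check suggested by the anti-forensics step described above, added here as an example that is not from the article or from any vendor report: a Python script that reads the Linux mount table and flags any filesystem mounted directly over a /proc/<pid> directory, which is what causes tools that read /proc to see substituted metadata instead of the real process. The sample mount table is constructed; the PIDs, device names and the `scan_live_host` helper are assumptions for illustration.

```python
import re
from pathlib import Path

# Constructed sample of /proc/mounts from a host where two bind/overlay mounts
# sit on top of /proc/<pid> directories (PIDs 4242 and 1337 are made up).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=403344k,mode=755 0 0
/dev/sda1 /proc/4242 ext4 rw,relatime 0 0
tmpfs /proc/1337 tmpfs rw 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Matches a mount point that is exactly a per-process directory under /proc.
PID_MOUNT = re.compile(r"^/proc/(\d+)/?$")


def find_proc_overlays(mounts_text):
    """Return [(pid, fstype, source)] for every mount whose mount point is a
    /proc/<pid> directory. /proc itself and legitimate subtrees such as
    /proc/sys/fs/binfmt_misc do not match, so any hit is worth examining
    (compare the PID against ps output and /proc/<pid>/exe from a trusted tool).
    """
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        # /proc/mounts escapes spaces in paths as \040; undo that before matching.
        source, mountpoint, fstype = fields[0], fields[1].replace("\\040", " "), fields[2]
        match = PID_MOUNT.match(mountpoint)
        if match:
            hits.append((int(match.group(1)), fstype, source))
    return hits


def scan_live_host(path="/proc/mounts"):
    """Run the same check against the running host's own mount table."""
    return find_proc_overlays(Path(path).read_text())


if __name__ == "__main__":
    for pid, fstype, source in find_proc_overlays(SAMPLE_MOUNTS):
        print(f"/proc/{pid} is shadowed by a {fstype} mount from {source}")
```

Because a rootkit that hides processes may also filter the mount table, corroborate results with /proc/self/mountinfo or with `findmnt` run from a known-good live-response toolkit rather than the host's own binaries.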