Recent analysis from Group-IB reveals that UNC2891's operation has compromised dozens of financial institutions since 2017, exposing urgent gaps in both physical and digital security controls.
UNC2891’s innovation lies not just in malware, but in how they fuse physical access with cyber tools.
Investigators discovered that the group physically installed Raspberry Pi computers, credit-card-sized devices known for their versatility and affordability, directly inside bank networks, often near ATM transaction switches.
Equipped with 4G modems, these covert gateways gave the attackers real-time, undetected backdoor access over an out-of-band cellular link, bypassing the banks' traditional perimeter defenses because the command traffic never crossed the monitored network border.
This bold tactic underscores a crucial lesson: in the cybercrime landscape, physical access remains just as critical as digital hygiene.
The smallest, simplest devices can open the gates to multimillion-dollar thefts if they slip past physical security checks.
UNC2891 couples these physical intrusions with deep expertise in Linux and Unix environments. Researchers traced at least six custom malware families to the group, including CAKETAP, SLAPSTICK, and TINYSHELL.
These tools allow attackers to monitor, intercept, and manipulate ATM transaction flows on the fly, all while evading detection.
Their operational security is formidable, leveraging anti-forensics measures like Linux bind mount abuse to avoid leaving traces and enable stealthy lateral movement within compromised bank systems.
Remarkably, these efforts appear to have allowed UNC2891 to remain undetected for as long as seven years, an eternity in cybersecurity terms.
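One defensive check that follows from the bind-mount abuse mentioned above: Linux exposes every mount, including bind mounts, in /proc/self/mountinfo, so a host audit can parse that file and flag anything layered over /proc. The script below is an added example, not Group-IB's tooling or anything attributed to UNC2891; it assumes, as an illustration, that the anti-forensics takes the shape of a filesystem mounted over a per-process /proc/<pid> directory, which the article itself does not spell out. The sample mountinfo text is constructed for the example.

```python
"""Audit /proc/self/mountinfo for mounts layered over /proc.

Added example (not code from the article, Group-IB, or the attackers). The
mount-over-/proc/<pid> pattern it looks for is an assumption made here for
illustration; the page only states that bind mounts were abused to avoid
leaving traces.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in mountinfo layout; the two /proc/<pid> entries are the suspicious ones.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
29 22 0:29 / /proc/sys/fs/binfmt_misc rw,relatime shared:15 - autofs systemd-1 rw,fd=30
31 28 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 31 8:1 /var/tmp/.cache /proc/4711 rw,relatime shared:1 - ext4 /dev/sda1 rw
41 31 0:39 / /proc/1337 rw,relatime - tmpfs tmpfs rw
42 31 8:1 /home /home rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Filesystem types that legitimately appear under /proc on common distributions.
EXPECTED_PROC_FSTYPES = {"proc", "binfmt_misc", "autofs", "nfsd"}

# Matches a per-process directory such as /proc/4711, or any path below it.
PID_DIR_RE = re.compile(r"^/proc/\d+(?:/|$)")


@dataclass
class Finding:
    mount_id: int
    mount_point: str
    root: str       # path inside the source filesystem; "/" unless it is a bind mount
    fstype: str
    is_bind: bool
    reason: str


def unescape_field(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal escapes (e.g. \\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str):
    """Yield (mount_id, root, mount_point, fstype) per line.

    Layout: id parent major:minor root mount_point opts [optional ...] - fstype source superopts
    The " - " separator is unambiguous because paths have their spaces escaped.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        if not sep:
            continue  # malformed line: skip it rather than abort the audit
        lf = left.split()
        rf = right.split()
        if len(lf) < 6 or not rf:
            continue
        yield int(lf[0]), unescape_field(lf[3]), unescape_field(lf[4]), rf[0]


def audit_mountinfo(text: str) -> List[Finding]:
    """Return one Finding per mount under /proc that a defender should examine."""
    findings: List[Finding] = []
    for mount_id, root, mount_point, fstype in parse_mountinfo(text):
        if mount_point != "/proc" and not mount_point.startswith("/proc/"):
            continue
        is_bind = root != "/"  # a bind mount exposes a sub-path of its source filesystem
        if PID_DIR_RE.match(mount_point):
            reason = "filesystem mounted over a per-process /proc directory"
        elif fstype not in EXPECTED_PROC_FSTYPES:
            reason = f"unexpected filesystem type {fstype!r} under /proc"
        else:
            continue
        findings.append(Finding(mount_id, mount_point, root, fstype, is_bind, reason))
    return findings


if __name__ == "__main__":
    # Run against the live host; prints nothing on a clean system.
    with open("/proc/self/mountinfo") as fh:
        for f in audit_mountinfo(fh.read()):
            print(f"mount {f.mount_id}: {f.mount_point} ({f.fstype}, root={f.root}, bind={f.is_bind}): {f.reason}")
```

On the constructed sample the audit reports mount 40 (an ext4 bind mount of /var/tmp/.cache placed over /proc/4711) and mount 41 (a tmpfs over /proc/1337) and stays silent on the normal proc, binfmt_misc and /home entries. Reading /proc/self/mountinfo from a forensic shell is cheap, but note it reflects the mount namespace of the process that reads it; a thorough check iterates the namespaces of other processes as well.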
Beyond digital compromise, UNC2891’s blueprint incorporates a full-scale money-mule network. The group recruits intermediaries via Telegram and even Google Ads, directing them to specific ATMs and supplying cloned cards.
These mules physically withdraw stolen funds, completing a criminal circuit that functions as a modern cybercrime ecosystem rather than an isolated hacking incident.
| CVE-ID | Malware Family | Affected Platform | Impact | CVSS Score | Exploit Prerequisites |
|---|---|---|---|---|---|
| CVE-2019-10649 | TINYSHELL | Linux/Unix | Remote Code Execution | 8.8 | Network access, credentials |
| CVE-2021-3156 | CAKETAP | Linux/Unix | Privilege Escalation | 7.8 | Shell access |
| CVE-2021-4034 | SLAPSTICK | Linux (Polkit) | Local Privilege Escalation | 7.8 | Local user on system |
ATM networks are increasingly targeted as “weakest links” in banking security. The UNC2891 case highlights that overlooked physical vulnerabilities easily undermine substantial investments in digital security.
Rigorous physical asset monitoring and a multilayered defense strategy that addresses both network and hardware security are essential to counter hybrid threats posed by groups like UNC2891.
The post UNC2891 Hackers Using Cloned Cards and Raspberry Pi to Steal Cash from ATMs appeared first on Cyber Security News.