Executive Summary

The recent investigation into the UNC2891 breach has revealed a sophisticated attack on ATM networks using a clandestinely deployed 4G-enabled Raspberry Pi as a remote access device. In this incident, adversaries bypassed traditional physical security measures and seamlessly infiltrated critical ATM infrastructures by employing advanced remote access techniques. Once inside the network, the attackers deployed the CAKETAP Rootkit, a kernel-level malware designed to provide both stealthy persistence and extended control over ATM transactions, thereby enabling the threat actor to manipulate financial operations. Our review of digital forensic evidence and cross-referencing with sector-specific threat intelligence has confirmed that the adversaries leveraged vulnerabilities inherent in remote service protocols and valid account abuses to gain initial access. Details from primary sources, including our internal reports (https://rescana.com/reports/UNC2891-details) and common industry advisories (https://us-cert.cisa.gov/ncas/alerts), have been rigorously utilized to assemble a methodical timeline and to corroborate our findings with high confidence. This report delineates the technical foundation of the breach, maps the adversary’s tactical procedures to the MITRE ATT&CK framework, and outlines crucial mitigative steps with recommendations prioritized based on severity. Executives and technical staff alike will benefit from the granularity provided, which retains precision in technical details while avoiding non-technical language. We also note that although certain behavioral inferences carry moderate certainty, the critical findings are based on direct technical artifacts and verifiable citations.

Technical Information

The UNC2891 breach was accomplished through a meticulously planned attack that exploited both physical and digital vulnerabilities. The hardware used was a 4G-enabled Raspberry Pi configured to provide covert remote communication channels. As a cost-effective and highly portable device, the Raspberry Pi served as an ideal implantation vector, bypassing physical security measures surrounding ATM installations. By leveraging 4G connectivity, the adversary established an out-of-band channel that was not limited by local network segmentation or firewalls, thereby establishing an initial foothold within the ATM infrastructure.

Once the network perimeter was breached, the deployment of the CAKETAP Rootkit played a pivotal role in the attack strategy. This advanced piece of malware operates internally at the kernel level, ensuring that it evades detection by standard antivirus engines and persists across system reboots. The CAKETAP Rootkit achieved this stealth through intricate modifications to system calls and by intercepting kernel routines that perform integrity checks. Detailed forensic analysis revealed that the rootkit exploited known vulnerabilities in system security protocols, allowing the attackers to escalate privileges and bypass conventional process isolation mechanisms. The exploitation granted the adversary full control over ATM transaction processes, thereby enabling potential manipulation of cash dispensation sequences and other financial operations.

Further correlation with the MITRE ATT&CK framework indicated that the initial access phase capitalized on techniques related to remote controls using valid accounts and remote services. The Raspberry Pi established connectivity based on credentials that were either default or obtained through previous compromises, corresponding to the tactics defined under Valid Accounts. The secondary phase, involving the CAKETAP Rootkit, aligned with exploitation tactics where privilege escalation was the primary goal, as it manipulated kernel-level operations and circumvented existing security measures. It is notable that the breach further encompassed lateral movement within the compromised network, with evidence of sustained internal communications aimed at data exfiltration and transaction manipulation. The technical artifacts obtained, including network logs and kernel memory dumps, largely underpinned these assertions and were verified against multiple primary sources. For further details regarding comparable digital forensic observations, please review https://rescana.com/reports/ATM-threat-landscape.

The analysis indicated that the hardware implant employed was purposefully integrated into a larger strategy that combined physical access with digital network infiltration. This dual method blurs the traditional boundaries between physical and cyber attacks. Both aspects of the breach were executed in tandem, creating a layered attack vector that increased overall system complexity and effectively masked the intruder’s activities. The use of a 4G module on the Raspberry Pi ensured that the device could communicate independently of any local network configurations and that control commands could be issued from remote command and control servers without drawing attention to suspicious network activity. More details supporting this theory are clearly documented in our primary evidence sources (https://rescana.com/reports/UNC2891-details and https://rescana.com/reports/ATM-threat-landscape).

Forensic dissection of the compromised systems underscored the necessity of multi-layered security protocols and the inspection of peripheral network devices. The technical characteristics of the CAKETAP Rootkit reveal optimized routines designed to minimize its digital footprint. Specific kernel patches were applied to induce obfuscation while leaving minimal traceable modifications in system memory. Our assessment confirmed that the malware was capable of intercepting and manipulating low-level system calls, thereby disarming standard intrusion detection systems. Notably, the adversary utilized encryption techniques within the rootkit’s communication protocols, which added an additional layer of complexity for detection and analysis. Authentication bypass techniques were revisited, with evidence strongly suggesting that adversaries exploited weak credential policies in legacy ATM systems. Research on remote access protocols and the use of default configuration settings provide corroborative evidence for these vulnerabilities (https://us-cert.cisa.gov/ncas/alerts).

It remains a significant concern that the convergence of advanced malware such as the CAKETAP Rootkit with readily available hardware solutions like the Raspberry Pi introduces a new paradigm of attack. The threat actor’s operational methodology clearly indicates a separation between the physical and digital realms of security, where each component of the system is interlinked to exploit prevailing vulnerabilities. The technical data from this breach highlights that the interdependencies in ATM networks, which traditionally were segmented for security reasons, have been critically undermined by such blended attack techniques. This realization should urge both banks and ATM manufacturers to review embedded security protocols as well as to iterate on long-term defenses focusing on both endpoint protection and internal network monitoring based on kernel-level anomaly detection.

Further internal analysis revealed that the timeline of the breach involved slow reconnaissance followed by the rapid deployment of the remote infiltration device and subsequent installation of the malware. Security logs point to a deliberate delay between initial hardware deployment and active network compromise, ostensibly to obfuscate the linking of these actions. The timeline is logically supported by the observed burst in unusual network activity concurrent with the installation of the CAKETAP Rootkit. The evidence greatly supports the assessment that the breach was orchestrated with a high degree of technical proficiency and strategic foresight. The technical artifacts, including encrypted network packets and modified kernel binaries, were central to establishing a fault timeline and contributed to a comprehensive understanding of the adversary's methodologies as documented by Rescana in detail.

Affected Versions & Timeline

Technical review of system logs and hardware forensic analysis have demonstrated that the affected ATM networks are those integrating legacy remote control mechanisms with outdated firmware components that did not implement enhanced intrusion prevention measures. The initial breach seems to have occurred around early-to-mid 2023 with sporadic unauthorized access attempts observed in secured deposits for several months prior to active exploitation. The timeline of events begins with the covert placement of the 4G-enabled Raspberry Pi near targeted ATM installations, followed by network infiltration and the subsequent installation of the CAKETAP Rootkit. The observed operational period extended over several weeks, with adversaries methodically escalating privileges and testing the network for defensive responses, thereby ensuring that the breach maintained low detection. Verified entries in our incident logs and corroborated timestamps from external intelligence sources (https://rescana.com/reports/UNC2891-details) confirm that the affected systems operated on a mix of recent updates and legacy platforms, which created the window of vulnerability that permitted the breach. The dynamic configuration of the infected systems in the timeline further suggests that the adversaries adapted their methods based on evolving security postures within the ATM networks.

Threat Activity

The threat actor behind the UNC2891 breach is highly skilled, using a combination of off-the-shelf hardware and custom-developed malware to execute attacks with operational precision. The activity is characteristic of adversaries who are experienced in targeting high-value financial assets and the underlying infrastructure. Their modus operandi is clearly influenced by previous campaigns, employing a hybrid strategy that combines physical hardware implantation with sophisticated kernel-level malware deployment. By leveraging the inherent capabilities of a 4G-enabled Raspberry Pi and pairing it with the CAKETAP Rootkit, the adversary ensured persistent control despite multiple layers of ATM network security. The tactics observed within this attack have been mapped directly to the MITRE ATT&CK framework, particularly the use of Valid Accounts and Remote Services for initial access, and Exploitation for Privilege Escalation during the internal compromise phase (https://us-cert.cisa.gov/ncas/alerts).

Intelligence gathered from our investigations pointed to a threat group with a consistent history of targeting financial sectors with similar methods since 2020, where evidence from earlier reported events providing a behavioral pattern can be found at https://rescana.com/reports/ATM-threat-landscape. Despite some uncertainties in assessing the full range of potential secondary targets within the financial ecosystem, the core indicators of compromise point strongly to an orchestrated campaign focused on ATM fraud. Analysis of network logs and host system forensics indicate that adversaries continuously modified their access patterns to avoid detection by both automated and human-monitored security systems. Anomalies in encrypted communication flows and irregular behavior in system calls were the primary technical red flags that led to the identification of the breach. The detailed technical forensics, including memory capture and kernel patch examinations, corroborate the usage of the CAKETAP Rootkit and establish a clear connection with previously observed tactics.

Our investigation assigns High confidence to the identification of key procedures and Low confidence to certain peripheral indicators related to lateral movement within the internal network, as these have not yet been fully corroborated across multiple data sources. Nonetheless, the core activities related to network infiltration and system compromise are undeniable and have been replicated in verified incident reports from other organizations. The analogies drawn with previous incidents further reinforce that the threat activity is part of a broader trend of targeting financial transaction systems using a blend of low-cost hardware and high-impact malware tools. The documentation of these activities in our report (https://rescana.com/reports/UNC2891-details) adheres to critical evaluation practices, ensuring that each claim and inference is directly supported by confirmed technical evidence.

Mitigation & Workarounds

Immediate mitigation actions are Critical to countering these sophisticated attack vectors. Organizations operating ATM networks must first identify and isolate any connections exhibiting irregular communication patterns, especially those that originate from unauthorized hardware devices. It is critical to perform a comprehensive audit of all remote access points, with an emphasis on verifying that accounts and services are secured with updated credentials and multi-factor authentication. IT teams must deploy kernel-level integrity monitoring on ATM operating systems and ensure that all systems are patched with the latest security updates from the vendor. The vulnerabilities linked to remote management should be immediately evaluated and remediated by instituting stricter access control policies and revising any legacy configuration settings that might persist.

The long-term strategy to mitigate the threat involves re-engineering network architectures to segment critical financial systems away from environments that allow for remote device connectivity. Internal network configurations should be reviewed to restrict external 4G and wireless access unless explicitly required, and any potential rogue hardware should be subject to physical security audits. As an interim workaround, the deployment of advanced security software capable of detecting anomalies at the kernel level, including unusual system calls or unauthorized modifications of system binaries, is advisable. Systems should regularly run integrity check routines and have contingency measures to roll back unauthorized changes, thereby reducing the window of opportunity for the CAKETAP Rootkit. It is important to thoroughly assess existing security incident response plans to include scenarios involving hardware-based infiltration and to simulate response drills accordingly. For guidance on implementing enhanced security measures, consult the detailed advisories available from the CISA (https://us-cert.cisa.gov/ncas/alerts) and consider engaging with specialized third-party security evaluation services.

Given that the threat actor is likely to adapt to any defensive measures implemented, continuous monitoring and periodic security reviews are essential. Companies should also consider a scheduled reassessment of all hardware interfaces that connect to internal networks to ensure that only approved devices are active. The overall severity of these vulnerabilities, especially the potential for long-term persistence and control over ATM transaction functionalities, have been ranked as Critical. Therefore, comprehensive remediation efforts combining immediate isolation and in-depth forensic analysis are required to protect sensitive financial assets and maintain the integrity of the ATM network.

References

The analytical findings detailed in this report are fully supported by evidence from trusted primary data sources, including our internal investigative reports (https://rescana.com/reports/UNC2891-details), extended threat landscape documentation (https://rescana.com/reports/ATM-threat-landscape), and industry threat advisories from national cybersecurity agencies (https://us-cert.cisa.gov/ncas/alerts). Each claim made in this report is directly attributable to verified digital forensic artifacts and network logs analyzed during the incident investigation process. Citations provided herein are fully accessible and have been preserved in their original form to ensure thorough transparency and verifiability.

About Rescana

Rescana is dedicated to the provision of detailed risk management and incident investigation solutions, with specialized focus on third-party risk management as it relates to integrated digital and physical infrastructures. Our platform uniquely combines robust forensic analysis with continuous monitoring techniques that facilitate rapid detection and effective remediation of sophisticated threats. In scenarios similar to those outlined in this report, Rescana’s intelligence-driven evaluations and proactive incident response strategies ensure that organizations are well-prepared to withstand emerging attack vectors involving blended tactics. We are happy to answer questions at ops@rescana.com.