• 𝕸𝖔𝖘𝖘@infosec.pub
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    1
    ·
    13時間前

    UNC2891 also used Linux bind mounts to hide its backdoor processes, which, at the time, had not been documented in public threat reports, Group-IB said.

    The technique is now recognized by MITRE’s ATT&CK framework as T1564.013.

    Holy crap. They discovered, and successfully implemented a novel technique. That’s impressive af

  • Optional@lemmy.world
    link
    fedilink
    English
    arrow-up
    37
    arrow-down
    1
    ·
    16時間前

    The backdoor, for example, appeared to be the LightDM display manager often used by Linux systems, demonstrating the group’s skillset, which the researchers said spanned Linux, Unix, and Oracle Solaris environments.

    The backdoor was the display manager. Well goddamn.

    • FauxLiving@lemmy.world
      link
      fedilink
      English
      arrow-up
      26
      arrow-down
      1
      ·
      14時間前

      The criminals, or the people they paid to carry out the physical attack, connected a Raspberry Pi to a bank’s network switch, the same one hooked up to the ATM that was subsequently raided.

      They’re kind of skipping over an important detail here.

      Sure the technical details are interesting, but it’s a bit like discussing the alloys of the tumblers of the safe deposit box after the team has unexplainably bypassed the main safe door…

      • SoftestSapphic@lemmy.world
        link
        fedilink
        English
        arrow-up
        13
        ·
        edit-2
        13時間前

        Yeah that implies physical access.

        Like it takes a ceritain security level to even get into rooms that have those switches.

        It was probably some IT worker.

        Hope they never get caught lol

  • baduhai@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    51
    arrow-down
    4
    ·
    19時間前

    Cybercrooks

    I fuckin love these dumbass names they give to hackers.

  • Pika@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    14
    ·
    16時間前

    honestly, pretty poor security here. I can’t say much cause I don’t have inter-device restrictions either… but I’m also not a bank that handles money.

    There’s no reason a random device should have been able to interface with any of the other devices tbh, I’m guessing the switch wasn’t smart so didn’t support Mac filtering or port disabling cause that should have not been a valid attack vector.

    • ExcessShiv@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      6
      ·
      13時間前

      I just work a pretty standard engineering job at a large company (basically regular office work, not a critical industry like power or pharma), and any MAC that isn’t approved by IT is simply not a allowed to interface with anything whatsoever. It’s insane that a bank has this loose IT security.

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        13時間前

        , Agreed. Like, I’m not surprised that it was allowed to interface with the ATM because at that layer, I think the jump would have been from the switch to the ATM(although the ATM should habe not accepted the connection imo). So it would have never gone through any security. But it blows my mind that it was allowed to access a mail server as part of the routing, And even more so that it was allowed to go from that mail server to the outside world to establish a second route into the establishment. Like, how did it never hit any type of security or blocker anywhere in that process?

        • ExcessShiv@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          4時間前

          Even at that layer it should require site specific knowledge to gain access to the network, knowledge like specific IP ranges, netmask and VLAN, that they really shouldn’t have. This bank managed to mess up literally every single step of the IT security chain, it’s almost impressive.