In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

mannyvelo

Ars Scholae Palatinae
1,209
I was always under the impression that banks whitelisted all connections on some networks as SOP. Apparently I'm wrong or they were able to somehow add the Pi to the whitelist.

It's not hard to do, and since you know your topology it should be even easier.

Because it had access to the monitoring server, it probably was installed on the data center side, not down next to an ATM/branch. That narrows the suspects down considerably.

One funny thing is that it just takes one bribe to get that in. I mean, if someone paid you $500k to plug in a random device in a restricted area would you do it? What about a million? Two?
 
Upvote
95 (95 / 0)

jimmy.j.r

Ars Centurion
216
Subscriptor
I was always under the impression that banks whitelisted all connections on some networks as SOP. Apparently I'm wrong or they were able to somehow add the Pi to the whitelist.

It's not hard to do, and since you know your topology it should be even easier.

Because it had access to the monitoring server, it probably was installed on the data center side, not down next to an ATM/branch. That narrows the suspects down considerably.

One funny thing is that it just takes one bribe to get that in. I mean, if someone paid you $500k to plug in a random device in a restricted area would you do it? What about a million? Two?
Modern lexicon is “allow list” and “deny list”, not “whitelist” and “blacklist”.
 
Upvote
-32 (105 / -137)

DreamBig

Smack-Fu Master, in training
24
You have to admire the sheer skill and tenacity these groups demonstrate, really wish they would find a different creative outlet though.
If they can do these attacks then nation states can do far worse. It’s better to have a minor nuisance than a major vulnerability go undetected. But yes, ultimately they should be paid for these exploits through legitimate means.
 
Upvote
23 (23 / 0)

pbrutsch

Smack-Fu Master, in training
97
Well, on the one hand dealing with 802.1X is kind of a pain in the ass; but on the other hand just hoping that I'm not worth the trouble of someone actually motivated is hard to justify.
802.1x is how you put a stop to this.

People have trouble with 802.1x because certificates are equivalent to the Black Speech of Mordor, and because banks will be required to change the authentication credentials on a quasi-regular basis (device certificate renewal with EAP-TLS or EAP-TTLS, or a new password annually if you use PEAP-MSCHAPv2 or PEAP-PAP or something similar).
 
Upvote
93 (93 / 0)

alansh42

Ars Praefectus
3,662
Subscriptor++
Why the hell do ATMs use 4G instead of a direct cable connection?
That convenience store ATM uses a cell modem, but most bank operated ones don't. This was an unauthorized device using a 4G modem to bridge over their firewall.

I'll bet there's still a lot of unencrypted TN3270 traffic on bank internal networks.
 
Upvote
76 (76 / 0)
Ran into a similar attempt in the early 2000s.

Giant company I worked for leased a 15 story tower to other tenants, including a bank on the 1st floor.

We had IDFs on each floor above 6 (we occupied 6-15). Also had our switches shut down any port with an unknown MAC appearance.

Kept having ports go dark on 10th floor. Drove over, opened the supposedly secure door on 10, and found a Linksys router plugged into my switch. Someone had a keycard, and was apparently moving the router to a green port every few days.

Yikes….
 
Upvote
127 (127 / 0)
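The "shut any port with an unknown MAC" policy this post describes, as an added example that is not part of the thread: a Python audit that diffs a MAC-table dump against a per-port baseline and also flags a known MAC that has wandered onto another port (the roaming-router case). Port names, MAC addresses and the table layout are constructed for the example.

```python
import re

# Constructed baseline: the MAC addresses expected on each access port.
# "Gi1/0/13" is a spare ("green") port, so nothing should ever appear on it.
BASELINE = {
    "Gi1/0/10": {"0050.56aa.0001"},
    "Gi1/0/11": {"0050.56aa.0002"},
    "Gi1/0/12": {"0050.56aa.0003"},
    "Gi1/0/13": set(),
}

# Constructed MAC-table dump in the common "VLAN  MAC  TYPE  PORT" layout.
# The last two rows are the interesting ones: a never-seen MAC on the spare
# port, and a known MAC that has wandered onto a port it does not belong to.
MAC_TABLE = """\
 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
   10    0050.56aa.0001    DYNAMIC     Gi1/0/10
   10    0050.56aa.0002    DYNAMIC     Gi1/0/11
   10    c4e9.84f0.0a1b    DYNAMIC     Gi1/0/13
   10    0050.56aa.0001    DYNAMIC     Gi1/0/12
"""

ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Yield (mac, port) pairs; header and separator lines do not match ROW."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def audit(table_text, baseline):
    """Return (port, mac, reason) for each MAC outside its port's baseline:
    'mac-moved' if it is authorised on another port, else 'unknown-mac'."""
    known_anywhere = set().union(*baseline.values())
    findings = []
    for mac, port in parse_mac_table(table_text):
        if mac in baseline.get(port, set()):
            continue
        reason = "mac-moved" if mac in known_anywhere else "unknown-mac"
        findings.append((port, mac, reason))
    return findings

def ports_to_disable(findings):
    """Ports the 'shut any port with an unknown MAC' policy would take down."""
    return sorted({port for port, _, _ in findings})

if __name__ == "__main__":
    hits = audit(MAC_TABLE, BASELINE)
    print(hits, ports_to_disable(hits))
```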

wmontgomery1965

Smack-Fu Master, in training
1
I just want to know what they are doing running an FTP server in 2025 (the service listening on port 21 in the screenshot).

Banks are notorious for this kind of legacy tech. I wouldn’t be surprised if there was a COBOL job running for the past 30+ years that needs that FTP server to exist.
 
Upvote
74 (77 / -3)

pbrutsch

Smack-Fu Master, in training
97
Ran into a similar attempt in the early 2000s.

Giant company I worked for leased a 15 story tower to other tenants, including a bank on the 1st floor.

We had IDFs on each floor above 6 (we occupied 6-15). Also had our switches shut down any port with an unknown MAC appearance.

Kept having ports go dark on 10th floor. Drove over, opened the supposedly secure door on 10, and found a Linksys router plugged into my switch. Someone had a keycard, and was apparently moving the router to a green port every few days.

Yikes….
That's just someone on the 10th floor with a fancy laptop and this shiny new thing called wifi.

Doesn't make it any more acceptable.
 
Upvote
31 (31 / 0)

terrydactyl

Ars Tribunus Angusticlavius
7,917
Subscriptor
The researchers with security firm Group-IB said the “unprecedented tactic allowed the attackers to bypass perimeter defenses entirely.” The hackers combined the physical intrusion with remote access malware that used another novel technique to conceal itself, even from sophisticated forensic tools.
Makes one wonder if it's someone with inside knowledge of bank security.

The group behind the attack is tracked in the industry under the name UNC2891. The financially motivated threat group has been active since at least 2017 in targeting the infrastructures of banks.
Then again, I understand cash-strapped North Korea is always looking for ways to get money.
 
Upvote
14 (14 / 0)

karolus

Ars Legatus Legionis
10,997
Subscriptor++
Ran into a similar attempt in the early 2000s.

Giant company I worked for leased a 15 story tower to other tenants, including a bank on the 1st floor.

We had IDFs on each floor above 6 (we occupied 6-15). Also had our switches shut down any port with an unknown MAC appearance.

Kept having ports go dark on 10th floor. Drove over, opened the supposedly secure door on 10, and found a Linksys router plugged into my switch. Someone had a keycard, and was apparently moving the router to a green port every few days.

Yikes….
At an org I used to work for, heard from a manager that one IT admin got canned when the network admins found out he had put his own server in a network room to mine Bitcoin. This was happening around the same timeframe as your problem, so not as expensive as it would be now, but still a significant siphoning of company resources, not to mention possible security issues.
 
Upvote
41 (41 / 0)

GKH

Ars Scholae Palatinae
1,156
Modern lexicon is “allow list” and “deny list”, not “whitelist” and “blacklist”.
Modern acceptance of older-than-dirt concepts of black and white dualism as being connected in any way to arbitrary racial labels is a deeply unhealthy pathology on about a million levels and very, very sad.
 
Upvote
41 (98 / -57)
802.1x is how you put a stop to this.

People have trouble with 802.1x because certificates are equivalent to the Black Speech of Mordor, and because banks will be required to change the authentication credentials on a quasi-regular basis (device certificate renewal with EAP-TLS or EAP-TTLS, or a new password annually if you use PEAP-MSCHAPv2 or PEAP-PAP or something similar).

Pretty much. Wasn't it a fairly major plot point that Sauron made a subtle error in specifying name constraints when issuing one of the nine rings of men, because qualified subordination is just simple like that, and ended up allowing Éowyn to completely invalidate the security assurances that were supposed to be inherent to the Witch-king of Angmar?

That's what always makes me jumpy about dealing with the things. The cryptic failures if you do something wrong are one thing; but the cryptic successes by people who aren't you if you do something wrong are just plain hard on the nerves.
 
Upvote
66 (67 / -1)

AusPeter

Ars Praefectus
5,239
Subscriptor
I had some infrastructure dealings with financial institutions long ago and the number one thing I took away from it was that their interest in security vanished when the cost of implementing security exceeded the average amount lost to theft.
It's not as if that's a new concept. Just look at how Ford treated the Pinto issues in the 70s - lawyers were deemed cheaper than engineering a fix.
 
Upvote
37 (38 / -1)

pbrutsch

Smack-Fu Master, in training
97
Pretty much. Wasn't it a fairly major plot point that Sauron made a subtle error in specifying name constraints when issuing one of the nine rings of men, because qualified subordination is just simple like that, and ended up allowing Éowyn to completely invalidate the security assurances that were supposed to be inherent to the Witch-king of Angmar?

That's what always makes me jumpy about dealing with the things. The cryptic failures if you do something wrong are one thing; but the cryptic successes by people who aren't you if you do something wrong are just plain hard on the nerves.
...

You might be misreading too much into the analogy.

The Black Speech of Mordor is something that scares people.

So are certificates.
 
Upvote
58 (59 / -1)

alansh42

Ars Praefectus
3,662
Subscriptor++
I had some infrastructure dealings with financial institutions long ago and the number one thing I took away from it was that their interest in security vanished when the cost of implementing security exceeded the average amount lost to theft.
That's pretty much every business.

US banks took so long to switch to chip cards because they had switched to online authorization for all charges thanks to relatively cheap telecom. Being able to deny charges this way blocked enough fraud that they didn't think chip cards were worth it.

Outside the US, a lot of charges were done offline so the cards needed to be more secure.
 
Upvote
41 (41 / 0)

ewelch

Ars Tribunus Angusticlavius
9,374
Subscriptor++
I was always under the impression that banks whitelisted all connections on some networks as SOP. Apparently I'm wrong or they were able to somehow add the Pi to the whitelist.

It's not hard to do, and since you know your topology it should be even easier.

Because it had access to the monitoring server, it probably was installed on the data center side, not down next to an ATM/branch. That narrows the suspects down considerably.

One funny thing is that it just takes one bribe to get that in. I mean, if someone paid you $500k to plug in a random device in a restricted area would you do it? What about a million? Two?
The lesson, kids, is if you're going to take a bribe from scumbags to plant their hacks, get the money up front.
 
Upvote
28 (28 / 0)

afidel

Ars Legatus Legionis
18,216
Subscriptor
802.1x is how you put a stop to this.

People have trouble with 802.1x because certificates are equivalent to the Black Speech of Mordor, and because banks will be required to change the authentication credentials on a quasi-regular basis (device certificate renewal with EAP-TLS or EAP-TTLS, or a new password annually if you use PEAP-MSCHAPv2 or PEAP-PAP or something similar).
Luckily the upcoming 45-day public cert lifetime limit is going to force vendors to make ACME support robust, so that will reduce the friction in rolling out 802.1x. We're still running into some issues with the tools our cert vendor supplies, but they're getting more robust basically in real time; I expect in a few years it'll work pretty smoothly.
 
Upvote
10 (10 / 0)