hackers


In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong wrote. “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data.”

To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank’s monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center.


The Network Monitoring Server as an intermediary between the Raspberry Pi and the Mail Server. Credit: Group-IB

As Group-IB was initially investigating the bank’s network, researchers noticed some unusual behaviors on the monitoring server, including an outbound beaconing signal every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic tool to analyze the communications. The tool identified the endpoints as a Raspberry Pi and the mail server but was unable to identify the process names responsible for the beaconing.


The forensic triage tool is unable to collect the relevant process name or ID associated with the socket. Credit: Group-IB

The researchers then captured the system memory as the beacons were sent. The review identified the process as lightdm, a name associated with the open source LightDM display manager. The process appeared to be legitimate, but the researchers found it suspicious because the LightDM binary was installed in an unusual location. After further investigation, the researchers discovered that the processes of the custom backdoor had been deliberately disguised in an attempt to throw researchers off the scent.

Phuong explained:

The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading. Specifically, the binary is named “lightdm”, mimicking the legitimate LightDM display manager commonly found on Linux systems. To enhance the deception, the process is executed with command-line arguments resembling legitimate parameters – for example, lightdm --session child 11 19 — in an effort to evade detection and mislead forensic analysts during post-compromise investigations.

These backdoors were actively establishing connections to both the Raspberry Pi and the internal Mail Server.

As noted earlier, the processes were disguised using the Linux bind mount. Following that discovery, Group-IB added the technique to the MITRE ATT&CK framework as “T1564.013 – Hide Artifacts: Bind Mounts.”
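A bind mount placed over a running process's /proc/<pid> directory hides that process from ps, top and anything else that reads /proc, which is what T1564.013 describes. The following check, an added example that is not Group-IB's forensic tooling, parses the kernel's mountinfo format and flags any mount whose mount point sits on a /proc/<pid> directory; the sample mountinfo lines are constructed for the demonstration.

```python
"""Detect bind mounts layered over /proc/<pid> directories (T1564.013).

Added illustrative check, not Group-IB's tooling. The mountinfo field
layout is the real kernel format; SAMPLE_MOUNTINFO below is constructed.
"""
import re

# /proc/<pid> itself, or any path beneath it.
PROC_PID_DIR = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def parse_mountinfo(text):
    """Parse mountinfo text into dicts with the fields this check needs.

    Line layout: id parent major:minor root mount_point options
    [optional fields...] - fstype source superoptions
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "-" not in fields:
            continue
        sep = fields.index("-")  # separator that precedes fstype
        entries.append({
            "root": fields[3],
            "mount_point": fields[4],
            "fstype": fields[sep + 1],
            "source": fields[sep + 2],
        })
    return entries


def find_proc_overlays(text):
    """Return (pid, mount_point, root, fstype) for every mount whose mount
    point is a /proc/<pid> directory. Nothing is normally mounted there,
    so each hit deserves a look; a proc filesystem whose root is not "/"
    is the classic bind-mount-of-another-pid signature."""
    hits = []
    for entry in parse_mountinfo(text):
        match = PROC_PID_DIR.match(entry["mount_point"])
        if match:
            hits.append((int(match.group(1)), entry["mount_point"],
                         entry["root"], entry["fstype"]))
    return hits


def scan_live(path="/proc/self/mountinfo"):
    """Run the same check against the running system's mount table."""
    with open(path, encoding="utf-8") as fh:
        return find_proc_overlays(fh.read())


# Constructed sample: the normal proc mount, the root filesystem, and a
# bind mount of /proc/1234 placed over /proc/4567 (root field "/1234" on
# a proc filesystem is the giveaway).
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
91 22 0:21 /1234 /proc/4567 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""

if __name__ == "__main__":
    for pid, mnt, root, fstype in find_proc_overlays(SAMPLE_MOUNTINFO):
        print(f"sample: {mnt} (pid {pid}) overlaid by {fstype} with root {root}")
    for pid, mnt, root, fstype in scan_live():
        print(f"LIVE: {mnt} (pid {pid}) overlaid by {fstype} with root {root}")
```

Because the hidden process still owns its sockets, pairing this mount-table check with a socket-to-process lookup (as the investigators above did via memory capture) closes the gap the triage tool hit.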

Group-IB didn’t say where the compromised switching equipment was located or how attackers managed to plant the Raspberry Pi. The attack was detected and shut down before UNC2891 was able to achieve its final goal of infecting the ATM switching network with the CakeTap backdoor.



Google finds custom backdoor being installed on SonicWall network devices

Researchers from the Google Threat Intelligence Group said that hackers are compromising SonicWall Secure Mobile Access (SMA) appliances, which sit at the edge of enterprise networks and manage and secure access by mobile devices.

The targeted devices are end of life, meaning they no longer receive regular updates for stability and security. Despite that status, many organizations continue to rely on them, which has made them prime targets for UNC6148, the name Google has given to the unknown hacking group.

“GTIG recommends that all organizations with SMA appliances perform analysis to determine if they have been compromised,” a report published Wednesday said, using the abbreviation for Google Threat Intelligence Group. “Organizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities. Organizations may need to engage with SonicWall to capture disk images from physical appliances.”

Lacking specifics

Many key details remain unknown. For one thing, the attacks are exploiting leaked local administrator credentials on the targeted devices, and so far, no one knows how the credentials were obtained. It’s also not known what vulnerabilities UNC6148 is exploiting, and it’s unclear precisely what the attackers are doing after they take control of a device.

The lack of details is largely the result of the functioning of Overstep, the name of the custom backdoor malware UNC6148 installs after initial compromise of the devices. Overstep allows the attackers to selectively remove log entries, a technique that is hindering forensic investigation. Wednesday’s report also posits that the attackers may be armed with a zero-day exploit, meaning it targets a vulnerability that’s currently publicly unknown. Possible vulnerabilities UNC6148 may be exploiting include:

  • CVE-2021-20038: An unauthenticated remote code execution made possible by a memory corruption vulnerability.
  • CVE-2024-38475: An unauthenticated path traversal vulnerability in Apache HTTP Server, which is present in the SMA 100. It can be exploited to extract two separate SQLite databases that store user account credentials, session tokens, and seed values for generating one-time passwords.
  • CVE-2021-20035: An authenticated remote code execution vulnerability. Security firm Arctic Wolf and SonicWall reported in April that this vulnerability was under active exploitation.
  • CVE-2021-20039: An authenticated remote code execution vulnerability. There have been reports that this vulnerability was under active exploitation to install ransomware in 2024.
  • CVE-2025-32819: An authenticated file deletion vulnerability that can be exploited to cause a targeted device to revert the built-in administrator credentials to a password so that attackers can gain administrator access.



Man gets 10 years for stealing $20M in nest eggs from 400 US home buyers

A Nigerian man living in the United Kingdom has been sentenced to 10 years for his role in a phishing scam that snatched more than $20 million from over 400 would-be home buyers in the US, including some savers who lost their entire nest eggs.

Late last week, the US Department of Justice confirmed that 33-year-old Babatunde Francis Ayeni pled guilty to conspiracy to commit wire fraud through “a sophisticated business email compromise scheme targeting real estate transactions” in the US.

To seize large down payments on homes, Ayeni and co-conspirators sent phishing emails to US title companies, real estate agents, and real estate attorneys. When unsuspecting employees clicked malicious attachments and links, a prompt appeared asking for login information that was then shared with the hackers.

Once the hackers were in, they could monitor their emails “for transactions where a buyer was scheduled to make a payment as part of a real estate transaction,” then swoop in to send wiring instructions to transfer funds to compromised accounts instead, the DOJ said. To help cover their tracks, co-conspirators then converted the money into Bitcoin on Coinbase.

The scam was seemingly uncovered after co-conspirators targeted a real estate title company in Gulf Shores, Alabama. More than half of the victims were unable to reverse the wire transactions. According to The Record, two victims who shared impact statements in court lost more than $114,000, including a man who “tried to buy his elderly father a home following a Parkinson’s diagnosis.”



Who are the two major hackers Russia just received in a prisoner swap?

friends in high places —

Both men committed major financial crimes—and had powerful friends.


As part of today’s blockbuster prisoner swap between the US and Russia, which freed the journalist Evan Gershkovich and several Russian opposition figures, Russia received in return a motley collection of serious criminals, including an assassin who had executed an enemy of the Russian state in the middle of Berlin.

But the Russians also got two hackers, Vladislav Klyushin and Roman Seleznev, each of whom had been convicted of major financial crimes in the US. The US government said that Klyushin “stands convicted of the most significant hacking and trading scheme in American history, and one of the largest insider trading schemes ever prosecuted.” As for Seleznev, federal prosecutors said that he has “harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court.”

What sort of hacker do you have to be to attract the interest of the Russian state in prisoner swaps like these? Clearly, it helps to have hacked widely and caused major damage to Russia’s enemies. By bringing these two men home, Russian leadership is sending a clear message to domestic hackers: We’ve got your back.

But it also helps to have political connections. To learn more about both men and their exploits, we read through court documents, letters, and government filings to shed a little more light on their crimes, connections, and family backgrounds.

Vladislav Klyushin

In court filings, Vladislav Klyushin claimed to be a stand-up guy, the kind of person who paid for acquaintances’ medical bills and local monastery repairs. He showed, various letters from friends suggested, “extraordinary compassion, generosity, and civic and charitable commitment.”

According to the US government, though, Klyushin made tens of millions of dollars betting for and against (“shorting”) US companies by using hacked, nonpublic information to make stock trades. He was arrested in 2021 after arriving in Switzerland on a private jet but before he could get into the helicopter that would have taken him to a planned Alps ski vacation.

Klyushin never met his father, he said, a man who drank “excessively” and then was killed during a car theft gone bad when Klyushin was 14. Klyushin’s mother was only 19 when she had him, and the family “occasionally had limited food and clothing.” Klyushin tried to help out by joining the workforce at 13, but he managed to graduate high school, college, and even graduate school, ending up with a doctorate.

After various jobs, including a stint at the Moscow State Linguistic University, Klyushin took a job at M-13, a Moscow IT company that did penetration testing and “Advanced Persistent Threat emulation”—that is, M-13 could be hired to act just like a group of hackers, probing corporate or government cybersecurity. Oddly enough for an infosec company, M-13 also offered investment advice; give them your money and fantastic returns were promised, with M-13 keeping 60 percent of any profits it made.

This was not mere puffery, either. According to the US government, the M-13 team “had an improbable win rate of 68 percent” on its stock trades, and it “generated phenomenal, eight-figure returns,” turning $9 million into $100 million (“a return of more than 900 percent during a period in which the broader stock market returned just over 25 percent,” said the government).

But Klyushin and his associates were not stock-picking wizards. Instead, they had begun hacking Donnelly Financial and Toppan Merrill, two “filing agents” that many large companies use to submit quarterly and annual earning reports to the Securities and Exchange Commission. These reports were uploaded to the filing agents’ systems several days before their public release. All the M-13 team had to do was liberate the files early, read through them, and buy up stocks of companies that had overperformed while shorting stocks of companies that had underperformed. When the reports went public a few days later and the markets responded to them, the M-13 team made huge returns. Klyushin himself earned several tens of millions of dollars between 2018 and 2020.

To avoid consequences for this flagrantly illegal behavior, all Klyushin had to do was stay in Russia—or, at least, not visit or transit through a country that might extradite him to the US—and he could keep buying up yachts, cars, and real estate. That’s because Russia—along with China and Iran, the largest three sources of hackers who attack US targets—doesn’t do much to stop attacks directed against US interests. As the US government notes, none of these governments “respond to grand jury subpoenas and rarely if ever provide the kinds of forensic information that helps to identify cybercriminals. Nor do they extradite their nationals, leaving the government to rely on the chance that an indicted defendant will travel.”

But when you have tens of millions of dollars, you often want to spend it abroad, so Klyushin did travel—and got nabbed upon his arrival in Switzerland. He was extradited to the US in 2021, was found guilty at trial, and was sentenced to nine years in prison and the forfeiture of $34 million. It is unclear if the US government was able to get its hands on any of that money, which was stashed in bank accounts around the world.

Klyushin’s fellow conspirators have wisely stayed in Russia, so with his release as part of today’s prisoner swap, all are likely to enjoy their ill-gotten gains without further consequence. One of Klyushin’s colleagues at M-13, Ivan Ermakov, is said to be a “former Russian military intelligence officer” who used to run disinformation programs “targeting international anti-doping agencies, sporting federations, and anti-doping officials.”



Hackers discover how to reprogram NES Tetris from within the game

Building a better Tetris —

New method could help high-score chasers trying to avoid game-ending crashes.

I can see the code that controls the Tetri-verse! Credit: Aurich Lawson

Earlier this year, we shared the story of how a classic NES Tetris player hit the game’s “kill screen” for the first time, activating a crash after an incredible 40-minute, 1,511-line performance. Now, some players are using that kill screen—and some complicated memory manipulation it enables—to code new behaviors into versions of Tetris running on unmodified hardware and cartridges.

We’ve covered similar “arbitrary code execution” glitches in games like Super Mario World, Paper Mario, and The Legend of Zelda: Ocarina of Time in the past. And the basic method for introducing outside code into NES Tetris has been publicly theorized since at least 2021 when players were investigating the game’s decompiled code (HydrantDude, who has gone deep on Tetris crashes in the past, also says the community has long had a privately known method for how to take full control of Tetris’ RAM).

Displaced Gamers explains how to reprogram NES Tetris within the game.

But a recent video from Displaced Gamers takes the idea from private theory to public execution, going into painstaking detail on how to get NES Tetris to start reading the game’s high score tables as machine code instructions.

Fun with controller ports

Taking over a copy of NES Tetris is possible mostly due to the specific way the game crashes. Without going into too much detail, a crash in NES Tetris happens when the game’s score handler takes too long to calculate a new score between frames, which can happen after level 155. When this delay occurs, a portion of the control code gets interrupted by the new frame-writing routine, causing it to jump to an unintended portion of the game’s RAM to look for the next instruction.

Usually, this unexpected interrupt leads the code to jump to the very beginning of RAM, where garbage data gets read as code and often leads to a quick crash. But players can manipulate this jump thanks to a little-known vagary in how Tetris handles potential inputs when running on the Japanese version of the console, the Famicom.

The Famicom expansion port that is key to making this hack work.

Unlike the American Nintendo Entertainment System, the Japanese Famicom featured two controllers hard-wired to the unit. Players who wanted to use third-party controllers could plug them in through an expansion port on the front of the system. The Tetris game code reads the inputs from this “extra” controller port, which can include two additional standard NES controllers through the use of an adapter (this is true even though the Famicom got a completely different version of Tetris from Bullet-Proof Software).

As it happens, the area of RAM that Tetris uses to process this extra controller input is also used for the memory location of that jump routine we discussed earlier. Thus, when that jump routine gets interrupted by a crash, that RAM will be holding data representing the buttons being pushed on those controllers. This gives players a potential way to control precisely where the game code goes after the crash is triggered.

Coding in the high-score table

For Displaced Gamers’ jump-control method, the player has to hold down “up” on the third controller and right, left, and down on the fourth controller (that latter combination requires some controller fiddling to allow for simultaneous left and right directional input). Doing so sends the jump code to an area of RAM that holds the names and scores for the game’s high score listing, giving an even larger surface of RAM that can be manipulated directly by the player.

By putting “(G” in the targeted portion of the B-Type high score table, we can force the game to jump to another area of the high score table, where it will start reading the names and scores sequentially as what Displaced Gamers calls “bare metal” code, with the letters and numbers representing opcodes for the NES CPU.

This very specific name and score combination is actually read as code in Displaced Gamers’ proof of concept.

Unfortunately, there are only 43 possible symbols that can be used in the name entry area and 10 different digits that can be part of a high score. That means only a small portion of the NES’s available opcode instructions can be “coded” into the high score table using the available attack surface.

Despite these restrictions, Displaced Gamers was able to code a short proof-of-concept code snippet that can be translated into high-score table data (A name of '))"-P)', and a second-place score of 8,575 in the A-Type game factors prominently, in case you’re wondering). This simple routine puts two zeroes in the top digits of the game’s score, lowering the score processing time that would otherwise cause a crash (though the score will eventually reach the “danger zone” for a crash again, with continued play).

Of course, the lack of a battery-backed save system means hackers need to achieve these high scores manually (and enter these complicated names) every time they power up Tetris on a stock NES. The limited space in the high score table also doesn’t leave much room for direct coding of complex programs on top of Tetris’ actual code. But there are ways around this limitation; HydrantDude writes of a specific set of high-score names and numbers that “build[s] another bootstrapper which builds another bootstrapper that grants full control over all of RAM.”

With that kind of full control, a top-level player could theoretically recode NES Tetris to patch out the crash bugs altogether. That could be extremely helpful for players who are struggling to make it past level 255, where the game actually loops back to the tranquility of Level 0. In the meantime, I guess you could always just follow the lead of Super Mario World speedrunners and transform Tetris into Flappy Bird.



A startup allegedly “hacked the world.” Then came the censorship—and now the backlash.

hacker-for-hire —

Anti-censorship voices are working to highlight reports of one Indian company’s hacker past.


Hacker-for-hire firms like NSO Group and Hacking Team have become notorious for enabling their customers to spy on vulnerable members of civil society. But as far back as a decade ago in India, a startup called Appin Technology and its subsidiaries allegedly played a similar cyber-mercenary role while attracting far less attention. Over the past two years, a collection of people with direct and indirect links to that company have been working to keep it that way, using a campaign of legal threats to silence publishers and anyone else reporting on Appin Technology’s alleged hacking past. Now, a loose coalition of anti-censorship voices is working to make that strategy backfire.

For months, lawyers and executives with ties to Appin Technology and to a newer organization that shares part of its name, called the Association of Appin Training Centers, have used lawsuits and legal threats to carry out an aggressive censorship campaign across the globe. These efforts have demanded that more than a dozen publications amend or fully remove references to the original Appin Technology’s alleged illegal hacking or, in some cases, mentions of that company’s co-founder, Rajat Khare. Most prominently, a lawsuit against Reuters brought by the Association of Appin Training Centers resulted in a stunning order from a Delhi court: It demanded that Reuters take down its article based on a blockbuster investigation into Appin Technology that had detailed its alleged targeting and spying on opposition leaders, corporate competitors, lawyers, and wealthy individuals on behalf of customers worldwide. Reuters “temporarily” removed its article in compliance with that injunction and is fighting the order in Indian court.

As Appin Training Centers has sought to enforce that same order against a slew of other news outlets, however, resistance is building. Earlier this week, the digital rights group the Electronic Frontier Foundation (EFF) sent a response—published here—pushing back against Appin Training Centers’ legal threats on behalf of media organizations caught in this crossfire, including the tech blog Techdirt and the investigative news nonprofit MuckRock.

No media outlet has claimed that Appin Training Centers—a group that describes itself as an educational firm run in part by former franchisees of the original Appin Technology, which reportedly ceased its alleged hacking operations more than a decade ago—has been involved in any illegal hacking. In December, however, Appin Training Centers sent emails to Techdirt and MuckRock demanding they too take down all content related to allegations that Appin Technology previously engaged in widespread cyberspying operations, citing the court order against Reuters.

Techdirt, Appin Training Centers argued, fell under that injunction by writing about Reuters’ story and the takedown order targeting it. So had MuckRock, the plaintiffs claimed, which hosted some of the documents that Reuters had cited in its story and uploaded to MuckRock’s DocumentCloud service. In the response sent on their behalf, the EFF states that the two media organizations are refusing to comply, arguing that the Indian court’s injunction “is in no way the global takedown order your correspondence represents it to be.” It also cites an American law called the SPEECH Act that deems any foreign court’s libel ruling that violates the First Amendment unenforceable in the US.

“It’s not a good state for a free press when one company can, around the world, disappear news articles,” Michael Morisy, the CEO and co-founder of MuckRock, tells WIRED. “That’s something that fundamentally we need to push back against.”

Techdirt founder Mike Masnick says that, beyond defeating the censorship of the Appin Technology story, he hopes their public response to that censorship effort will ultimately bring even more attention to the group’s past. In fact, 19 years ago, Masnick coined the term “the Streisand effect” to describe a situation in which someone’s attempt to hide information results in its broader exposure—exactly the situation he hopes to help create in this case. “The suppression of accurate reporting is problematic,” says Masnick. “When it happens, it deserves to be called out, and there should be more attention paid to those trying to silence it.”

The anti-secrecy nonprofit Distributed Denial of Secrets (DDoSecrets) has also joined the effort to spark that Streisand Effect, “uncensoring” Reuters’ story on the original Appin Technology as part of a new initiative it calls the Greenhouse Project. DDoSecrets cofounder Emma Best says the name comes from its intention to foster a “warming effect”—the opposite of the “chilling effect” used to describe the self-censorship created by legal threats. “It sends a signal to would-be censors, telling them that their success may be fleeting and limited,” Best says. “And it assures other journalists that their work can survive.”

Neither Appin Training Centers nor Rajat Khare responded to WIRED’s request for comment, nor did Reuters.

The fight to expose the original Appin Technology’s alleged hacking history began to reach a head in November of 2022, when the Association for Appin Training Centers sued Reuters based only on its reporters’ unsolicited messages to Appin Training Centers’ employees and students. The company’s legal complaint, filed in India’s judicial system, accused Reuters not only of defamation, but “mental harassment, stalking, sexual misconduct and trauma.”

Nearly a full year later, Reuters nonetheless published its article, “How an Indian Startup Hacked the World.” The judge in the case initially sided with Appin Training Centers, writing that the article could have a “devastating effect on the general students population of India.” He quickly ordered an injunction stating that Appin Training Centers can demand Reuters take down their claims about Appin Technology.
