Raspberry Pi Planted in Failed ATM Heist

Raxis Chief Penetration Tester Brian Tant discusses the Raspberry Pi used in a recent ATM heist and how Raxis uses the same type of device in our pentesting.


At Raxis, we’re always keeping an eye on real-world attacks so that we stay on top of current exploits that may affect our customers and can find those weaknesses first, giving customers the chance to remediate. Recently we read about a failed bank ATM heist that included planting a Raspberry Pi device on the bank’s network. This is very relevant to me because I lead the Raxis Transporter initiative that allows our customers to receive full cloud/internal network and wireless network penetration tests remotely.

Here I’d like to chat about the power of a malicious actor successfully planting such a device and also how we use them to proactively find weaknesses that organizations can fix.

The Raspberry Pi Network Implant

Attempting to compromise a bank’s ATM infrastructure, the hacking group UNC2891 deployed a Raspberry Pi with a 4G modem as a physical network implant. They connected it to an ATM switch to establish persistent access over a cellular link, even after other activities had been detected. This allowed lateral movement to critical systems, using a rootkit intended to spoof authorizations and enable unauthorized withdrawals. While investigators discovered the plot and took corrective action, this cautionary tale exemplifies the stealthy utility of network implants in real-world attacks.

Raxis routinely employs these same techniques in penetration testing and red team exercises to simulate adversarial tactics, uncover vulnerabilities, and strengthen defenses before malicious actors strike. Raxis also uses Raspberry Pis on internal network assessments to facilitate persistent reverse connections and enable numerous other C2 solutions when called for during an assessment.

The Pentester’s Swiss Army Knife

The Raspberry Pi shines in multiple threat models due to its affordability, compact size, and Linux compatibility, making it ideal for “dropbox” implants, devices physically placed in target networks to provide remote access during engagements. Running distributions like Kali Linux, a Pi can host an arsenal of pentesting tools, from scanning tools to exploitation frameworks, all while blending into the environment as innocuous hardware.

The Raspberry Pi is incredibly versatile. It can be readily extended beyond its native capabilities using commercially available hardware, enhancing stealth and multi-vector persistence. The Pi’s four USB ports accommodate specialized dongles such as 802.11 wireless adapters, additional Ethernet connections, Bluetooth radios, LoRa nodes, and even cellular modems for direct, long-range remote access.

The Raspberry Pi is one of the best tools, with few substitutes, for exploiting physical security lapses such as unsecured server rooms or unused network ports in office areas. Penetration testing, augmented with network implants, often reveals blind spots that may get missed in a unipolar assessment.
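
A defender-side check for the implant placement described above, as an added example that is not part of the original article: it audits a switch MAC address table against a per-port inventory and flags unknown devices, with a Raspberry Pi OUI as an extra hint. The table layout, port names, inventory and MAC addresses are constructed, and the OUI list is an assumption to verify against the IEEE registry.

```python
import re

# Assumption: OUI prefixes registered to Raspberry Pi; verify against the IEEE registry.
PI_OUIS = {"b827eb", "dca632", "e45f01", "28cdc1", "d83add", "2ccf67"}

# Constructed inventory: switch port -> MAC addresses approved on that port.
APPROVED = {
    "Gi1/0/1": {"001a2b3c4d5e"},
    "Gi1/0/2": {"001a2b3c4d5f"},
    "Gi1/0/7": set(),  # wall jack documented as unused
}

# Constructed sample in the style of a switch MAC address table dump.
SAMPLE_TABLE = """\
VLAN  MAC Address        Type     Port
10    001a.2b3c.4d5e     DYNAMIC  Gi1/0/1
10    001a.2b3c.4d5f     DYNAMIC  Gi1/0/2
10    dca6.32aa.bb01     DYNAMIC  Gi1/0/7
10    0050.b6cc.dd02     DYNAMIC  Gi1/0/2
"""

ROW = re.compile(r"^\s*\d+\s+([0-9A-Fa-f.:\-]{12,17})\s+\S+\s+(\S+)\s*$")

def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def audit(table, approved=APPROVED):
    """Return (port, mac, reasons) for every MAC not approved on its port."""
    findings = []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        mac, port = normalize(m.group(1)), m.group(2)
        if len(mac) != 12 or mac in approved.get(port, set()):
            continue
        reasons = ["not in inventory for port"]
        if port in approved and not approved[port]:
            reasons.append("port documented as unused")
        if mac[:6] in PI_OUIS:
            reasons.append("Raspberry Pi OUI")
        findings.append((port, mac, reasons))
    return findings

if __name__ == "__main__":
    for port, mac, reasons in audit(SAMPLE_TABLE):
        print(f"{port}  {mac}  {'; '.join(reasons)}")
```

The inventory mismatch is the stronger signal: MAC addresses can be changed, and an implant attached through a USB Ethernet adapter presents that adapter's OUI, as the second finding illustrates. A cellular uplink like the one in the ATM case never crosses the perimeter, so a switch-side check of this kind sees what egress monitoring does not.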

