UNC2891 has been working its way through gaps in ATM security and broader banking security by slipping small hardware implants into places most teams assume are locked down. Investigators found Raspberry Pi systems sitting near ATM transaction switches, quietly feeding access back to the operators while Linux tooling handled the heavier work inside the network. The group paired that access with cloned cards and a mule network that turned compromised infrastructure into predictable cashouts. The whole operation shows how easily a determined crew can turn physical access and an overlooked embedded device into long-term leverage inside a financial environment that otherwise looks hardened on paper.

How Did UNC2891 Breach ATM Security Using Hardware Implants and Linux Malware?

Investigators traced the initial access point to a series of Raspberry Pi boards tucked into network paths that should never see unvetted hardware. Each device sat close to the ATM transaction switch, which gave the operators a clean line into systems that handle the core transaction flow. A small 4G modem handled the outbound channel, letting the attackers reach those boards without touching the bank’s perimeter or dealing with its change controls.

Once inside, the group leaned on familiar Linux and Unix tooling. CAKETAP used CVE-2021-3156 to climb privileges on older hosts that had not fully cycled through patching. SLAPSTICK exploited CVE-2021-4034 through Polkit to reach the same goal on better-maintained systems. TINYSHELL kept things simple by giving the operators a lightweight remote shell that blended into normal process lists. None of these tools was complex, but they were quiet and reliable.

The more interesting part came from the way UNC2891 relied on bind mounts to mask activity. By shifting sensitive paths into controlled views, they hid directories, logs, and even some of the tooling from routine inspections. It is the kind of trick that slips past teams that rely heavily on perimeter sensors and assume internal hosts are stable.

With control of the transaction switch and the surrounding infrastructure, the group moved from reconnaissance to monetization. Cloned cards were produced using data from the compromised environment, and mule crews handled the withdrawals across several countries. The hardware implants and the Linux malware stack gave them a foothold that survived audits for years because nothing looked obviously broken in the banking security stack.

Banking Security Risks and Real-World Campaign Activity

By the time forensic teams pieced the campaign together, it was clear UNC2891 had been active far longer than anyone assumed. Several banks in Southeast Asia reported activity dating back to 2017, which means the group operated through multiple hardware refresh cycles and at least one core-network redesign. That kind of persistence tells you the operators understood how ATM networks are built and where the weak seams sit between on-prem systems and switching infrastructure.

The affected systems weren’t limited to the ATMs themselves. The intrusion paths stretched across Linux and Unix hosts that supported transaction processing, card-issuing systems, and internal monitoring pipelines. Those hosts were often segmented on paper, but still exposed enough shared services to give an attacker room to move once the hardware implant was in place. Physical access gave them the starting point, and host-level access filled in the rest.

The financial losses tied to the cloned-card withdrawals added up quickly because the activity looked like routine consumer traffic at first glance. Mules cashed out across different ATM fleets and different regions, which made correlation harder until analysts started comparing timestamps and withdrawal patterns. It became clear that the issue wasn’t a single ATM model or a software defect. It was a structural weakness in how ATM security controls are layered inside modern banking environments.

For many teams, the uncomfortable part of this case is how ordinary the attack chain was. Nothing about the malware or operational playbook would surprise anyone who has worked in incident response. The scale came from patience, physical access, and a banking security model that still assumes internal networks are trusted once you get past the branch perimeter.

Strengthening ATM Security and Banking Security Controls

Most of the recommendations that came out of this investigation were not new. What changed was the emphasis. Teams realized how much trust had accumulated around network closets, switch cabinets, and other places that rarely see routine inspection. Locking those areas down and tracking who enters them became just as important as patching a high-severity Linux bug. Once the Raspberry Pi boards were removed, several banks started logging physical access through the same lens they use for privileged account activity.

Scanning for unauthorized hardware turned into a practical exercise instead of a theoretical one. Some teams added periodic sweeps of ATM network segments with simple inventory scripts, backed by NAC policies that flag devices with unexpected MAC prefixes or cellular interfaces. This isn’t glamorous work, but it closes the gap that allowed the 4G implants to sit unnoticed for so long.

Segmentation reviews followed. Many banks had ATM networks separated on paper while still sharing authentication paths, update channels, or internal monitoring systems with the broader environment. Cleaning up those links took time, and in some cases it required coordination with vendors who had quietly relied on those shared services. Once those pathways were clarified, the Linux privilege-escalation vulnerabilities used by CAKETAP and SLAPSTICK became less useful to an attacker.

Operational teams also began monitoring for unusual bind-mount behavior. Bind mounts are common in container platforms and maintenance workflows, but they stand out on hosts that normally run a predictable set of banking applications. Alerting on that activity gave analysts something concrete to investigate instead of relying on signature-based detections.

The last piece involved fraud teams. They rebuilt their processes for spotting mule behavior and repeated cloned-card withdrawals. Instead of monitoring only per-card anomalies, they began correlating ATM usage across regions and providers. This tied the operational side of banking security to the cash-out phase in a way that hadn’t been done before.

Closing Thoughts: What This Means for Linux, ATM Security, and Modern Banking Security

The UNC2891 case shows how much risk sits in the gaps between well-defended systems. The Linux hosts involved in this incident were not fragile or outdated. They were typical production machines running standard banking workloads, and they failed only because an attacker reached them through a path no one was watching. Once the hardware implant was in place, the group had time to learn the environment and adjust their tooling until it blended in.

It also highlights how hybrid operations are becoming normal for financially motivated crews. They mix physical access, off-the-shelf hardware, and quiet Linux malware to build a foothold that lasts. This is less about zero-day exploits and more about understanding how real networks behave when they age. The longer the infrastructure remains unchanged, the more predictable it becomes to someone who has already found a way inside.

For security teams, the insight is simple but uncomfortable. Strong perimeter controls and regular patching are not enough when the attacker starts from a position that bypasses both. Modern banking security depends on treating every layer, including the physical one, as part of the threat surface. That means monitoring embedded devices, verifying internal assumptions, and treating unexpected behavior on stable systems as a signal rather than noise.

Finally, the case is a reminder that the people involved in these operations matter as much as the tooling. The cashouts only worked because mule networks were available and coordinated. Without that human layer, the malware and the Raspberry Pi hardware would have been interesting but unprofitable. Understanding how these mule networks operate helps teams see where technical controls stop being effective and where operational gaps begin.

Brittany Day
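The bind-mount monitoring the article describes, as an added example that is not from the article or from any of the investigations it reports on: a Python check that reads /proc/self/mountinfo and flags mounts that expose only a subtree of another filesystem (a bind mount) or a scratch filesystem placed over a path that should be a real on-disk directory, such as /var/log. The sensitive prefixes, the baseline mount points and the sample mountinfo lines are constructed assumptions.

```python
"""Added example (not from the article): flag bind mounts and scratch
filesystems placed over sensitive paths, parsed from /proc/self/mountinfo."""
import re
from typing import NamedTuple

# Paths an intruder would want to mask (assumption; tune per fleet).
SENSITIVE = ("/var/log", "/etc", "/bin", "/sbin", "/usr", "/root", "/proc")
# Mount points expected on a plain banking host (constructed baseline).
BASELINE = {"/", "/proc", "/sys", "/dev", "/run", "/boot", "/tmp",
            "/proc/sys/fs/binfmt_misc"}
SCRATCH_FS = {"tmpfs", "ramfs", "overlay"}
# root = subtree of the source fs visible at mount_point; "/" means the whole fs
Mount = NamedTuple("Mount", [("root", str), ("mount_point", str), ("fstype", str), ("source", str)])

def _unescape(field: str) -> str:
    # mountinfo encodes space/tab/newline/backslash as \040 \011 \012 \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> list[Mount]:
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")   # "-" ends the optional fields
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue                               # malformed line, skip it
        mounts.append(Mount(_unescape(lf[3]), _unescape(lf[4]), rf[0], _unescape(rf[1])))
    return mounts

def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")

def suspicious_mounts(mounts: list[Mount]) -> list[tuple[str, str]]:
    findings = []
    for m in mounts:
        if m.mount_point in BASELINE or not any(_under(m.mount_point, p) for p in SENSITIVE):
            continue
        if m.root != "/":                  # only a subtree is mapped here: a bind mount
            findings.append((m.mount_point, f"bind mount of {m.root} on {m.source}"))
        elif m.fstype in SCRATCH_FS:       # empty scratch fs hides whatever sits underneath
            findings.append((m.mount_point, f"{m.fstype} placed over an on-disk path"))
    return sorted(findings)

# Constructed sample: a bind mount masking /var/log and a tmpfs over /usr/local/sbin.
SAMPLE = """\
28 0 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
41 28 259:2 /tmp/.cache/log /var/log rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
42 28 0:48 / /usr/local/sbin rw,relatime shared:55 - tmpfs tmpfs rw
43 28 0:49 / /var/lib/app\\040cache rw,relatime shared:56 - tmpfs tmpfs rw
"""
```

On a live host, run suspicious_mounts(parse_mountinfo(open("/proc/self/mountinfo").read())) from a periodic job; hosts that legitimately use bind mounts (container platforms, chroot-based maintenance) need those mount points added to BASELINE to keep the check quiet.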
The perils of phishing emails and cyber-insurance were laid bare this week after news emerged of an American bank that fell victim to hackers twice within eight months and is suing its provider for failing to cover the losses. The Virginian National Bank of Blacksburg was hit in late May 2016 and again in January 2017 thanks to phishing emails which eventually resulted in the combined theft of $2.4m. The link for this article located at InfoSecurity is no longer available.
LinuxSecurity.com Team
As many as five Mexican banks may have been targeted by what appears to be a highly co-ordinated cyber-attack in which unauthorized transfers were made to bogus accounts. The campaign seems to have focused on the domestic SPEI transfer network, and as such is reminiscent of the recent spate of sophisticated attacks on the global SWIFT inter-bank messaging system. The link for this article located at InfoSecurity is no longer available.
LinuxSecurity.com Team
An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here. The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM. The link for this article located at Krebs on Security is no longer available.
LinuxSecurity.com Team
Researchers have warned of a vulnerability present on an estimated 10 percent of Android phones that may allow attackers to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets.
LinuxSecurity.com Team
Despite early warnings, pleading and even financial lures to upgrade systems from the Windows XP operating system, many of our core services are still running on the soon-to-be-retired system. It's not just our grandparents that stick stubbornly to Windows XP, which is due for an end-of-life and support retirement on April 8 this year. According to Symantec researchers, the banking industry is likely to be affected on this date, as 95 percent of our ATMs -- computer systems that control access to funds -- are still running on the archaic system. The link for this article located at ZDNet Blogs is no longer available.
LinuxSecurity.com Team
Out of band authentication. But RSA's Anti-Fraud Command Center on Monday found and reported on a Trojan called Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS. This doesn't mean out-of-band authentication via text messaging is useless, but it can be compromised using a dated, unsophisticated piece of malware. The link for this article located at American Banker is no longer available.
LinuxSecurity.com Team
A shadowy but well-organized hacker group in the Middle East has disrupted the electronic banking operations of America. A group identifying itself as Izz ad-Din al-Qassam Cyber Fighters attacked the websites of Wells Fargo, U.S. Bancorp and Bank of America. The strikes left customers temporarily unable to access their checking accounts, mortgages and other services. The link for this article located at Spokesman Review is no longer available.
LinuxSecurity.com Team