Linux admins -

UNC2891 isn’t a loud crew of hackers. They’ve built a reputation on patient intrusions and a habit of blending commodity hardware with quiet Linux tradecraft. This latest run fits their pattern.

They planted small 4G Raspberry Pi kits inside bank network rooms and treated them like disposable footholds. Once plugged in, the boxes pulled down familiar Unix tools, a custom backdoor, and a bind-mount trick that slips past most forensic scans. The crew moved slowly. Mapped traffic. Watched for gaps. Then pushed deeper into systems that should’ve been sealed off, almost like they’d walked the building long before touching the kernel. One of those operations that shows how fast a controlled environment unravels once an attacker gets a hand on the hardware.


Read on to get the full breakdown — tactics, tooling, and how the Pi implants were staged.

Yours in Open Source, 


Dave Wreski

LinuxSecurity Founder

Raspberry Pi

The Discovery 

UNC2891 hackers have been sneaking small hardware implants near ATM transaction switches, quietly feeding access back to the operators while Linux tooling handles the heavier work inside the network.


The Impact

The implants give the crew a quiet, persistent foothold on infrastructure that sits on the ATM transaction path, and they use that access for financial gain.

The Fix

To protect against these attacks, teams should segment networks so that ATM switching and other sensitive segments are not reachable from a device someone plugs into a network room, control which devices can join those segments (port security or 802.1X on access ports), and monitor for unusual bind-mount activity. Bind mounts do not show up in `df` or in a casual `mount` listing for what they are; the kernel records them in /proc/self/mountinfo, so that file, read from the init mount namespace, is what to compare against a known-good baseline.
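As an added example that is not from the page and not UNC2891's or anyone's recovered tooling, the following script parses /proc/self/mountinfo and flags bind mounts. It assumes the trick the page alludes to is the common form of masking a process by mounting a directory over its /proc/<pid> entry (reported as HIDDEN_PROC); any other mount whose root is a subtree of its source filesystem is reported as BIND for review. The sample mountinfo lines are constructed for the demonstration, not captured from an incident.

```shell
#!/bin/sh
# Added example: flag bind mounts that could be hiding something, from mountinfo.
# mountinfo fields:
#   id parent major:minor root mountpoint options [optional...] - fstype source superopts
# A bind mount exposes a subtree of the source filesystem, so its "root" field
# is not "/". btrfs subvolumes look the same and are skipped to reduce noise.
# Assumption (not stated on the page): a directory mounted over /proc/<pid>
# is the hiding technique, so that pattern is reported with its own label.

find_suspicious_bind_mounts() {
    awk '{
        fstype = ""; src = "";
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i+1); src = $(i+2); break }
        root = $4; mp = $5;
        if (mp ~ /^\/proc\/[0-9]+(\/|$)/) { print "HIDDEN_PROC " mp " <- " src ":" root; next }
        if (root != "/" && fstype != "btrfs") print "BIND " mp " <- " src ":" root
    }'
}

# Constructed sample (not a real capture). Line 4 mounts an empty directory over
# /proc/4213, which makes ps-style tools that enumerate /proc skip that PID.
SAMPLE_MOUNTINFO='21 26 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
26 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
38 26 8:1 /home /home rw,relatime shared:20 - ext4 /dev/sda1 rw
40 21 8:1 /var/empty /proc/4213 rw,relatime shared:31 - ext4 /dev/sda1 rw
41 21 0:35 / /proc/sys/fs/binfmt_misc rw,relatime shared:33 - binfmt_misc binfmt_misc rw'

case "${1:-}" in
    --live)   find_suspicious_bind_mounts < /proc/self/mountinfo ;;
    --sample) printf '%s\n' "$SAMPLE_MOUNTINFO" | find_suspicious_bind_mounts ;;
esac
```

Run it with `--sample` to see the two findings, or with `--live` as root from the init mount namespace (`nsenter -t 1 -m`) so that mounts made by a process in a different namespace are not missed; feed the live output into whatever you use for baselining, since legitimate binds (container runtimes, systemd's ProtectSystem, chroots) will also appear under BIND.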

Ubuntu 18.04

The Discovery 

While end-of-life systems like Ubuntu 18.04 can still run, they face significant security risks.



The Impact

EOL systems no longer receive security updates, so every vulnerability disclosed after the end-of-life date stays unpatched in production.

The Fix

Admins can manage Linux support lifecycles to mitigate these risks by tracking lifecycle dates proactively, applying updates and planning migrations before a release reaches end of life, and following other security best practices such as keeping an inventory of which release each host runs.
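As an added example (not from the page), the following script reads the release from os-release and checks it against a small lifecycle table so an approaching end-of-support date is noticed rather than discovered after the fact. The dates in the table are assumptions taken from Canonical's published end-of-standard-support dates and should be verified against the current Ubuntu release page before the script is relied on; the os-release sample is constructed.

```shell
#!/bin/sh
# Added example: report whether the running Ubuntu release is past its
# end-of-standard-support date. Dates in eol_status are assumptions to verify
# against Canonical's release page; ESM/Ubuntu Pro dates are not modelled.

# Prints VERSION_ID from os-release text supplied on stdin.
os_version_id() {
    sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# eol_status VERSION_ID TODAY (TODAY as YYYY-MM-DD)
# Prints "EOL since <date>" (exit 1), "supported until <date>" (exit 0) or
# "unknown release <ver>" (exit 2). ISO dates with the hyphens removed compare
# correctly as integers, so no date(1) arithmetic is needed.
eol_status() {
    ver=$1; today=$2
    case "$ver" in
        16.04) eol=2021-04-30 ;;   # assumed
        18.04) eol=2023-05-31 ;;   # assumed
        20.04) eol=2025-05-31 ;;   # assumed
        *) echo "unknown release $ver"; return 2 ;;
    esac
    t=$(printf '%s' "$today" | tr -d -)
    e=$(printf '%s' "$eol" | tr -d -)
    if [ "$t" -ge "$e" ]; then
        echo "EOL since $eol"; return 1
    fi
    echo "supported until $eol"; return 0
}

# Constructed os-release fragment for the demonstration.
SAMPLE_OS_RELEASE='NAME="Ubuntu"
VERSION_ID="18.04"
ID=ubuntu'

case "${1:-}" in
    --live)   eol_status "$(os_version_id < /etc/os-release)" "$(date +%Y-%m-%d)" ;;
    --sample) eol_status "$(printf '%s\n' "$SAMPLE_OS_RELEASE" | os_version_id)" "$(date +%Y-%m-%d)" ;;
esac
```

The non-zero exit codes are there so the check can sit in a cron job or a configuration-management run and fail loudly; extend the table (or generate it from a feed you trust) for the releases in your inventory.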