Cybercriminals planted Raspberry Pi in attempt to hack ATMs.

Summary

By the CyberWire staff

At a glance.

Cybercriminals planted Raspberry Pi in attempt to hack ATMs.
Russia targets embassies with ISP-level attacks.
Critical flaw discovered in SUSE Manager.

Cybercriminals planted Raspberry Pi in attempt to hack ATMs.

Group-IB reports that a cybercriminal group physically planted a Raspberry Pi inside the network of an Indonesian bank in order to withdraw cash from ATMs. The researchers note, "This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data."

Group-IB says the crooks' "ultimate target was the ATM switching server, with the intent to deploy CAKETAP – a rootkit designed to manipulate HSM responses – and spoof authorization messages to facilitate fraudulent ATM cash withdrawals." The campaign was disrupted before they succeeded.

The researchers also discovered a new Linux anti-forensics tactic used in the campaign, which is now catalogued by MITRE ATT&CK. MITRE explains, "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities."

Are You Future Ready? Secure Your Machine Future With Confidence.

CyberArk is the leader behind the world’s most comprehensive machine identity security solution. With capabilities that span secrets, certificate management and workload identities, we enable customers to secure more machine identity use cases with the right level of privilege control. Find out exactly how we’re helping modern organizations secure their machine future.

Russia targets embassies with ISP-level attacks.

Microsoft has published a report on a Russian cyberespionage campaign targeting foreign embassies in Moscow with the ApolloShadow malware. Microsoft attributes the campaign to the FSB-linked threat actor Secret Blizzard (also known as "Turla"). The researchers note, "While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level. This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services."

How to enhance cloud security using next-generation firewalls on AWS

Join Amazon Web Services (AWS) and SANS Institute experts in this free webinar to explore how next-generation firewalls (NGFWs) can enhance cloud security and streamline operations. See demos and learn how to evaluate, deploy, and manage NGFWs in AWS Marketplace. Register today for our live webinar on July 24, or on-demand after!

Critical flaw discovered in SUSE Manager.

SUSE Manager for Linux has received a patch for a critical flaw (CVE-2025-46811) that can allow remote unauthenticated attackers to execute arbtirary code as root, GB Hackers reports. According to the bug report on Bugzilla, "You can simply omit the SessionId and then you can execute salt commands on all servers. A simple access to port 443 without credentials is sufficient to take over our entire Linux server network." Users are urged to apply patches immediately.

Notes.

Today's issue includes events affecting Indonesia, Russia, and the United States.

Attacks, Threats, and Vulnerabilities

Luxembourg probes reported attack on Huawei tech that caused nationwide telecoms outage (The Record) Authorities in Luxembourg said a nationwide telecommunications outage in July was caused by a deliberately disruptive cyberattack. Huawei networking products were reportedly the target.

Hackers Regularly Exploit Vulnerabilities Before Public Disclosure (Infosecurity Magazine) Spikes in attacker activity precede the disclosure of vulnerabilities 80% of the time, according to a new GreyNoise report

CISA identifies OT configuration flaws during cyber threat hunt at critical infrastructure organization, lists cyber hygiene (Industrial Cyber) CISA identifies OT configuration flaws during cyber threat hunt at critical infrastructure organization, lists cyber hygiene

Technologies, Techniques, and Standards

Thorium Platform Public Availability (CISA) Today, CISA, in partnership with Sandia National Laboratories, announced the public availability of Thorium, a scalable and distributed platform for automated file analysis and result aggregation. Thorium enhances cybersecurity teams' capabilities by automating analysis workflows through seamless integration of commercial, open-source, and custom tools. It supports various mission functions, including software analysis, digital forensics, and incident response, allowing analysts to efficiently assess complex malware threats.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

DEF CON 33 (Las Vegas, Nevada, USA, Aug 7 - 10, 2025) DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest.

39th Annual Small Satellite Conference (Salt Lake City, Utah, USA, Aug 11 - 13, 2025) During the 39th Annual Small Satellite Conference, we will delve into the innovations, demands, and cross-market collaborations shaping the future of satellite capabilities and driving new opportunities allowing us to collectively reach new horizons.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 08.01.25

At a glance.

Cybercriminals planted Raspberry Pi in attempt to hack ATMs.

Russia targets embassies with ISP-level attacks.

Critical flaw discovered in SUSE Manager.

Notes.

Attacks, Threats, and Vulnerabilities

Technologies, Techniques, and Standards

Events