Malware Activity
LightBasin's Covert ATM Intrusion: Hybrid Cyber-Physical Attack Thwarted
The financially motivated threat group UNC2891, also known as LightBasin, launched a covert hybrid attack on a bank's ATM infrastructure by physically installing a 4G-enabled Raspberry Pi onto the same network switch as the ATM. This cyber-physical intrusion allowed the attackers to establish persistent remote access via a TinyShell backdoor communicating through a Dynamic DNS domain, completely bypassing perimeter defenses. The device served as a pivot point into the bank's internal systems, enabling lateral movement to critical infrastructure including the Network Monitoring and Mail Servers. Disguised backdoors named "lightdm" were used to maintain stealth, while bind mounts and mounted filesystems such as tmpfs were leveraged to obscure malicious processes and evade forensics. The attack's goal was to deploy the CAKETAP rootkit (capable of spoofing card verification messages from hardware security modules to enable unauthorized ATM withdrawals) but the operation was detected and disrupted before financial damage occurred. Despite the Raspberry Pi's removal, the attackers had already established alternate persistence through the compromised mail server. Group-IB and Mandiant attribute the campaign to a threat actor with deep expertise in Linux/Unix systems and a history of targeting financial and telecom infrastructure. CTIX analysts will continue to report on the latest threat actor attack methodologies.
- Bleeping Computer: LightBasin ATM Compromise Article
- The Hacker News: LightBasin ATM Compromise Article
Threat Actor Activity
ShinyHunters Extortion Group Linked to Data Breaches within Salesforce Environments
A wave of data breaches affecting companies such as Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which uses voice phishing to steal data from Salesforce CRM instances. Threat researchers warned in June that threat actors tracked as UNC6040 were targeting Salesforce customers through social engineering. These tactics include impersonating IT support staff to persuade employees to enter a "connection code" on Salesforce's app setup page, which links a malicious app to the victim's Salesforce environment. Some attacks involved phishing pages impersonating Okta login pages to steal credentials and MFA tokens. Several companies reported breaches involving third-party CRM systems, with LVMH subsidiaries and others confirming unauthorized access to customer databases. Although none of the companies publicly named Salesforce, independent researchers confirmed that these incidents were part of the same campaign detailed by the initial researchers. The threat actors, calling themselves ShinyHunters, are attempting private extortion via email, with the threat of public data leaks if demands are not met. Confusion arose because the attacks were initially attributed to Scattered Spider (UNC3944), which also targeted similar sectors. However, ShinyHunters focuses on data-theft extortion, and overlaps in tactics suggest some crossover between the groups. Some believe ShinyHunters may operate as extortion-as-a-service, selling stolen data on behalf of others. Salesforce emphasized that its platform remains uncompromised and encouraged customers to strengthen their security posture by enforcing trusted IP ranges, enabling MFA, and following best practices to protect against phishing and social engineering attacks.
Vulnerabilities
Active Exploitation of Critical File Upload Flaw in 'Alone' WordPress Theme Enables Full Site Takeovers
A critical vulnerability is being actively exploited by threat actors to gain remote code execution (RCE) and complete control over WordPress websites using the Alone Charity Multipurpose Non-profit Theme. Affecting all versions up to 7.8.3, the flaw, tracked as CVE-2025-5394, stems from the "alone_import_pack_install_plugin()" function, which lacks both proper nonce validation and capability checks, allowing unauthenticated attackers to upload arbitrary plugins via AJAX from remote sources. Wordfence has blocked over 120,000 exploitation attempts and notes that attacks began several days before the vulnerability's public disclosure, suggesting adversaries monitor changelogs and patches to identify unannounced weaknesses. Exploits typically involve uploading ZIP archives (e.g., wp-classic-editor.zip) that contain PHP backdoors and full-featured file managers, enabling the creation of hidden admin accounts and full site access. Malicious activity has been traced to numerous IP addresses, which should be blocked immediately. The issue was silently patched by the vendor Bearsthemes in version 7.8.5 on June 16, 2025. Given the theme's widespread use among nonprofits and NGOs, CTIX strongly urges users to update, scan for unauthorized admin accounts, and review logs for suspicious AJAX plugin installation requests.
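As an added example (not code from the CTIX report, Wordfence, or the theme vendor), a small Python log review script that implements the last recommendation above: it flags requests to admin-ajax.php that carry the suspect action in the query string and correlates them, per source IP, with requests to plugin directories that are not in an allowlist of installed plugins. The AJAX action name is assumed to mirror the vulnerable function's name, the plugin allowlist and the log lines are constructed, and the `wp-classic-editor` slug is inferred from the archive name the article cites.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed: the AJAX action name matches the vulnerable function name (the article
# names only the function). KNOWN_PLUGINS is a constructed allowlist of slugs that
# are legitimately installed on the site being reviewed.
SUSPECT_ACTION = "alone_import_pack_install_plugin"
KNOWN_PLUGINS = {"akismet", "contact-form-7"}

# Constructed Apache combined-format lines; RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [18/Jul/2025:10:01:05 +0000] "GET /wp-content/plugins/wp-classic-editor/ HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [18/Jul/2025:10:02:00 +0000] "GET /wp-content/plugins/akismet/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 60 "https://example.test/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/?]+)')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_suspicious(log_text, window_seconds=300):
    """Return (ip, reason) findings: every hit on the suspect AJAX action, plus any
    request from the same IP to a non-allowlisted plugin path within the window."""
    ajax_hits = defaultdict(list)            # ip -> timestamps of suspect AJAX calls
    unknown_plugin_hits = defaultdict(list)  # ip -> (timestamp, slug) outside allowlist
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"]
        if path.startswith("/wp-admin/admin-ajax.php") and f"action={SUSPECT_ACTION}" in path:
            ajax_hits[rec["ip"]].append(rec["ts"])
        pm = PLUGIN_RE.match(path)
        if pm and pm.group(1) not in KNOWN_PLUGINS:
            unknown_plugin_hits[rec["ip"]].append((rec["ts"], pm.group(1)))
    findings = []
    for ip, times in ajax_hits.items():
        findings.append((ip, "suspect-ajax-action"))
        for ts, slug in unknown_plugin_hits.get(ip, []):
            # A new plugin directory served shortly after the AJAX call is the strong signal.
            if any(0 <= (ts - t).total_seconds() <= window_seconds for t in times):
                findings.append((ip, f"unknown-plugin-after-ajax:{slug}"))
    return findings
```

Access logs expose the action only when it travels in the query string; a POSTed body needs request-body logging or a WAF to be visible, so treat an empty result as inconclusive rather than clean.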