
Netizen Cybersecurity Bulletin (July 31st, 2025)

Overview:

  • Phish Tale of the Week
  • UNC2891 Targets ATM Networks Using 4G-Enabled Raspberry Pi and CAKETAP Rootkit
  • Apple Patches Safari Vulnerability Also Exploited as Chrome Zero-Day
  • How can Netizen help?

Phish Tale of the Week

Phishing campaigns created by malicious actors often target users through social engineering. For example, in this text message the actors pose as Royal Mail, a courier service, and inform you that action needs to be taken regarding your package’s delivery. The message politely explains that “RoyalMail” is holding our parcel at the nearest PO Depot, and that we just need to rearrange a delivery in order to receive it. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this smishing link:

  1. The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
  2. The second warning sign in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “is being held” and “Please visit.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
  3. The final warning sign for this text message is the style of the link. After a quick look at the address, one can quickly deduce that we’ve been sent a phishing link. Trusted companies like Royal Mail typically use a simple, standardized domain for their website. For example, Royal Mail’s official website is simply “royalmail.com.” Threat actors typically pack message-related words into the links they send you. After taking one quick look at the URL, “post.office-costs.com,” it’s very obvious that this message is an attempt at a smish.
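The three warning signs above can be turned into a simple triage routine. The following script is an added example written for this bulletin, not code from Netizen or Royal Mail; the official-domain set, the urgency phrases, the lure-word list and the two sample messages are all assumptions constructed to mirror the text above.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real SMS traffic). The first mirrors the
# Royal Mail smish described above; the second is a benign notification that
# points the reader to an already trusted environment instead of a link.
SAMPLE_MESSAGES = [
    "RoyalMail: your parcel is being held at the nearest PO Depot. "
    "Please visit https://post.office-costs.com/redelivery to rearrange delivery.",
    "Royal Mail: your parcel will arrive today. Check your tracking details "
    "in the app for more information.",
]

# Registered domains the organisation really uses (assumed for this example).
OFFICIAL_DOMAINS = {"royalmail.com"}

# Pressure language typical of smishing (assumed list; extend as needed).
URGENCY_PHRASES = ("is being held", "please visit", "immediately", "act now", "suspended")

# Words actors pack into lookalike domains to borrow credibility (assumed list).
LURE_WORDS = ("post", "office", "parcel", "delivery", "track", "costs")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the .com-style hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_sms(text: str) -> dict:
    """Score one SMS against the three warning signs: link present, urgency, lookalike domain."""
    findings = []
    urls = URL_RE.findall(text)
    if urls:
        findings.append("contains_url")          # warning sign 1
    lowered = text.lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        findings.append("urgency_language")      # warning sign 2
    for url in urls:                             # warning sign 3
        host = urlparse(url).hostname or ""
        domain = registered_domain(host)
        if domain not in OFFICIAL_DOMAINS:
            findings.append(f"unofficial_domain:{domain}")
            # Split the host on dots and hyphens to see whether it is stuffed with lure words.
            parts = re.split(r"[.-]", host.lower())
            if any(part in LURE_WORDS for part in parts):
                findings.append(f"lure_words_in_domain:{host}")
    if len(findings) >= 2:
        verdict = "likely_smish"
    elif findings:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(triage_sms(message))
```

The domain check is deliberately based on the registered domain rather than the full hostname: “post.office-costs.com” is not a subdomain of royalmail.com no matter how many familiar words it contains, which is exactly the point made in warning sign 3.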


General Recommendations:

A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many smishing messages convey urgency or even aggression in order to intimidate the recipient. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


Cybersecurity Brief

In this month’s Cybersecurity Brief:

UNC2891 Targets ATM Networks Using 4G-Enabled Raspberry Pi and CAKETAP Rootkit

A financially motivated threat group tracked as UNC2891 has been linked to a sophisticated cyber-physical intrusion targeting ATM infrastructure, using a 4G-connected Raspberry Pi to gain covert access to a bank’s internal network.

According to a recent report by Group-IB, the attackers physically installed a Raspberry Pi equipped with a 4G modem directly onto the same network switch as an ATM, effectively bypassing external perimeter defenses. It remains unclear how the attacker gained the physical access required to deploy the device.
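Because the device talks out over 4G, the bank’s perimeter and egress monitoring never see its traffic; the evidence that survives is at layer 2, on the switch it was plugged into. The following script is an added example for this bulletin, not tooling from Group-IB or from the affected bank: it audits a switch MAC table against an approved baseline for an ATM VLAN and flags unknown addresses, Raspberry Pi OUIs and ports carrying more than one device. The baseline, the table output and the port names are constructed; the three OUIs are the publicly registered Raspberry Pi prefixes.

```python
import re

# Publicly registered Raspberry Pi OUIs (first three octets). Extend with other
# single-board-computer vendors relevant to your environment.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Constructed baseline of the ATM VLAN as last approved (port -> expected MAC).
# Every port on this VLAN should carry exactly one device: the ATM itself.
BASELINE = {
    "Gi1/0/12": "00:1A:2B:3C:4D:5E",   # ATM-07 (constructed)
    "Gi1/0/13": "00:1A:2B:3C:4D:5F",   # ATM-08 (constructed)
}

# Constructed output in the style of a Cisco 'show mac address-table' listing.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 210    001a.2b3c.4d5e    DYNAMIC     Gi1/0/12
 210    001a.2b3c.4d5f    DYNAMIC     Gi1/0/13
 210    dca6.32a1.b2c3    DYNAMIC     Gi1/0/13
"""

CISCO_MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.IGNORECASE
)


def normalize_mac(dotted: str) -> str:
    """Convert Cisco dotted form (001a.2b3c.4d5e) to colon form (00:1A:2B:3C:4D:5E)."""
    digits = dotted.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """Return (port, mac) pairs from the MAC table dump; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = CISCO_MAC_RE.match(line)
        if match:
            entries.append((match.group(3), normalize_mac(match.group(2))))
    return entries


def audit_ports(entries: list, baseline: dict) -> list:
    """Compare observed MACs per port with the approved baseline and return alert strings."""
    alerts = []
    by_port = {}
    for port, mac in entries:
        by_port.setdefault(port, []).append(mac)
    for port, macs in by_port.items():
        expected = baseline.get(port)
        for mac in macs:
            if mac != expected:
                alerts.append(f"{port}: unexpected MAC {mac}")
            if mac[:8] in RASPBERRY_PI_OUIS:
                alerts.append(f"{port}: Raspberry Pi OUI {mac}")
        if len(macs) > 1:
            # An ATM port should never learn two addresses; a second MAC suggests a
            # tap, an unmanaged switch or another device inserted in the path.
            alerts.append(f"{port}: {len(macs)} MACs on a single-device port")
    return alerts


if __name__ == "__main__":
    for alert in audit_ports(parse_mac_table(SAMPLE_MAC_TABLE), BASELINE):
        print(alert)
```

Run against a fresh table dump on a schedule and alert on any difference from the baseline; a per-port MAC limit (port security) on ATM-facing switch ports turns the same check into a preventive control.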

Once connected, the device initiated outbound communication over mobile data, evading traditional network monitoring. The command-and-control (C2) channel was established using a TINYSHELL backdoor that communicated via a Dynamic DNS (DDNS) domain, enabling persistent remote access to the ATM network.

UNC2891, first profiled by Mandiant in 2022, has a history of targeting ATM switching networks to enable fraudulent cash withdrawals using counterfeit cards. At the center of this campaign is a Linux kernel rootkit named CAKETAP, which is capable of:

  • Hiding active network connections, processes, and filesystem entries
  • Intercepting and spoofing card and PIN verification messages from Hardware Security Modules (HSMs)
  • Facilitating unauthorized transactions through ATM networks

The group demonstrates deep familiarity with Unix and Linux-based environments and has been observed using advanced evasion techniques.

During the investigation, Group-IB uncovered additional persistence mechanisms inside the compromised network. A custom backdoor named lightdm was discovered on a network monitoring server, providing a secondary access path to both the compromised Raspberry Pi and an internal mail server.

The attacker also abused bind mounts to mask the presence of malicious processes, a technique that complicates detection by traditional process monitoring tools.
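A bind mount placed over /proc/<pid> makes that process vanish from ps and from a directory listing of /proc, because those tools read the mounted directory instead of the kernel’s view. The mount itself, however, is recorded in the mount table, so a defender can look for any filesystem stacked on a /proc/<pid> path. The script below is an added example written for this bulletin, not part of Group-IB’s report or tooling; the mountinfo sample is constructed to include one such overlay.

```python
import re

# Constructed /proc/self/mountinfo excerpt (not from a real host). The third line
# is a bind mount of an empty directory over /proc/4471, hiding that PID.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
46 22 0:40 / /proc/sys/fs/binfmt_misc rw,relatime shared:27 - autofs systemd-1 rw,fd=29,pgrp=1
93 22 8:1 /var/tmp/.cache/empty /proc/4471 rw,relatime shared:1 - ext4 /dev/sda1 rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Mount points of the form /proc/<pid> or anything beneath them.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text: str) -> list:
    """Parse mountinfo lines into dicts; field layout as documented in proc(5)."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mounts.append({
            "root": lf[3],                                  # path inside the source fs
            "mount_point": lf[4].replace("\\040", " "),     # proc(5) escapes spaces as \040
            "fstype": rf[0],
            "source": rf[1],
        })
    return mounts


def find_proc_overlays(mounts: list) -> list:
    """Return mounts stacked over /proc/<pid>; each one hides that PID from userland tools."""
    hits = []
    for mount in mounts:
        match = PROC_PID_RE.match(mount["mount_point"])
        if match and mount["fstype"] != "proc":
            hits.append({"pid": int(match.group(1)), **mount})
    return hits


def scan_live(path: str = "/proc/self/mountinfo") -> list:
    """Run the check against the current host."""
    with open(path) as handle:
        return find_proc_overlays(parse_mountinfo(handle.read()))


if __name__ == "__main__":
    for hit in find_proc_overlays(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"PID {hit['pid']} hidden by {hit['fstype']} mount of "
              f"{hit['source']}:{hit['root']} over {hit['mount_point']}")
```

This catches the user-space trick the report describes. It does not defeat a kernel rootkit such as CAKETAP, which can filter what /proc reports in the first place; when that is a possibility, corroborate from a trusted environment (an offline image or a boot medium you control) rather than from the suspect kernel.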

Although the CAKETAP rootkit was not fully deployed, the infrastructure and tooling were consistent with UNC2891’s previous operations. The campaign was reportedly disrupted before financial losses occurred, though the group retained internal access even after the Raspberry Pi was discovered and removed. Persistence was maintained through the mail server backdoor, which continued communicating with a DDNS-based C2 infrastructure.

Group-IB notes operational similarities between UNC2891 and another known actor, UNC1945 (also referred to as LightBasin), particularly in their targeting of financial institutions and use of Unix-based malware. Both groups have demonstrated capabilities in compromising managed service providers (MSPs) and internal banking infrastructure.



Apple Patches Safari Vulnerability Also Exploited as Chrome Zero-Day

Apple has issued a security update for its major platforms to address a critical browser vulnerability, CVE-2025-6558, which was exploited in the wild as a Google Chrome zero-day earlier this month.

The vulnerability, identified as CVE-2025-6558 with a CVSS score of 8.8, stems from improper validation of untrusted input within the ANGLE and GPU components of web browsers. According to Google’s Threat Analysis Group (TAG), this flaw can be triggered through a maliciously crafted HTML page, potentially allowing attackers to escape the browser sandbox.

Google confirmed that the vulnerability was actively exploited and credited researchers Clément Lecigne and Vlad Stolyarov of TAG with the discovery. Although detailed exploitation methods remain undisclosed, the flaw poses a real threat across both Chromium-based and WebKit-based browsers.

In line with Google’s disclosure, Apple acknowledged that WebKit, the core engine behind the Safari browser, is also affected. The company noted that the vulnerability could cause unexpected crashes when processing malicious web content.

Apple classified the issue as stemming from open-source code shared across projects and promptly released patches as part of its July 30 security updates.

Apple’s updates mitigate CVE-2025-6558 across a wide range of hardware:

  • iOS 18.6 / iPadOS 18.6: Affects iPhone XS and later, iPad Pro (13″, 12.9″ 3rd gen+, 11″), iPad Air 3rd gen+, iPad 7th gen+, and iPad mini 5th gen+
  • iPadOS 17.7.9: Patches for iPad Pro 12.9″ (2nd gen), 10.5″, and iPad 6th gen
  • macOS Sequoia 15.6: Applies to all Macs running Sequoia
  • tvOS 18.6: Affects all models of Apple TV HD and Apple TV 4K
  • watchOS 11.6: Available for Apple Watch Series 6 and newer
  • visionOS 2.6: Issued for Apple Vision Pro

As of now, there are no confirmed reports of this vulnerability being exploited against Apple users directly. However, given that CVE-2025-6558 has already been abused in Chrome, its presence in Safari and other Apple platforms raises concern, especially for users who haven’t yet applied the update.

All Apple users are strongly encouraged to update to the latest versions of their operating systems. Keeping software current remains one of the most effective ways to defend against browser-based zero-days and WebKit exploitation tactics.

For IT security teams and CISOs, monitoring for browser patch status across endpoints is advisable, especially within environments where both Google Chrome and Apple Safari are used.
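The patch-status monitoring suggested above reduces to comparing each device’s reported OS version against the fixed release for its platform, with one wrinkle from the list: iPads on the 17.x branch are fixed at iPadOS 17.7.9, not 18.6. The script below is an added example written for this bulletin, not an Apple or Netizen tool; the version table is taken from the update list above, the inventory records are constructed, and the treatment of a later major release as carrying the fix is an assumption.

```python
import re

# Minimum releases carrying Apple's July 30 fix for CVE-2025-6558, per the list above.
# iPadOS has two maintained branches, so it lists one fixed release per branch.
PATCHED_VERSIONS = {
    "ios": [(18, 6)],
    "ipados": [(17, 7, 9), (18, 6)],
    "macos": [(15, 6)],
    "tvos": [(18, 6)],
    "watchos": [(11, 6)],
    "visionos": [(2, 6)],
}

# Constructed device inventory (hostnames and versions are not real data).
SAMPLE_INVENTORY = [
    {"host": "ipad-finance-01", "platform": "iPadOS", "version": "17.7.8"},
    {"host": "ipad-ops-02", "platform": "iPadOS", "version": "18.6"},
    {"host": "mbp-ciso", "platform": "macOS", "version": "15.5"},
    {"host": "iphone-helpdesk", "platform": "iOS", "version": "18.6.1"},
]


def parse_version(text: str) -> tuple:
    """'17.7.9' -> (17, 7, 9); tuples compare component-wise, so 17.7 < 17.7.9."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_patched(platform: str, version: str) -> bool:
    """True if the device runs the fixed release (or later) on its own major branch."""
    fixes = PATCHED_VERSIONS.get(platform.lower())
    if fixes is None:
        raise ValueError(f"unknown platform: {platform}")
    current = parse_version(version)
    same_branch = [fix for fix in fixes if fix[0] == current[0]]
    if same_branch:
        return current >= same_branch[0]
    # Assumption: a major release newer than every listed fix inherits it; an older
    # branch with no listed fix (e.g. iPadOS 16) is treated as unpatched.
    return current[0] > max(fix[0] for fix in fixes)


def unpatched_hosts(inventory: list) -> list:
    """Hostnames still exposed to CVE-2025-6558 according to the table."""
    return [
        device["host"]
        for device in inventory
        if not is_patched(device["platform"], device["version"])
    ]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Feed it the OS version field exported from your MDM and it produces the list of devices to chase; the same table, with the browser build added, covers Chrome on the same endpoints.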



How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.