$1.5M Stolen From General Bytes Bitcoin ATMs After Zero-Day Exploit

$1.5M Stolen From General Bytes Bitcoin ATMs After Zero-Day Exploit

General Bytes, a major provider of Bitcoin ATMs, revealed that hackers had stolen money from the business and its clients by exploiting a zero-day flaw in their BATM management platform. The Bitcoin ATMs produced by General Bytes enable users to buy or trade more than 40 cryptocurrencies. Customers can install their ATMs employing General Bytes’ cloud service or independent management servers. The business revealed over the weekend that attackers remotely uploaded a Java program via ATM’s master service interface and ran it with the ‘batm’ user rights by taking advantage of a zero-day vulnerability identified as BATM-4780.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider),” General Bytes explained in a security incident disclosure.

To prevent hackers from accessing customers’ servers and money, the firm sent a message on Twitter urging users to “take immediate action” and install the most recent upgrades. The threat actors acquired access to the following activities on infected machines after downloading the Java application:

  • Ability to use the database
  • Send money from prominent wallets
  • Ability to read and decrypt API keys required to access money on famous exchanges and wallets
  • Download user names and their password hashes, and disable 2FA
  • Ability to go through terminal event logs and scan for any instances of private key scanning by users at the ATM. This data was being logged by older ATM software versions

General Bytes issued a warning after discovering that the cyberattacks had compromised both its cloud service and its customers. “GENERAL BYTES Cloud service was breached as well as other operator’s standalone servers,” highlights the statement.

The business supplied a list of cryptocurrency addresses used by the hacker during the attack in addition to disclosing the amount of money the attacker took. These addresses indicate that the hacker started stealing cryptocurrencies on March 17th, sending 56.28570959 BTC (value of approximately $1,589,000) and 21.79436191 ETH (worth approximately $39,000) to the attacker’s Bitcoin address. The stolen money is still there in the Bitcoin wallet; however, it appears that the threat actors converted the stolen Ethereum into USDT via Uniswap.

The “master.log” and “admin.log” log files should be carefully inspected by CAS (Crypto Application Server) administrators for any unusual gaps in time that might have resulted from the attacker removing log entries to hide their operations on the system. General Byte’s report further stated that the malicious JAVA apps would show up as files with arbitrary filenames ending in “.war” and “.war.deployed” in the “/batm/app/admin/standalone/deployments/” folder.

The company points out that each victim’s file name is probably unique. Those who don’t see any indications of a hack should nonetheless treat all of their CAS passwords and API keys as compromised, invalidate them right now, and create new ones. Resetting all user passwords is also recommended. The company’s announcement includes comprehensive step-by-step guidelines for safeguarding endpoints for all server operators.

According to General Bytes, it is “theoretically (and practically) impossible” to safeguard its cloud service from malicious actors since it must concurrently grant access to several operators, hence the company is shutting down the service. Those who want to create their own independent CAS, which should now be put behind a firewall and VPN, can get assistance from the firm with data migration.

A CAS security remedy from General Byte has also been made available. It comes in two patches, 20221118.48 and 20230120.44, and it fixes the exploited vulnerability. The fact that the compromised system has undergone many security assessments since 2021 yet none of them have managed to find the exploited vulnerability is further highlighted. Additionally, in 2021, researchers from the Kraken cryptocurrency exchange discovered many flaws in General Bytes’ ATMs, which the firm promptly corrected.

Despite these security checks, General Bytes had a security breach in August 2022 when thieves used a zero-day vulnerability in its ATM servers to steal cryptocurrency from users. The business claims that to detect and address more possible holes before malicious parties do, it wants to quickly perform several security assessments of its products by various organizations.

About the author

Yehudah Sunshine

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and or opportunities enhance marketing strategies and elevate cyber driven thought leadership for cyfluencer (www.cyfluencer .com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.