Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw


General Bytes, the manufacturer of Bitcoin ATMs, has disclosed that unidentified cybercriminals gained access to cryptocurrency held in hot wallets by exploiting a previously unknown (zero-day) vulnerability in its software.

According to a statement released by the company over the weekend, the attackers remotely uploaded their own Java application through the master service interface, which terminals normally use for video uploads. The uploaded application then ran with the privileges of the "batm" user.

The attacker scanned the Digital Ocean cloud hosting IP address range and identified CAS services listening on port 7741. Among them were the General Bytes Cloud service and the servers of other GB ATM operators hosted on Digital Ocean.

The company stated that the server automatically deploys and starts any application placed in the designated folder (/batm/app/admin/standalone/deployments/), so the uploaded malicious Java application was launched without further interaction.

With the application running, the attacker was able to access the database and, from there, read and decrypt the API keys used to reach hot wallets and exchanges. The attacker transferred funds out of various wallets, obtained usernames and password hashes, and disabled two-factor authentication (2FA). They were also able to access terminal event logs.
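The attack chain above hinges on the server picking up and running whatever lands in its hot-deployment folder. A defender's first check is therefore to compare that folder against the set of artifacts the operator expects to be there and to flag anything unexpected or freshly modified. The script below is an added example and not General Bytes code: it assumes the operator maintains an allowlist of expected artifact names, and the sample file names it uses are constructed for the example, not taken from the product.

```python
"""Report unexpected or recently modified artifacts in a hot-deployment folder.

Added example, not General Bytes code. Assumption (not from the advisory): the
operator keeps an allowlist of the artifact names the server is expected to
deploy; every other deployable artifact in the folder is reported for review.
"""
import time
from dataclasses import dataclass
from pathlib import Path

# Folder named in the General Bytes advisory as the auto-deploy location.
DEFAULT_DEPLOY_DIR = "/batm/app/admin/standalone/deployments/"

# Suffixes a Java application server will deploy and run from that folder.
DEPLOYABLE_SUFFIXES = (".war", ".jar", ".ear")


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    age_seconds: float


def classify_deployments(entries, allowlist, now, recent_window=3600):
    """Pure logic over an iterable of (filename, mtime_epoch_seconds) pairs.

    Artifacts not on the allowlist are reported outright. Allowlisted artifacts
    modified inside `recent_window` seconds are reported too, because a known
    artifact that was silently replaced is as suspicious as a new one.
    """
    allowed = {name.lower() for name in allowlist}
    findings = []
    for name, mtime in entries:
        lower = name.lower()
        if not lower.endswith(DEPLOYABLE_SUFFIXES):
            continue  # deployment marker files and non-Java content are out of scope
        age = now - mtime
        if lower not in allowed:
            findings.append(Finding(name, "not on allowlist", age))
        elif age < recent_window:
            findings.append(Finding(name, "allowlisted artifact recently modified", age))
    return findings


def scan_directory(deploy_dir=DEFAULT_DEPLOY_DIR, allowlist=(), recent_window=3600):
    """Filesystem wrapper: list the folder and hand the entries to classify_deployments()."""
    root = Path(deploy_dir)
    if not root.is_dir():
        return []
    entries = [(p.name, p.stat().st_mtime) for p in root.iterdir() if p.is_file()]
    return classify_deployments(entries, allowlist, time.time(), recent_window)


if __name__ == "__main__":
    # Constructed sample listing standing in for a real directory scan; the
    # artifact names are invented for this example.
    now = 1_700_000_000
    sample = [
        ("admin-console.war", now - 30 * 86400),           # expected and old: fine
        ("upload-helper.jar", now - 120),                  # unexpected, minutes old: report
        ("admin-console.war.deployed", now - 30 * 86400),  # marker file: ignored
    ]
    for finding in classify_deployments(sample, ["admin-console.war"], now):
        print(f"{finding.name}: {finding.reason} ({finding.age_seconds:.0f}s old)")
```

Run `scan_directory()` from a cron job or a file-integrity monitor with the operator's real allowlist; any finding is a reason to inspect the artifact and the upload interface's access logs before the server deploys the next thing it is handed.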

The company warned that both its own cloud service and the servers of other operators were breached in the incident, and it shut down the cloud service as a precaution.

Operators are advised to place Crypto Application Servers (CASs) behind a firewall and a VPN, and to rotate the passwords and API keys of all users who access exchanges and hot wallets.
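The advice to keep the CAS behind a firewall and VPN is only as good as its verification: the attacker found these servers precisely because port 7741 answered on public cloud addresses. The following added example (not General Bytes code) parses `ss -lnt` output and reports any listener on the CAS port that is bound to a wildcard address or to an address outside an operator-supplied allowlist. The allowlist, including the VPN interface address 10.8.0.1, and the sample `ss` output are assumptions constructed for the example.

```python
"""Check whether the CAS port is reachable beyond loopback and VPN interfaces.

Added example, not General Bytes code. Parses `ss -lnt` output (live or captured)
and reports listeners on the CAS port bound to a wildcard address or to any
address not on the allowlist. The allowlist below is an assumption.
"""
import subprocess

CAS_PORT = 7741  # port on which the advisory says CAS services were found

# Hypothetical: loopback plus the address of this host's VPN interface.
DEFAULT_ALLOWED_BIND_ADDRS = frozenset({"127.0.0.1", "::1", "10.8.0.1"})
WILDCARDS = frozenset({"0.0.0.0", "*", "::", "[::]"})

# Constructed sample output, not captured from a real CAS host.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:7741        0.0.0.0:*
LISTEN 0      4096   [::]:7741           [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (local_address, port) tuples for every LISTEN line in `ss -lnt` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or unrelated text
        # rpartition handles bracketed IPv6 such as "[::]:7741" as well as IPv4.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def exposed_listeners(ss_output, port=CAS_PORT, allowed=DEFAULT_ALLOWED_BIND_ADDRS):
    """Addresses on which `port` accepts connections from outside the allowlist."""
    return [
        addr
        for addr, p in parse_listeners(ss_output)
        if p == port and (addr in WILDCARDS or addr not in allowed)
    ]


def check_live_host(port=CAS_PORT, allowed=DEFAULT_ALLOWED_BIND_ADDRS):
    """Run `ss -lnt` on this machine (Linux) and evaluate the result."""
    out = subprocess.run(["ss", "-lnt"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port, allowed)


if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {CAS_PORT} is bound to {addr}: bind it to the VPN interface or firewall it")
```

A non-empty result means the service is answering on an interface the firewall and VPN design did not intend; the fix is to bind the service to the VPN address or to add a host firewall rule that drops inbound 7741 from anywhere else, and then re-run the check.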

According to the advisory by General Bytes, two server patch releases (20221118.48 and 20230120.44) have been made available to address the CAS security issue.

The company reiterated that it had commissioned numerous security assessments since 2021 and that none of them uncovered the vulnerability, which appears to have been present since version 20210401.

General Bytes did not disclose the total amount stolen. However, an examination of the crypto wallets used in the attack shows that they received 56.283 BTC ($1.5 million), 21.823 ETH ($36,500), and 1219.183 LTC ($96,500).

This is the second time General Bytes has been targeted: less than a year after the first breach, attackers have again exploited a zero-day vulnerability in its ATM servers to steal cryptocurrency from customers.
