Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw

Mar 21, 2023 | Ravie Lakshmanan | Cryptocurrency / Hacking


Bitcoin ATM maker General Bytes disclosed that unidentified
threat actors stole cryptocurrency from hot wallets by exploiting a
zero-day security flaw in its software.

“The attacker was able to upload his own Java application remotely via the master service interface used by terminals to upload videos and run it using ‘batm’ user privileges,” the company said[1] in an advisory published over the weekend.

“The attacker scanned the Digital Ocean cloud hosting IP address
space and identified running CAS services on ports 7741, including
the General Bytes Cloud service and other GB ATM operators running
their servers on Digital Ocean,” it further added.

The company said that the server to which the malicious Java
application was uploaded was by default configured to start
applications present in the deployment folder
(“/batm/app/admin/standalone/deployments/”).
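Because anything dropped into that folder is started automatically, the practical defensive check is a baseline audit of the deployment directory: every archive present must match a known-good hash, and any archive that is new, altered or missing is reported. The script below is an added example written for this article, not General Bytes code; it assumes the folder path quoted above, treats `.war`/`.jar`/`.ear` files as deployable archives, and runs its demo against a constructed temporary directory rather than a live server.

```python
"""Audit a hot-deploy directory for archives not on an approved baseline."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: the CAS deployment folder named in the advisory. Any archive
# placed here is started by the server, so only baselined archives belong.
DEPLOY_DIR = Path("/batm/app/admin/standalone/deployments")
ARCHIVE_SUFFIXES = {".war", ".jar", ".ear"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_deployments(deploy_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare archives in deploy_dir with baseline {filename: sha256}.

    Returns three sorted lists: 'unknown' archives absent from the baseline
    (the case in the advisory), 'modified' archives whose hash changed, and
    'missing' baselined archives no longer present. Non-archives are ignored.
    """
    found = {p.name: sha256_of(p) for p in deploy_dir.iterdir()
             if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES}
    return {
        "unknown": sorted(n for n in found if n not in baseline),
        "modified": sorted(n for n in found if n in baseline and found[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in found),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a temp dir standing in for DEPLOY_DIR."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin.war").write_bytes(b"approved admin application")
        (root / "api.jar").write_bytes(b"api archive with changed contents")
        (root / "video-helper.jar").write_bytes(b"archive never baselined")  # the suspect
        (root / "README.txt").write_text("not an archive, ignored")
        baseline = {
            "admin.war": sha256_of(root / "admin.war"),              # unchanged
            "api.jar": hashlib.sha256(b"original api archive").hexdigest(),  # altered on disk
            "legacy.war": hashlib.sha256(b"removed archive").hexdigest(),    # gone
        }
        return audit_deployments(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real host the baseline would be recorded from a freshly patched install and the audit scheduled to run regularly, with any non-empty list treated as an incident rather than a warning.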

In doing so, the attack allowed the threat actor to access the
database; read and decrypt API keys used to access funds in hot
wallets and exchanges; send funds from the wallets; download
usernames, password hashes, and turn off two-factor authentication
(2FA); and even access terminal event logs.

It also warned that its own cloud service as well as other
operators’ standalone servers were infiltrated as a result of the
incident, prompting the company to shutter the service.

In addition to urging customers to keep their crypto application servers (CASs) behind a firewall and a VPN, it also recommends rotating all users’ passwords and the API keys used for exchanges and hot wallets.

“The CAS security fix is provided in two server patch releases,
20221118.48 and 20230120.44,” General Bytes said in the
advisory.

The company further emphasized that it had conducted multiple
security audits since 2021 and that none of them flagged this
vulnerability. It appears to have been unpatched since version
20210401.


General Bytes did not disclose the exact amount of funds stolen by the hackers, but an analysis of the cryptocurrency wallets used in the attack reveals the receipt of 56.283 BTC[3] ($1.5 million), 21.823 ETH[4] ($36,500), and 1,219.183 LTC[5] ($96,500).

The ATM hack is the second breach[6] targeting General Bytes in less than a year, with another zero-day flaw in its ATM servers exploited to steal crypto from its customers in August 2022.


References

  1. said (generalbytes.atlassian.net)
  2. RESERVE YOUR SEAT (thn.news)
  3. 56.283 BTC (blockchair.com)
  4. 21.823 ETH (blockchair.com)
  5. 1,219.183 LTC (blockchair.com)
  6. second breach (thehackernews.com)
  7. Twitter (twitter.com)
  8. LinkedIn (www.linkedin.com)
