
Leading Bitcoin ATM maker General Bytes has revealed that hackers stole cryptocurrency from the company and its customers using a zero-day vulnerability in its BATM management platform.

General Bytes makes Bitcoin ATMs that allow people to buy or sell over 40 cryptocurrencies. Customers can deploy their ATMs using standalone management servers or the General Bytes cloud service.

Over the weekend, the company revealed that hackers had exploited a zero-day vulnerability tracked as BATM-4780 to remotely download a Java application through the ATM's core service interface and run it with "batm" user privileges.

"The attacker scanned the Digital Ocean cloud hosting IP address space and identified CAS services running on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider)," General Bytes explained in a Security Incident Disclosure.

The company took to Twitter to urge customers to “take immediate action” and install the latest updates to protect their servers and funds from attackers.


After downloading the Java application, the hackers were able to perform the following actions on the compromised devices:

  • Ability to access the database.

  • Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.

  • Send funds from hot wallets.

  • Download usernames, their password hashes, and disable 2FA.

  • Ability to access terminal event logs and find any instances where customers have scanned private keys at the ATM. Older versions of ATM software recorded this information.

General Bytes warned that its customers and its own cloud service were hacked in the attacks.

"GENERAL BYTES Cloud service was hacked along with standalone servers from other carriers," the statement emphasizes.

Although the company did not reveal how much money the attacker stole, it provided a list of cryptocurrency addresses used by the hacker during the attack.

These addresses show that the hacker started stealing cryptocurrency from Bitcoin ATM servers on March 17, with the attacker's Bitcoin address receiving 56.28570959 BTC, worth approximately $1,589,000, and 21.79436191 Ethereum, worth about $39,000.

While the Bitcoin wallet still contains the stolen cryptocurrency, the threat actors appear to have used Uniswap to convert the stolen Ethereum into USDT.

Upgrade servers now

CAS (Crypto Application Server) administrators are encouraged to examine their “master.log” and “admin.log” log files for any suspicious time intervals caused by the attacker deleting log entries to conceal their actions on the device.

The General Bytes report also warned that the downloaded malicious Java applications would appear in the "/batm/app/admin/standalone/deployments/" folder as randomly named .war and .war.deployed files, as shown below.

The company notes that the filenames are likely different per victim.

[Image: files (highlighted in red) dropped by the attacker on the hacked CAS servers. Source: General Bytes]
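The two triage checks described above (hunting for unexplained silences in master.log/admin.log and for stray .war/.war.deployed files in the deployments folder) as an added example; this is not General Bytes' code. The timestamp prefix of the log lines is an assumption, as is the sample log itself, which is constructed for illustration.

```python
"""Triage helpers for a CAS host: flag gaps in master.log/admin.log and list
deployable archives in the JBoss/WildFly-style deployments folder.
ASSUMPTION: log lines start with 'YYYY-MM-DD HH:MM:SS'; adapt TS_RE to the real format."""
import os
import re
from datetime import datetime, timedelta

DEPLOYMENTS_DIR = "/batm/app/admin/standalone/deployments"  # path named in the advisory
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")  # assumed log prefix


def find_log_gaps(lines, max_gap=timedelta(hours=1)):
    """Return (previous_ts, next_ts, gap) for consecutive timestamped entries that are
    further apart than max_gap. A normally chatty server going silent for hours is the
    hint the advisory describes: entries may have been deleted to hide activity."""
    gaps, prev = [], None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # stack traces / continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts, ts - prev))
        prev = ts
    return gaps


def filter_archive_names(names):
    """Keep only .war archives and their .war.deployed markers, sorted for review."""
    return sorted(n for n in names if n.endswith((".war", ".war.deployed")))


def find_deployed_archives(directory=DEPLOYMENTS_DIR):
    """List archive files in the deployments folder; an unexpected, randomly named
    .war/.war.deployed pair is the artifact to investigate. Missing dir -> empty list."""
    try:
        return filter_archive_names(os.listdir(directory))
    except FileNotFoundError:
        return []


# Constructed sample log with a ~4 hour hole early on 2023-03-18 (illustrative only).
SAMPLE_LOG = """\
2023-03-18 01:59:57 INFO  terminal heartbeat ok
2023-03-18 02:00:12 INFO  terminal heartbeat ok
2023-03-18 06:15:41 INFO  terminal heartbeat ok
  at com.example.Trace (continuation line without timestamp)
2023-03-18 06:16:03 INFO  terminal heartbeat ok
""".splitlines()

if __name__ == "__main__":
    for prev, nxt, gap in find_log_gaps(SAMPLE_LOG):
        print(f"gap of {gap} between {prev} and {nxt}")
    for name in find_deployed_archives():
        print("deployed archive:", name)
```

Run it on a real server with the actual log files read into `find_log_gaps`; the one-hour threshold is a starting point and should be tuned to how often the CAS normally logs.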

Those who show no signs of a breach should still assume that all of their CAS passwords and API keys are compromised, immediately invalidate them, and generate new ones. All user passwords should also be reset.

Detailed step-by-step instructions for all server operators on protecting their endpoints are included in the company’s statement.

Closing the cloud service

General Bytes says it is shutting down its cloud service, stating that it is "theoretically (and practically) impossible" to protect it from bad actors when it must simultaneously provide access to multiple carriers.

The company will provide data migration support for those who wish to install their own standalone CAS, which should now be placed behind a firewall and VPN.

General Bytes also released a CAS security patch that addresses the exploited vulnerability, provided in two patches, 20221118.48 and 20230120.44.

The company also points out that the hacked system has undergone several security audits since 2021, but none identified the exploited vulnerability.

Additionally, researchers at cryptocurrency exchange Kraken found multiple vulnerabilities in General Bytes ATMs in 2021, which the company quickly corrected.

However, even with these security audits, in August 2022, General Bytes had a security incident where hackers exploited a zero-day vulnerability in its ATM servers to steal cryptocurrency from its customers.

The company announced plans to conduct numerous security audits of its products by multiple companies over a short period of time to uncover and fix other potential flaws before bad actors find them.

