The manufacturer of General Bytes Bitcoin ATMs has reported that hackers stole digital currency from the company and its customers by exploiting a zero-day vulnerability in its BATM management platform.

General Bytes Bitcoin ATMs allow users to buy or sell over 40 types of cryptocurrencies. Customers can deploy their ATMs using either an independent management server or a cloud service provided by General Bytes.
Over the weekend, the company revealed that hackers had exploited a zero-day vulnerability identified as BATM-4780 to upload a Java application through the ATM's main service interface.
"The attacker scanned the Digital Ocean cloud server IP range and identified CAS services running on port 7741, including the General Bytes Cloud service and other third-party services running on the Digital Ocean server."
General Bytes is urging customers to install the latest updates immediately to protect their servers and funds from attackers.
The uploaded Java application will allow hackers to perform unauthorized actions on the compromised device, including:
Accessing the database.
Reading and decrypting API keys used to access funds in hot wallets and exchanges.
Transferring funds from hot wallets.
Gathering usernames and password hashes, and disabling 2FA.
Accessing event logs and searching for any instance where a customer scanned a private key at the ATM; older versions of the ATM software logged this information.
General Bytes warns that their customers and cloud services have been compromised in the attacks: "General Bytes Cloud service as well as independent user servers have been compromised."
The company has revealed the amount of cryptocurrency stolen and a list of the wallet addresses used by the hackers in the attack.
The disclosure shows that the hackers began stealing cryptocurrency from General Bytes Bitcoin ATMs on March 17; the attacker's wallet addresses received 56.28570959 BTC, worth about $1.589 million, and 21.79436191 ETH, worth about $39,000.
Signs of compromise
CAS administrators should quickly check their "master.log" and "admin.log" log files for any suspicious traces the attackers may have left behind while deleting log records to conceal their actions on the device.
General Bytes' report indicates that the uploaded malicious Java applications will appear in the "/batm/app/admin/standalone/deployments/" directory as randomly named .war and .war.deployed files, and that the names may differ for each victim.
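A triage helper for the two file-based indicators above, written as an added example for this article (not General Bytes code): it lists the deployments directory named in the advisory, flags .war and .war.deployed entries that are not on an allowlist of expected artefacts or whose names look randomly generated, and points out a deploy marker left without its .war file. The allowlist contents are a placeholder assumption; populate them from a clean install of your own CAS version.

```python
import os
import re
from pathlib import Path
from typing import Iterable

# Directory named in the General Bytes advisory (the CAS hot-deploy directory).
DEPLOYMENTS_DIR = Path("/batm/app/admin/standalone/deployments")
# Placeholder assumption: fill this from a clean reference install of your CAS version.
KNOWN_ARTEFACTS = {"PLACEHOLDER-legitimate-app.war"}
# File suffixes the advisory says the attacker's uploads use.
SUFFIXES = (".war", ".war.deployed")
# Crude "looks randomly generated" test: one run of 8+ letters/digits, no separators.
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")


def artefact_stem(name: str) -> str:
    """Strip the suffix so foo.war and foo.war.deployed share one stem."""
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def suspicious_deployments(names: Iterable[str],
                           known: Iterable[str] = KNOWN_ARTEFACTS) -> dict:
    """Return {filename: [reasons]} for entries worth a closer look.
    Takes a plain listing so it can be run against a copied directory listing."""
    names = [n for n in names if n.endswith(SUFFIXES)]
    known_stems = {artefact_stem(k) for k in known}
    by_stem: dict = {}
    for n in names:
        by_stem.setdefault(artefact_stem(n), set()).add(n)
    findings: dict = {}
    for n in names:
        stem = artefact_stem(n)
        reasons = []
        if stem not in known_stems:
            reasons.append("not in allowlist of expected artefacts")
        if RANDOM_STEM.match(stem):
            reasons.append("random-looking name, as described in the advisory")
        if n.endswith(".war.deployed") and f"{stem}.war" not in by_stem[stem]:
            reasons.append("deploy marker present without its .war (possible cleanup)")
        if reasons:
            findings[n] = reasons
    return findings


def scan_directory(directory=DEPLOYMENTS_DIR) -> dict:
    """Run the check against a live directory; a missing path yields no findings."""
    directory = Path(directory)
    return suspicious_deployments(os.listdir(directory)) if directory.is_dir() else {}


if __name__ == "__main__":
    for fname, why in sorted(scan_directory().items()):
        print(f"{fname}: {'; '.join(why)}")
```

Treat a hit as a reason to preserve the file and the surrounding logs for investigation, not as proof of compromise on its own.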
Those who do not discover any signs of compromise should still consider changing all their passwords, including their CAS password and API keys.
General Bytes has suspended its cloud service, explaining that "it is theoretically (and practically) impossible" to protect it from bad actors while simultaneously providing access to the service for multiple users.
The company says it will support data migration for those who want to install their own independent CAS, and recommends that users protect these servers with firewalls and VPNs.
General Bytes has also released a security patch for the CAS in versions 20221118.48 and 20230120.44 to address the exploited vulnerability.
Earlier, in August 2022, General Bytes experienced a security incident in which hackers exploited a zero-day vulnerability in their ATM server to steal customers' digital currency.
The company says it is planning to conduct multiple security audits of its products in the future to detect and fix other potential vulnerabilities before bad actors discover them.