Bitcoin ATM maker General Bytes revealed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software.
“The attacker was able to remotely upload his own java application via the main service interface used by terminals to upload videos and run it using ‘batm’ user privileges,” the company said in a warning published over the weekend.
“The attacker scanned the Digital Ocean cloud host’s IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean,” it further added.
The company said the server to which the malicious Java application was uploaded was configured by default to launch applications found in the deployments folder (“/batm/app/admin/standalone/deployments/”).
By doing this, the attack allowed the threat actor to gain access to the database; read and decrypt API keys used to access funds in hot wallets and exchanges; send funds from wallets; download usernames, password hashes and turn off two-factor authentication (2FA); and even access to terminal event logs.
It also warned that its own cloud service as well as other operators’ standalone servers were infiltrated as a result of the incident, prompting the company to shut down the service.
In addition to encouraging customers to keep their crypto application servers (CAS) behind a firewall and a VPN, it is also recommended to rotate all users’ passwords and API keys to exchanges and hot wallets.
“The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44,” General Bytes said in the announcement.
The company further emphasized that it had conducted several security audits since 2021, and that none of them flagged this security issue. It appears to have been unpatched since version 20210401.
Discover the hidden dangers of third-party SaaS apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize your risk.
RESERVE YOUR SEAT
General Bytes did not disclose the exact amount stolen by the hackers, but an analysis of the cryptocurrency wallets used in the attack reveals the receipt of 56,283 BTC ($1.5 million), 21,823 ETH ($36,500) and 1,219,183 LTC ($96,000). .
The ATM hack is the second breach targeting General Bytes in less than a year, with another zero-day flaw in its ATM servers being exploited to steal crypto from customers in August 2022.
