General Bytes Bitcoin ATM Hit by Zero Day Bug

November 15, 2023

General Bytes Bitcoin ATM hit by zero-day bug. Stay updated on the security implications and the actions needed to protect your crypto assets. Bitcoin ATM manufacturer General Bytes was hacked, with attackers siphoning off cryptocurrency worth about $1.5 million. This happened after a zero-day flaw in the ATM's server was exploited.

The attackers uploaded a Java application through the master service interface, which is intended to let ATMs upload videos, and ran it with "batm" user privileges. This allowed them to access the ATM's database, read and decrypt encrypted API keys, download usernames and password hashes, and turn off two-factor authentication.

Using a Zero-Day Vulnerability to Steal Cryptocurrency

A zero-day vulnerability is a flaw in software or hardware that attackers know about but the vendor responsible for fixing it does not. Attackers exploit the flaw to compromise programs, data, or other computers. Once an attacker discovers a zero-day vulnerability, they can use it to steal information or money before the vendor ships a fix.

When a security flaw is discovered, it’s often disclosed to the software developer by an ethical hacker or white hat. The white hat can choose to privately disclose the flaw to the software maker, allowing them to fix it before criminal hackers take advantage of it. However, the white hat can also decide to sell the vulnerability to the criminal underground for profit.

Once an attacker finds a zero-day bug, they can exploit it to steal the information or money that the victim intended to transfer. This is why it's so important to only connect to trusted Wi-Fi networks and to keep all software and devices updated.

This week, a cryptocurrency ATM producer was attacked by hackers who took control of its servers and siphoned off 56 bitcoin, worth more than $1.5 million at current prices. The hackers used a zero-day flaw in the company's Crypto Application Server (CAS) to gain access to its customers' bitcoin wallets and drain their funds.

The attack succeeded because the hackers were able to create a default admin user via the CAS administrative interface. They then tampered with the preset "buy," "sell," and "invalid transaction address" settings to redirect deposited cryptocurrency to their own wallets.

General Bytes believes the attacker scanned the internet for exposed servers, including those hosted by Digital Ocean and on its own cloud service. Once they found an open port, they added a default administrator user named "gb" to the CAS. They then tampered with the CAS's "buy" and "sell" crypto settings so that any cryptocurrency sent to the machine was directed to their own wallets.
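An operator auditing a CAS after an incident like this would want to check for exactly the indicators described above: an admin account that was never provisioned, two-factor authentication switched off, and terminal "buy", "sell" or "invalid transaction address" settings pointing at wallets the operator does not own. The following is an added example, not General Bytes code; it assumes a hypothetical JSON export of the admin list and terminal settings, and every field name and sample value in it is constructed for illustration.

```python
"""Post-incident audit of a hypothetical CAS settings export (added example)."""
import json

# Constructed sample export: field names are invented, and the "gb" account plus the
# redirected "invalid transaction address" mirror the indicators in the article.
SAMPLE_EXPORT = json.dumps({
    "admins": [
        {"username": "operator1", "created": "2021-06-01", "two_factor": True},
        {"username": "gb", "created": "2023-03-18", "two_factor": False},
    ],
    "terminals": {
        "TERMINAL-A": {
            "buy_address": "bc1qoperatorwallet000",
            "sell_address": "bc1qoperatorwallet000",
            "invalid_tx_address": "bc1qunknownwallet999",
        },
    },
})

# The operator's own records of who should have admin access and which wallets are theirs.
EXPECTED_ADMINS = {"operator1"}
OPERATOR_WALLETS = {"bc1qoperatorwallet000"}
WALLET_FIELDS = ("buy_address", "sell_address", "invalid_tx_address")


def audit_cas_export(export_json, expected_admins, operator_wallets):
    """Return a list of (severity, message) findings for the given export."""
    data = json.loads(export_json)
    findings = []

    # Any admin not on the operator's list is a compromise indicator, not a config drift.
    for admin in data.get("admins", []):
        name = admin.get("username", "<missing>")
        if name not in expected_admins:
            findings.append(("critical", f"unexpected admin account '{name}'"))
        if not admin.get("two_factor", False):
            findings.append(("high", f"two-factor authentication disabled for '{name}'"))

    # Every payout address must belong to the operator; anything else diverts deposits.
    for terminal_id, settings in data.get("terminals", {}).items():
        for field in WALLET_FIELDS:
            address = settings.get(field)
            if address and address not in operator_wallets:
                findings.append(
                    ("critical", f"{terminal_id}: {field} points to unknown wallet {address}")
                )
    return findings


if __name__ == "__main__":
    for severity, message in audit_cas_export(SAMPLE_EXPORT, EXPECTED_ADMINS, OPERATOR_WALLETS):
        print(f"[{severity}] {message}")
```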

This is a common way for hackers to gain access to a person’s computer and steal their private keys and funds. Once the hackers have your private keys, they can spend your bitcoins and steal other types of cryptocurrency as well. This is why you should only trust the most secure cryptocurrency exchanges.

General Bytes’ Servers Exploited

Over the weekend, hackers exploited an unpatched vulnerability in servers at crypto ATM manufacturer General Bytes to steal digital coins from its customers. The company, one of the three largest crypto ATM manufacturers in the world, disclosed that attackers stole about $1.5 million worth of cryptocurrency from a number of its ATMs. The company believes the hackers exploited a weakness in its BATM management platform.

Specifically, the attack used a zero-day bug in the ATMs' master service interface on port 7741, which is designed for uploading videos. The hackers were able to remotely upload a Java application and run it with "batm" user privileges. This gave them access to the ATMs' database, API keys, hot wallets, and other information, including usernames and password hashes.

Once the hacker had access to this information, they could tamper with the ATMs’ buy and sell settings to channel incoming cryptocurrency into their own wallets. This is what caused the heist of around 56 bitcoin, or about $1.5 million, from the affected machines.

The hack also gave the hackers the ability to access a number of user accounts and change their passwords to gain control of them. It’s unclear how many users were impacted by this security breach, but General Bytes says that it is notifying all of its customers who operate the machines.

General Bytes is now shuttering its cloud service and advising all ATM owners to install their own standalone CAS servers, which it suggests should be placed behind a firewall and VPN. It’s also providing support with data migration for those who would like to do this.

This hack serves as a reminder that even a business with a strong security program can be breached by an attacker who finds a way in and steals digital currency or other valuable data. That is why it is critical to stay up to date with all patches and updates and to conduct regular security audits. It is also important to keep your cryptocurrency separate from the rest of your personal assets, so that in the event of a breach you can limit the impact.

General Bytes Discloses the Security Breach

A Czech-based company that claims to be the world’s largest crypto ATM manufacturer has disclosed a security breach involving its machines. According to a company statement published on March 18 that was updated later, hackers were able to exploit a zero-day vulnerability in its ATM software to steal $1.5 million worth of cryptocurrency from customers who used the ATMs to exchange cash for bitcoin and other digital assets.

The hackers were able to exploit the ATM management platform, called BATM, by remotely uploading a Java application through the master service interface and running it with "batm" user privileges. This allowed them to access the database and read and decrypt API keys that could be used to access funds on exchanges and in "hot" cryptocurrency wallets. Additionally, the attackers were able to download usernames and password hashes, access terminal event logs, and turn off two-factor authentication.

General Bytes is urging its customers to take measures to protect themselves against future attacks. It has released patches for its ATM software that should be installed on both the ATM server (CAS) and terminals themselves. The company also recommends that users of its ATMs keep their CAS servers behind a firewall and VPN.

Karel Kyovsky, the CEO of General Bytes, noted that he was “very disappointed” by the attack and apologized for any inconvenience caused to the customers. However, he added that he is confident the company can secure its products from such attacks in the future. “We’ve concluded multiple security audits since 2021 and none of them identified the vulnerable mechanism,” he said.

It is not the first time that General Bytes has been the victim of a security breach, either. Hackers were able to gain control of its servers in August 2022 and make changes that would allow them to steal cryptocurrency. It has long been recommended by cybersecurity experts that bitcoin users avoid using internet-connected wallets, or “hot” wallets, in favor of cold wallets, which are stored offline.

The zero-day vulnerability exploited by the hackers is tracked as BATM-4780, and is part of a larger set of vulnerabilities that affects many different platforms, including Android devices. The exploit can be used to target a wide range of applications, from banking to gaming and social media. It can be used by threat actors who support cyber warfare or for financial gain, as well as by hacktivists and activists seeking to promote their causes.

General Bytes Closes its Cloud Service

Bitcoin ATM manufacturer General Bytes recently shut down its cloud service and urged all operators to use standalone servers following the discovery of a security vulnerability that allowed an attacker to steal crypto. The company said that the hacker was able to remotely upload and run a Java application via the master service interface into its terminals that allowed them to access user information and funds stored in hot wallets.

According to the notice posted by Karel Kyovsky, the founder of the Czech-based firm, the attack succeeded because the malicious application allowed the attackers to access the server's database; read and decrypt API keys that give access to exchange accounts and hot wallets; download usernames and password hashes; turn off two-factor authentication; and search terminal event logs for instances where customers had scanned a private key at an ATM (which older versions of the General Bytes software logged). On-chain transactions indicate that 56 BTC in total was stolen from about 15 ATM operators.

The attack happened on March 17-18 and exploited a vulnerability in the master service interface. The attacker scanned for CAS servers hosted on Digital Ocean, which General Bytes recommends its customers use to host their ATMs (it also offers standalone management). The attackers then inserted their malicious Java application, which ran on the server when logged in as admin. By default, the server was configured to start applications placed in its deployment folder, which the attacker took advantage of.

In the notice, General Bytes said that while the attack could have been prevented by properly configuring a dedicated IP address for the CAS server, the attacker used a publicly reachable IP address to gain access. The company advised all impacted ATM owners to treat their passwords, API keys for hot wallets, and accounts on cryptocurrency exchanges as compromised and to change their credentials.

While the amount stolen was relatively small, it was still an unpleasant surprise for the General Bytes community. The company has since issued a security fix for the ATM’s Crypto Application Server and urged all ATM operators to install the patches. It also encouraged them to keep CAS and their ATMs behind a firewall and VPN.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
