Cryptocurrency ATM operator General Bytes says a certain vulnerability allowed a hacker to drain around $1.5 million.
The General Bytes team also confirmed that their Cloud servers were breached.
In a blog post, the firm noted that on the night of 17-18 March, it was “the most challenging time for them and some of their clients.”
The entire team has been “working around the clock to collect all data regarding the security breach and is continuously working to resolve all cases to help clients back online and continue to operate their ATMs as soon as possible.”
The firm apologizes “for what happened and will review all their security procedures and are currently doing everything we can to keep our affected customers afloat.”
The General Bytes Cloud service and other standalone servers “run by operators suffered security breaches.”
The firm says they “noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1).”
They notified customers “to shut down their CAS servers as soon as possible.”
The attacker could “upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges.”
As a result, the attacker could “send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch.” The patch was “released within 15 hours.”
Here is what happened:
- The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.
- The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).
- Using this security vulnerability, the attacker uploaded his application directly to the application server used by the admin interface. The application server was, by default, configured to start applications in its deployment folder.
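The upload path described above accepted a Java application through an interface meant for videos. As an added example (not General Bytes code), the check below validates an upload by its leading bytes rather than its file name, rejecting class files and JAR/WAR archives on a video endpoint; the format signatures, file names and sample inputs are constructed for the example.

```python
import io
import zipfile

# Constructed allowlist and signatures for the example; not from the vendor's product.
ALLOWED_EXTENSIONS = {"mp4", "webm", "avi"}
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"


def classify_upload(data: bytes) -> str:
    """Classify an uploaded blob by its content, not by its file name."""
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(ZIP_MAGIC):
        # JAR and WAR files are zip archives; inspect the entry names.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if any(n.endswith(".class") or n.startswith(("META-INF/", "WEB-INF/"))
               for n in names):
            return "java-archive"
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video"  # ISO base media file (MP4/MOV)
    if data.startswith(b"\x1a\x45\xdf\xa3"):
        return "video"  # Matroska/WebM
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "video"  # AVI
    return "unknown"


def validate_video_upload(filename: str, data: bytes):
    """Accept a file only when both its extension and its content are video."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    kind = classify_upload(data)
    if kind != "video":
        return False, f"content is {kind}, not video"
    return True, "ok"


def make_sample_jar() -> bytes:
    """Constructed minimal JAR-like archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("App.class", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")
    return buf.getvalue()
```

A renamed archive (`clip.mp4` that is really a JAR) is rejected on content, and a genuine video with a disallowed extension is rejected on name.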
As mentioned in the update, the firm “concluded multiple security audits since 2021, and none of them identified this vulnerability.”
This resulted in the following:
- Ability to access the database.
- Ability to read and decrypt API keys to access funds in hot wallets and exchanges.
- Ability to send funds from hot wallets.
- Ability to download user names and their password hashes and turn off 2FA.
- Ability to access terminal event logs and scan for any instance where customers scanned private keys at the ATM. Older versions of the ATM software were logging this information.
General Bytes is “closing its cloud service.”
From now on, all of their customers will “manage their ATMs using their stand-alone servers.”
They have already “provided customers with instructions and guidance on migration, and we hope they understand it’s better for all of us.”
They are “collecting data from their clients to validate all the losses; along with internal investigation, they will cooperate with authorities to do everything we can to identify the perpetrator.”
Even though they have conducted multiple security audits since 2021, this vulnerability “has been undiscovered in their product since version 20210401.”
The firm also mentioned:
“We would like to conduct asap multiple independent security audits of our product as we see now the importance of having various audits by several companies.”
For more details on this update, check here.