General Bytes, a leading Bitcoin ATM manufacturer, revealed that hackers exploited a zero-day vulnerability in its BATM management platform to steal cryptocurrency from the company and its customers. The company makes Bitcoin ATMs that allow users to buy or sell more than 40 cryptocurrencies, and customers can deploy their ATMs using standalone management servers or General Bytes cloud service.
The zero day vulnerability attack
The company reported that hackers used a zero-day vulnerability known as BATM-4780 to upload a Java application via the ATM’s master service interface and run it with ‘batm’ user privileges. The attacker scanned the Digital Ocean cloud hosting IP address space to identify running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean, which is the recommended cloud hosting provider. The hackers were then able to perform various actions on the compromised devices.
The stolen cryptocurrency is worth approximately $1.5 million, and the attacker’s Bitcoin address received 56.28570959 BTC and 21.79436191 Ethereum. Although the Bitcoin wallet still contains the stolen cryptocurrency, the attackers converted the Ethereum into USDT using Uniswap.
Response to zero day vulnerability attack
General Bytes has urged its customers to take immediate action and install the latest updates to protect their servers and funds from attackers. The company has also released a CAS security fix that addresses the exploited vulnerability, provided in two patches, 20221118.48 and 20230120.44. The company’s report also warned that malicious JAVA applications would appear in the “/batm/app/admin/standalone/deployments/” folder as random-named .war and .war.deployed files, and those without signs of a breach should consider all their CAS passwords and API keys compromised and immediately invalidate them and generate new ones.
Data migration
The company is also providing support with data migration to those who would like to install their own standalone CAS, which should now be placed behind a firewall and VPN. General Bytes has announced the shuttering of its cloud service, stating that it is “theoretically (and practically) impossible” to secure it from bad actors when it must simultaneously provide access to multiple operators.
The company will also conduct numerous security audits of its products by multiple companies in a short period to discover and fix other potential flaws before bad actors find them. General Bytes warns that although the breached system underwent multiple security audits since 2021, none identified the exploited vulnerability.
Recap
The recent hack of General Bytes Bitcoin ATMs highlights the critical need for security measures in the cryptocurrency industry. With the increasing use of cryptocurrencies, hackers are becoming more sophisticated, and companies must prioritize security measures to protect their customers’ funds. The incident also emphasizes the importance of regular security audits and updates to prevent zero-day vulnerabilities from being exploited. General Bytes’ response to the attack, including the release of security patches and the shuttering of its cloud service, demonstrates the importance of swift and decisive action in the face of a security breach. The company’s decision to conduct numerous security audits by multiple companies in a short period further highlights its commitment to ensuring the security of its products and customers.
