Major crypto ATM manufacturer General Bytes has disclosed a security breach in which attackers stole over $1.5 million in cryptocurrency using a zero-day vulnerability in its software.
The incident took place on March 17-19, the crypto ATM manufacturer said.
According to a security advisory published by General Bytes, the threat actor remotely uploaded a malicious Java application via the master service interface used by terminals to upload videos, and ran it with batm user privileges. This allowed the attacker to access the database; read and decrypt the API keys used to access funds in hot wallets and exchanges; steal funds from hot wallets; download user names with their password hashes and turn off two-factor authentication; and access terminal event logs and scan them for any instance where a customer scanned a private key at the ATM.
The company describes the attack scheme as follows:
1. The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.
2. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean.
3. Using this security vulnerability, the attacker uploaded their own application directly to the application server used by the admin interface. The application server was, by default, configured to start applications in its deployment folder.
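The third step depends on the application server auto-starting whatever lands in its deployment folder, so an unexpected artifact appearing there is the signal a defender wants to catch. The script below is an added example, not code from General Bytes or its advisory: it baselines the deployable artifacts (jar/war/ear files) in a deployment directory by SHA-256 and reports anything added, modified or removed since the baseline. The deployment path and the file names used in the demo are constructed placeholders, and the assumption that auto-deployment is driven by files dropped into one directory is taken from the advisory's description rather than from any product documentation.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact types a Java application server will typically auto-deploy (assumption).
DEPLOYABLE_SUFFIXES = {".jar", ".war", ".ear"}


def snapshot(deploy_dir):
    """Return {relative_path: sha256_hex} for every deployable artifact under deploy_dir."""
    root = Path(deploy_dir)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in DEPLOYABLE_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def diff_snapshots(baseline, current):
    """Classify artifacts as added, modified or removed relative to an approved baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Run the check against a constructed deployment folder and return the findings.

    The folder contents are constructed for the example: one approved artifact is
    baselined, then a new artifact appears, mirroring an upload into the auto-deploy
    directory. A non-deployable text file is also written to show it is ignored.
    """
    with tempfile.TemporaryDirectory() as d:
        deploy = Path(d)
        (deploy / "approved-app.war").write_bytes(b"constructed approved artifact")
        baseline = snapshot(deploy)

        # Something new lands in the folder after the baseline was taken.
        (deploy / "unexpected.jar").write_bytes(b"constructed unexpected artifact")
        (deploy / "notes.txt").write_bytes(b"not a deployable artifact, ignored")

        return diff_snapshots(baseline, snapshot(deploy))


if __name__ == "__main__":
    findings = demo()
    for kind, paths in findings.items():
        for p in paths:
            print(f"{kind.upper()}: {p}")
```

In practice the baseline would be stored outside the server (and the check run from a scheduled job or a file-integrity monitor) so that a compromise of the batm account cannot also rewrite the reference hashes.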
General Bytes noted that it has conducted multiple security audits since 2021 and none of them revealed the zero-day vulnerability exploited in this attack. The company said it shut down its cloud service because “it is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors.”
Last August, General Bytes suffered a similar incident, in which threat actors made off with cryptocurrency by exploiting a zero-day bug in General Bytes Bitcoin ATM servers.