Bitcoin ATMs sold and managed by General Bytes were hacked by attackers who abused an interface designed for uploading videos to inject a malicious Java payload that, on March 17, stole at least 56 Bitcoin (roughly $1.5 million at the time of writing) from crypto wallets. The first signs of the intrusion were discovered on March 18, and General Bytes issued a patch fixing the vulnerability within 15 hours, but an unknown number of crypto owners had already lost their funds by then.
General Bytes sold these ATMs and monitored some of them through a cloud service. According to the company’s official statement, the attacker(s) identified a vulnerability in the master service interface that Bitcoin ATMs use to upload videos to the server. The attacker then scanned the Digital Ocean cloud hosting IP address space and identified CAS services running on port 7741. These included the General Bytes Cloud service as well as other ATM operators running their own servers on Digital Ocean.
Finally, by exploiting the vulnerability, the attacker was able to upload a custom application directly to the application server used by the admin interface. Because the application server was configured by default to start any application placed in its deployment folder, the attacker gained BATM access and the ability to transfer funds from hot wallets.
Overall, exploiting the now-patched vulnerability gave the attacker the ability to do the following tasks:
- Access databases
- Read and decrypt API keys to access funds in hot wallets and exchanges
- Transfer funds from hot wallets
- Download usernames and password hashes and turn off 2FA
- Access terminal event logs and scan for instances where customers scanned private keys at the ATM. This information was logged by an older version of the ATM firmware.
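The deployment-folder behaviour described above is the root of the impact: anything an attacker can drop into the folder becomes a running application with the server's privileges. As an added illustration of the defensive check that implies (example code written for this article, not General Bytes' own software; the folder layout, file types and hash allowlist are constructed assumptions), the following Python audits a hot-deploy directory and reports any deployable artifact the operator did not build:

```python
"""Added example (not General Bytes code): audit an application server's
auto-deploy folder for artifacts that are not on an operator allowlist.

Assumptions (constructed for illustration): the server deploys any archive
dropped anywhere under the deploy directory; operators keep a SHA-256
allowlist of the artifacts they built themselves. Anything else is reported.
"""
import hashlib
import tempfile
from pathlib import Path

# File extensions that the hypothetical server treats as deployable applications.
DEPLOYABLE_SUFFIXES = {".war", ".jar", ".ear"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_artifacts(deploy_dir, allowlist):
    """Return deployable files under deploy_dir whose hash is not in allowlist.

    allowlist: set of SHA-256 hex digests of operator-built artifacts.
    Each finding is a (path relative to deploy_dir, sha256) tuple. Subfolders
    are included because hot-deploy servers typically scan them too.
    """
    root = Path(deploy_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in DEPLOYABLE_SUFFIXES:
            continue
        digest = sha256_of(path)
        if digest not in allowlist:
            findings.append((path.relative_to(root).as_posix(), digest))
    return findings


def build_demo_deploy_dir():
    """Construct a throwaway deploy folder: one approved app and one planted one.

    Returns (deploy_dir, allowlist). The archives are constructed placeholder
    bytes, not real Java applications.
    """
    root = Path(tempfile.mkdtemp(prefix="deploy-demo-"))
    approved = root / "admin-ui.war"
    approved.write_bytes(b"PK\x03\x04 constructed approved archive")
    uploads = root / "uploads"
    uploads.mkdir()
    planted = uploads / "harmless-looking.war"
    planted.write_bytes(b"PK\x03\x04 constructed unexpected archive")
    # A non-deployable file should be ignored even though it is not allowlisted.
    (uploads / "promo.mp4").write_bytes(b"constructed video payload")
    allowlist = {sha256_of(approved)}
    return root, allowlist


if __name__ == "__main__":
    deploy_dir, allowlist = build_demo_deploy_dir()
    for rel, digest in find_unexpected_artifacts(deploy_dir, allowlist):
        print(f"UNEXPECTED deployable: {rel} sha256={digest}")
```

Run it periodically (or from a file-change watcher) against the real deployment folder with the allowlist generated at build time; an alert on any unexpected archive catches an uploaded application before, or shortly after, the server starts it. The stronger fix remains disabling automatic deployment from a writable folder altogether.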
The company further added that it has conducted several security audits since 2021, none of which revealed the vulnerability. It asked customers to shut down their CAS servers as soon as possible, since the attacker could upload an application remotely via the master service interface, and strongly advised against restarting them before applying the recommended security fixes.
This is General Bytes’ second breach in seven months. Moving forward, the company is shuttering its cloud service and asking clients to manage their own ATMs on their own standalone servers. Customers have already been given instructions and guidance on the migration, with the company hoping they “understand it’s better for all of us”. General Bytes is also collecting data from its clients to validate losses and is running an internal investigation.