General Bytes crypto ATMs hacked

icon BTC
icon ETH
Photo - General Bytes crypto ATMs hacked
General Bytes (GB), a well-known manufacturer of cryptocurrency ATMs, recently reported that their cloud platform had been hacked. The attacker installed malicious software, gaining access to user assets and stealing over $1.6 million worth of BTC and ETH.
According to General Bytes’ security bulletin, the attacker discovered the security vulnerability, which allowed them to remotely upload their Java applications onto the company's crypto ATMs. This gave the attacker access to user information and other sensitive data and enabled them to steal cryptocurrency from hot wallets. In response to the incident, the company has halted the operation of its cloud service. However, it's worth noting that ATMs connected to third-party servers remain vulnerable to similar attacks.
The hacker gained the ability to access the database; read and decrypt API keys used to access funds in hot wallets and exchanges; send funds from hot wallets; download user names, their password hashes, and turn off 2FA
reported General Bytes founder Karel Kyovsky.

Details of the attack on General Bytes

The attacker exploited a zero-day security flaw (tracked as BATM-4780 within the company), gaining access to the network through the BATM crypto ATM management platform.

According to the bulletin, the hacker scanned the IP addresses of the Digital Ocean cloud hosting (used by General Bytes) and identified running CAS (Crypto Application Server) services on ports 7741, including General Bytes Cloud service and other GB ATM operators.

The hacker was able to remotely upload a Java app via the master service interface used by terminals to upload videos and run it using batm user privileges. This allowed them to gain unauthorized access to the CAS server. By default, the CAS application server is configured to automatically start applications from a specific "default" directory.

Company's response

In response to the attack, General Bytes representatives immediately took to Twitter to urge partners and agents using GB cryptocurrency ATMs to take prompt action and install the latest updates. These updates were swiftly developed to safeguard servers and assets against malicious attacks.

Once the Java program was uploaded, the hackers were able to perform the following actions on compromised devices:

  • Access the database;
  • Read and decrypt API keys used to access funds in hot wallets and exchanges;
  • Send funds from hot wallets;
  • Download usernames, password hashes, and turn off 2FA;
  • Access terminal event logs and scan for any instance where customers scanned private keys at the ATM. Older versions of ATM software were logging this information.

The company not only revealed the stolen amount but also released a list of cryptocurrency wallet addresses that were used during the attack. According to General Bytes, the attacker initiated the withdrawal of cryptocurrency from the Bitcoin ATM servers as early as March 17th and received over 56 BTC, valued at around $1.589 million, and over 21 ETH, worth almost $39,000 at current exchange rates.

Even though the hacker still holds the stolen cryptocurrency in their wallets, they can easily exchange it for other assets using any DEX like Uniswap or a crypto mixer.

Cloud service shutdown

Representatives from General Bytes have announced that the company is shutting down its cloud service. They stated that it’s virtually impossible to fully protect the service from hacker attacks while still providing access to multiple operators.

Instead, all clients will be migrated to their own independent CAS servers, rather than relying on a centralized solution.

The company will offer assistance with data migration for partners and agents who have opted to set up their own autonomous CAS. These servers must be put behind a firewall and VPN to ensure security.

General Bytes acted swiftly and released two sets of updates (patches) (20221118.48 and 20230120.44) within a remarkable 15-hour timeframe, effectively addressing the identified vulnerability in the CAS security.

The company is working to gather data from affected customers to verify financial losses. They are also cooperating with law enforcement agencies to help identify the perpetrator.

According to information from General Bytes, the company plans to conduct numerous security checks on its products and services in the near future to detect and address any potential vulnerabilities before they can be exploited by malicious actors.

This is a very wise and timely response!

About the company

General Bytes is a leading global manufacturer of crypto ATMs based in Prague, Czech Republic, with offices in the United States, United Kingdom, Estonia, and Panama. The company has owned and operated over 13,700 ATMs in 143 countries since 2013, allowing users to purchase over 40 different crypto assets with cash or payment cards.