General Bytes Bitcoin ATMs Hacked to Steal Funds

A leading provider of Bitcoin ATMs is urging clients to upgrade their systems immediately after revealing hackers exploited a zero-day vulnerability in its software last weekend to steal funds.

General Bytes explained in an advisory that the bug itself was found in the master service interface used by Bitcoin ATMs to upload videos to the server.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS [Crypto Application Server] services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider),” it continued.

“Using this security vulnerability, [the] attacker uploaded his own application directly to [an] application server used by [the] admin interface. Application server was by default configured to start applications in its deployment folder.”

After uploading the Java app to the master service interface used by the ATMs, the threat actor was able to perform a range of actions including:

  • Accessing the database
  • Reading and decrypting API keys used to access funds in hot wallets and exchanges
  • Sending funds from hot wallets
  • Downloading usernames and password hashes and switching off two-factor authentication
  • Accessing terminal event logs and scanning for any instance where customers scanned private keys at the ATM

General Bytes said that, as well as other operators’ standalone servers, its own cloud service was breached by its attackers.

It urged any ATM operator to immediately patch their CAS software and consider all users’ CAS passwords and API keys to exchanges and hot wallets to have been compromised. As a result, they should reset passwords and generate new API keys/invalidate the old ones.

Read more on cryptocurrency ATMs: FCA: Crypto ATMs Are Illegal in the UK.

General Bytes is shutting its cloud service as a result of the attack.

“It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors. You’ll need to install your own standalone server. GB support will provide you with help you to migrate your data from the GB Cloud to your own standalone server,” it explained.

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN.  With VPN/Firewall, attackers from [the] open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system.”

General Bytes missed the zero-day bug despite claiming to have conducted “multiple security audits” since 2021.