Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software.
"The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company said in an advisory published over the weekend.
"The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean," it further added.
The company said that the server to which the malicious Java application was uploaded was by default configured to start applications present in the deployment folder ("/batm/app/admin/standalone/deployments/").
In doing so, the attack allowed the threat actor to access the database; read and decrypt API keys used to access funds in hot wallets and exchanges; send funds from the wallets; download usernames, password hashes, and turn off two-factor authentication (2FA); and even access terminal event logs.
General Bytes, according to its website, has sold more than 15,137 terminals in 149 countries. It supports over 180 fiat currencies and has collectively performed nearly 22.6 million transactions worldwide.
The BATMs are designed to connect to a crypto application server (CAS), which are either managed by the customer or by the company itself on the cloud via infrastructure provided by DigitalOcean.
It also warned that its own cloud service as well as other operators' standalone servers were infiltrated as a result of the incident, prompting the company to shutter the service.
In addition to urging customers to keep their crypto application servers (CASs) behind a firewall and a VPN, it's also recommending to rotate all users' passwords and API keys to exchanges and hot wallets.
"The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44," General Bytes said in the advisory.
The company further emphasized that it had conducted multiple security audits since 2021 and that none of them flagged this vulnerability. It appears to have been unpatched since version 20210401.
General Bytes did not disclose the exact amount of funds stolen by the hackers, but an analysis of the cryptocurrency wallets used in the attack reveals the receipt of 56.283 BTC ($1.5 million), 21.823 ETH ($36,500), and 1,219.183 LTC ($96,500).
The ATM hack is the second breach targeting General Bytes in less than a year, with another zero-day flaw in its ATM servers exploited to steal crypto from its customers in August 2022.
