A leading Bitcoin ATM provider is urging clients to upgrade their systems immediately after it was revealed last weekend that hackers exploited a zero-day vulnerability in its software to steal funds.
In an advisory, General Bytes explained that the bug itself was found in the master service interface used by Bitcoin ATMs to upload videos to their servers.
“The attackers scanned the Digital Ocean Cloud hosting IP address space and identified CAS [Crypto Application Server] services running on port 7741, including the General Bytes Cloud service and other GB ATM operators running servers on Digital Ocean (our preferred cloud hosting provider).
“Using this security vulnerability, [the] attacker uploaded his application directly [to the] application server used by [the] management interface. The application server was configured by default to launch applications in the deployed folder.”
After uploading a Java app to the master service interface used by the ATMs, the attacker was able to perform various actions, including:
- Accessing the database
- Reading and decrypting the API keys used to access funds in hot wallets and exchanges
- Sending funds from hot wallets
- Downloading usernames and password hashes and disabling two-factor authentication
- Accessing terminal event logs and scanning for instances where customers had scanned private keys at ATMs
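The root cause described above is an application server that launches whatever lands in its deploy folder. One defensive control an operator can run on such a host is an allowlist audit of that folder: compare the deployable artifacts on disk against a manifest of expected SHA-256 digests and report anything unknown, altered or missing. The following is an added example, not General Bytes code; the deploy directory, the artifact names and the manifest are all constructed for the demonstration.

```python
"""Allowlist audit for an application server's auto-deploy folder.

Added example, not General Bytes code. Assumption: the application server
launches any deployable dropped into the deploy directory, and the operator
keeps a manifest {filename: sha256} of the artifacts that belong there.
"""
import hashlib
import tempfile
from pathlib import Path

# Artifact types a Java application server will typically auto-deploy.
DEPLOYABLE_SUFFIXES = {".war", ".jar", ".ear"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_deploy_dir(deploy_dir: Path, manifest: dict) -> dict:
    """Compare the deploy folder against the manifest.

    Returns {"unexpected": [...], "modified": [...], "missing": [...]}:
      unexpected - deployables on disk that are not in the manifest
      modified   - manifest entries present but with a different digest
      missing    - manifest entries that are not on disk
    Only regular files with a deployable suffix are considered; logs and
    other files in the folder are ignored because the server does not launch them.
    """
    report = {"unexpected": [], "modified": [], "missing": []}
    seen = set()
    for entry in sorted(deploy_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in DEPLOYABLE_SUFFIXES:
            continue
        seen.add(entry.name)
        expected = manifest.get(entry.name)
        if expected is None:
            report["unexpected"].append(entry.name)
        elif sha256_of(entry) != expected:
            report["modified"].append(entry.name)
    report["missing"] = [name for name in manifest if name not in seen]
    return report


def demo() -> dict:
    """Build a constructed deploy folder in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        deploy = Path(tmp)
        # Constructed artifacts: one legitimate, one tampered, one unknown upload.
        (deploy / "cas-admin.war").write_bytes(b"constructed legitimate artifact")
        (deploy / "cas-api.war").write_bytes(b"constructed artifact, tampered")
        (deploy / "upload-7f3a.war").write_bytes(b"constructed unknown upload")
        (deploy / "server.log").write_text("not a deployable, ignored\n")
        manifest = {
            "cas-admin.war": hashlib.sha256(b"constructed legitimate artifact").hexdigest(),
            "cas-api.war": hashlib.sha256(b"constructed original artifact").hexdigest(),
            "cas-reports.war": "0" * 64,  # listed in the manifest but absent on disk
        }
        return audit_deploy_dir(deploy, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Run from cron or a file-integrity job, a non-empty `unexpected` or `modified` list is the signal to investigate before the server has a chance to launch the artifact; the manifest itself should live outside the deploy folder so that whoever can write there cannot also rewrite the allowlist.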
General Bytes says its cloud services, as well as other operators’ standalone servers, have been compromised by attackers.
It urged ATM operators to patch their CAS software immediately and to treat all users’ CAS passwords and API keys to exchanges and hot wallets as compromised. As a result, operators will need to reset passwords and either generate new API keys or revoke their old ones.
General Bytes is shutting down its cloud services as a result of the attack.
“It is theoretically (and practically) impossible to secure a system that allows access to multiple operators simultaneously. You would have to install your own standalone server. It helps you migrate your data from the cloud to your own standalone server.”
“Keep the CAS behind a firewall and VPN. Your device should also be connected to the CAS via VPN. With a VPN/firewall in place, the open internet cannot access and exploit servers. If your server is compromised, reinstall the entire server, including the operating system.”
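A quick way for an operator to verify the advice above is to confirm that the CAS port is not bound to a wildcard address reachable from the internet. The check below is an added example, not General Bytes code: it parses `ss -ltn`-style output (a constructed sample is embedded) and flags any listener on the advisory’s port 7741 whose bind address is not the assumed VPN interface address 10.8.0.1.

```python
"""Flag CAS listeners that are reachable from outside the VPN.

Added example, not General Bytes code. Assumptions: the CAS service listens
on TCP 7741 (the port named in the advisory) and the only address it should
bind to is the VPN interface, taken here as 10.8.0.1 (constructed value).
"""

CAS_PORT = 7741

# Constructed `ss -ltn` output: sshd is bound to the VPN address, the CAS
# port is bound to the IPv4 and IPv6 wildcards, and Postgres is loopback-only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.8.0.1:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:7741         0.0.0.0:*
LISTEN  0       4096    [::]:7741            [::]:*
LISTEN  0       511     127.0.0.1:5432       0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> list:
    """Return [(bind_address, port)] for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = fields[3]
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 colons
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_cas_listeners(ss_output: str, allowed_addrs, port: int = CAS_PORT) -> list:
    """Listeners on the CAS port whose bind address is not in the allowed set.

    A wildcard bind (0.0.0.0 or ::) is never in the allowed set, so it is
    always reported; so is any concrete address other than the VPN interface.
    """
    allowed = set(allowed_addrs)
    return [(addr, p) for addr, p in parse_listeners(ss_output)
            if p == port and addr not in allowed]


if __name__ == "__main__":
    for addr, port in exposed_cas_listeners(SAMPLE_SS_OUTPUT, {"10.8.0.1"}):
        print(f"CAS port {port} is bound to {addr}: reachable beyond the VPN")
```

On a live host, replace the constructed sample with the real output of `ss -ltn`. An empty result means the service is bound only to the VPN address; the host firewall should still drop unsolicited traffic to the port on every other interface, since a later configuration change can silently rebind the service to the wildcard.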
General Bytes missed a zero-day bug despite claiming to have conducted “multiple security audits” since 2021.