Attackers Have Siphoned Cryptocurrency from Bitcoin ATMs
Here’s how attackers targeted Bitcoin ATMs and stole US$1.5 million in cryptocurrency
Unidentified miscreants stole more than US$1.5 million in cryptocurrency from Bitcoin ATMs by exploiting a previously unknown flaw in digital cash delivery systems. The attackers used an interface designed for uploading videos to instead upload a malicious Java application, and then subverted ATM user privileges.
General Bytes, the company that sold the ATMs, also managed some of them through a cloud service.
The attackers stole at least 56 Bitcoin (about US$1.5 million at the time of publication) from crypto wallets. General Bytes released a patch 15 hours after discovering the intrusion, but by then the digital coins had vanished, leaving an unknown number of victims liable for the lost money. The company said its entire team had been working around the clock to collect all data regarding the security breach and was continuously working to resolve all cases, so that clients could get back online and continue to operate their ATMs as soon as possible. Companies that purchased General Bytes ATMs were notified to shut down their systems.
The supplier, headquartered in Prague with a US office in Bradenton, Florida, sells and operates five different models of cryptocurrency ATM, which people use to exchange Bitcoin and other currencies.
General Bytes claims to have sold over 15,000 terminals in 149 countries, supporting over 180 currencies. More than 15.2 million transactions have been processed by the systems. Businesses that purchase the ATMs connect them to a Crypto Application Server (CAS), managed either by the customer or, until recently, by General Bytes via the cloud service provider DigitalOcean. In the weekend breach, the attackers used a vulnerability that had gone undetected despite multiple security audits since 2021.
The attackers scanned DigitalOcean’s IP address space and discovered CAS services listening on port 7741, which included General Bytes’ own cloud service and those of other customers hosting their ATMs on DigitalOcean. Using this vulnerability, the attacker uploaded their own application directly to the application server used by the admin interface, the ATM vendor acknowledged. By default, the application server was configured to start any application placed in its deployment folder. The intruders thereby gained access to the database, read and decrypted API keys for exchanges and hot wallets, and stole digital coins from those wallets. They could also download usernames and password hashes, disable multifactor authentication, look through terminal event logs, and search for instances where users had scanned private keys at terminals.
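The chain described above rests on two weaknesses an operator can watch for: an upload endpoint whose declared type and file name are attacker-controlled, and a server that auto-starts whatever lands in its deployment folder. The following Python script is an added illustration of the defensive checks, not code from the article or from General Bytes. It parses a few constructed access-log lines (the `/admin/video/upload` path, the log layout, and the `10.0.0.0/8` trusted range are all assumptions for the example), flags uploads through the video endpoint that do not look like videos, and separately inspects the bytes of an uploaded file to decide whether it is really a Java archive regardless of what the client claimed.

```python
"""Detection sketch for CAS-style upload abuse (added example, not vendor code).

Assumptions: the upload endpoint path, the log format (Combined Log plus two
quoted fields for content type and file name) and the trusted network range
are all constructed for this example.
"""
import io
import os
import re
import zipfile
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

UPLOAD_PATH = "/admin/video/upload"                    # hypothetical endpoint
TRUSTED_NETS = [ip_network("10.0.0.0/8")]              # assumed operator/VPN range
ALLOWED_VIDEO_EXT = {".mp4", ".webm", ".mov"}
ALLOWED_VIDEO_TYPES = {"video/mp4", "video/webm", "video/quicktime"}

# Constructed sample log: one legitimate upload, two suspicious ones, one GET.
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Mar/2023:02:11:07 +0000] "POST /admin/video/upload HTTP/1.1" 200 512 "video/mp4" "promo.mp4"
203.0.113.9 - - [18/Mar/2023:02:14:31 +0000] "POST /admin/video/upload HTTP/1.1" 200 512 "video/mp4" "update.jar"
203.0.113.9 - - [18/Mar/2023:02:14:40 +0000] "POST /admin/video/upload HTTP/1.1" 200 512 "application/octet-stream" "innocent.mp4"
10.0.0.5 - admin [18/Mar/2023:02:20:00 +0000] "GET /admin/terminals HTTP/1.1" 200 2048 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<ctype>[^"]*)" "(?P<fname>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into named fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def upload_findings(entry: Dict[str, str]) -> List[str]:
    """Reasons an upload through the video endpoint looks wrong (empty if fine)."""
    if entry["method"] != "POST" or entry["path"] != UPLOAD_PATH:
        return []
    reasons = []
    ext = os.path.splitext(entry["fname"])[1].lower()
    if ext not in ALLOWED_VIDEO_EXT:
        reasons.append(f"non-video extension {ext or '(none)'}")
    if entry["ctype"] not in ALLOWED_VIDEO_TYPES:
        reasons.append(f"non-video content type {entry['ctype']}")
    if entry["user"] == "-":
        reasons.append("upload without an authenticated user")
    src = ip_address(entry["ip"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append(f"source {src} outside trusted ranges")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (file name, reasons) for every upload that raised at least one flag."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = upload_findings(entry)
        if reasons:
            hits.append((entry["fname"], reasons))
    return hits


def looks_like_java_archive(data: bytes) -> bool:
    """Inspect bytes, not the declared type: a JAR is a ZIP carrying a manifest
    or .class entries. An MP4 starts with an 'ftyp' box, never 'PK'."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def build_sample_archive() -> bytes:
    """Constructed stand-in for an uploaded archive; contains only a manifest and
    a four-byte class-file magic, no executable code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Sample.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, reasons in scan_log(SAMPLE_LOG):
        print(f"{fname}: {'; '.join(reasons)}")
    print("archive check:", looks_like_java_archive(build_sample_archive()))
```

The two checks are deliberately independent: the log scan catches the cheap signals (wrong extension, wrong content type, no session, untrusted source), while the byte-level check is what a server should run before writing anything into a directory it auto-deploys from, because an attacker controls every field the log scan relies on.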
This is the second such attack on General Bytes; in August 2022, miscreants stole digital coins by exploiting a flaw in the CAS. Hot wallets are a particular issue in the high-risk cryptocurrency market. Wallets would be safer if they were not connected to the internet, but users rely on them for fast transactions, which necessitates connectivity. The entire purpose of hot wallets is to provide an instant ability to make transactions. However, the security of any wallet is directly related to the security of its private key. It’s game over if someone obtains that key, and a key, unlike a physical token, can simply be copied. None of the layers of fraud protection found in conventional finance apply, or can apply, to cryptocurrency.
General Bytes has announced the shutdown of its cloud services, citing the fact that it is theoretically (and practically) impossible to secure a system that grants access to multiple operators at the same time when some of them are bad actors. Customers will now manage their terminals through their own servers. General Bytes will assist businesses in migrating data from the cloud to standalone servers. It also advises customers to keep their CAS behind a firewall and VPN to prevent other attackers from reaching it via the internet.
Customers should also assume that all of their users’ passwords, and their API keys to exchanges and hot wallets, have been compromised.