General Bytes – The maker of Bitcoin ATMs has confirmed that an attacker exploited a zero-day security flaw in its Crypto Application Server (CAS) software and was able to upload a Java application that gave him access to customers’ hot wallets.
Zero-Day Security Flaw in General Bytes Bitcoin ATMs.
The company has confirmed that the attacker uploaded his own Java application remotely through the master service interface that terminals use to upload videos, and ran it with the privileges of the “batm” user. The attacker scanned Digital Ocean’s cloud hosting IP address space to identify exposed CAS service ports, which enabled him to reach General Bytes’ other services running on Digital Ocean.
General Bytes further revealed that the server to which the attacker uploaded the Java application was, by default, configured to run any application placed in its deployment folder (/batm/app/admin/standalone/deployments/), so the uploaded code executed automatically. With that code running, the attacker could access the database; download usernames and password hashes; read and decrypt the API keys used to access funds in hot wallets and exchanges; send funds from the hot wallets; turn off two-factor authentication (2FA); and read terminal event logs.
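The hot-deploy behaviour described above is what turned a file upload into code execution: the application server runs whatever deployable archive lands in that folder. As an added example (written for this article, not General Bytes code), the Python script below audits such a directory for deployable artifacts that are not on an operator-maintained allowlist, for scanner marker files that point at unknown artifacts, and for recently modified archives. It assumes the CAS admin server follows the JBoss/WildFly hot-deploy scanner layout, which the quoted path suggests; the allowlist and the sample directory contents are constructed for illustration.

```python
import os
import tempfile
import time
from dataclasses import dataclass

# Path quoted in the article; the layout conventions below assume the CAS admin
# server uses the standard JBoss/WildFly hot-deploy scanner (an assumption).
DEPLOYMENTS_DIR = "/batm/app/admin/standalone/deployments/"

# Archive types the WildFly deployment scanner deploys when they appear in the folder.
DEPLOYABLE_EXTS = (".war", ".jar", ".ear", ".sar", ".rar")
# Marker files the scanner writes or reads next to an artifact.
MARKER_EXTS = (".dodeploy", ".skipdeploy", ".isdeploying", ".deployed", ".failed",
               ".isundeploying", ".undeployed", ".pending")


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def _marker_base(name):
    """Return the artifact name a marker file refers to, or None if not a marker."""
    for ext in MARKER_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return None


def audit_deployments(directory, allowlist, now=None, recent_seconds=24 * 3600):
    """Flag anything in a hot-deploy directory that is not an expected, settled artifact.

    allowlist: artifact file names (e.g. "admin.war") the operator knows should be there.
    Returns a list of Finding, ordered by file name.
    """
    now = time.time() if now is None else now
    allowed = set(allowlist)
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        base = _marker_base(name)
        if base is not None:
            # A marker for something not on the allowlist means the scanner saw
            # (or was asked to deploy) an artifact the operator never shipped.
            if base not in allowed:
                findings.append(Finding(name, f"scanner marker for non-allowlisted artifact {base}"))
            continue
        if not name.endswith(DEPLOYABLE_EXTS):
            findings.append(Finding(name, "unrecognized file in hot-deploy directory"))
            continue
        if name not in allowed:
            findings.append(Finding(name, "deployable artifact not on allowlist"))
        age = now - os.stat(path).st_mtime
        if age < recent_seconds:
            # Even an allowlisted artifact that changed recently deserves a look.
            findings.append(Finding(name, f"deployable artifact modified {int(age)}s ago"))
    return findings


def build_sample_dir(now=None):
    """Constructed sample layout (not real CAS data): one legitimate, settled
    deployment plus a freshly dropped archive and a stray text file."""
    now = time.time() if now is None else now
    d = tempfile.mkdtemp(prefix="deployments-")
    old = now - 30 * 24 * 3600
    for name in ("admin.war", "admin.war.deployed"):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.utime(p, (old, old))
    for name in ("dropped.war", "dropped.war.dodeploy", "notes.txt"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    target = DEPLOYMENTS_DIR if os.path.isdir(DEPLOYMENTS_DIR) else build_sample_dir()
    for f in audit_deployments(target, allowlist=["admin.war"]):
        print(f"{f.name}: {f.reason}")
```

Run on a real server, the script would be pointed at the deployment folder with the operator's known artifact names; the point is that a freshly dropped archive, or a marker file for an archive nobody shipped, is a high-signal indicator on a server that auto-deploys its contents.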
The attack led General Bytes to shut down its cloud service, but the company has not yet disclosed the total amount of funds stolen through this zero-day flaw. Analysis of the attacker’s wallets shows, however, that 56.283 BTC (about $1.5 million), 1,219.183 LTC (about $96,500) and 21.823 ETH (about $36,500) were transferred to them during the attack.
General Bytes has warned CAS operators to keep their Crypto Application Servers (CASs) behind a firewall and to reach them only over a VPN. It has also advised rotating all passwords and 2FA settings, as well as the API keys for exchanges and hot wallets. The company has released two patched CAS versions, 20221118.48 and 20230120.44. According to General Bytes, the company has undergone several security audits since 2021 without this bug being found, and the vulnerability had been present since version 20210401.
This is the second time in less than a year that attackers have used a zero-day flaw to target General Bytes; the previous attack was in August 2022.