General Bytes Hacked
March 23, 2023


The leading crypto ATM developer has reported a recent attack by hackers. The attackers stole the company’s and its users’ crypto assets by exploiting a so-called zero-day vulnerability (a software vulnerability that is exploited while no fix exists yet; such flaws are missed during preliminary security testing, hence the name: the developers had zero days to find the vulnerability and build a defense). The vulnerability has been given the identifier BATM-4780. It concerns the remote loading and starting of a Java application through the main ATM interface, after which that application runs with the privileges of the BATM user.

The attack was reported to have taken place the previous weekend. ‘The hackers scanned the IP space of the Digital Ocean cloud hosting and detected running CAS services (including the General Bytes service and other ATM operators which keep their services at Digital Ocean, a recommended cloud hosting provider) on port 7741,’ the company representative explains.

The Czech company General Bytes owns and operates fifteen thousand crypto ATMs in more than 120 countries. These devices let users trade more than forty types of crypto assets and are controlled by a Crypto Application Server (CAS). Clients can also set up their own ATMs using either the General Bytes cloud service or stand-alone servers.

By exploiting the ‘unfortunate bug’ on compromised devices, the attackers gained access to databases and sensitive personal information (such as usernames and password hashes), read and decrypted the API keys used to access hot wallets and exchanges, and transferred assets out of the hot wallets. They also gained access to event logs, which let them find the records of private key use.

The company has not disclosed the amount stolen, but it published a list of wallets used by the hackers during the attack. The logs show that the crypto heist started on March 17th, when one bitcoin address received 56.28570959 BTC (about 1,589,000 USD) and another address received 21.79436191 ETH (about 39,000 USD). The BTC appear to remain in the attacker’s wallet, while the Ethereum seems to have already been moved elsewhere via Uniswap.

General Bytes has published a report warning that the malware can be found in the /batm/app/admin/standalone/deployments/ folder as a randomly named ‘.war’ or ‘.war.deployed’ file. Users are advised to generate new API keys. CAS administrators should check ‘master.log’ and ‘admin.log’ for suspicious gaps, which might mean that the hackers erased records to disguise their activity. On Twitter, the company also urged its clients to update the security and protective software immediately.
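The two checks the advisory describes, an unexpected ‘.war’ or ‘.war.deployed’ file in the deployments folder and unexplained gaps in the logs, can be scripted. The following is an added example written for this post, not code from General Bytes. The deployments path comes from the advisory; the allowlist of legitimate deployment names, the log line format (an ISO-style timestamp at the start of each line) and the sample directory contents and log lines are all assumptions constructed for the demonstration, so an operator would substitute their own known-good names and the real log format.

```python
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Folder named in the General Bytes advisory.
DEPLOYMENTS_DIR = Path("/batm/app/admin/standalone/deployments")

# Hypothetical allowlist of legitimate deployment names; operators must
# replace this with the names that are really expected on their CAS host.
KNOWN_DEPLOYMENTS = {"batm.war", "batm.war.deployed"}

# Assumed log line prefix: "YYYY-MM-DD HH:MM:SS ..." (not the real CAS format).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_unexpected_deployments(dir_path, known=KNOWN_DEPLOYMENTS):
    """Return every .war / .war.deployed file whose name is not on the allowlist."""
    suspicious = []
    for entry in Path(dir_path).iterdir():
        name = entry.name
        if not (name.endswith(".war") or name.endswith(".war.deployed")):
            continue  # other files are not what the advisory points at
        if name not in known:
            suspicious.append(name)
    return sorted(suspicious)


def find_log_gaps(lines, max_gap=timedelta(hours=1)):
    """Flag silences longer than max_gap and timestamps that go backwards.

    A long silence can mean records were deleted; a backwards timestamp can
    mean lines were rewritten or spliced. Returns (kind, previous_ts, ts).
    """
    findings = []
    prev = None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # continuation lines / stack traces carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if prev is not None:
            if ts < prev:
                findings.append(("out-of-order", prev, ts))
            elif ts - prev > max_gap:
                findings.append(("gap", prev, ts))
        prev = ts
    return findings


# Constructed sample log: a periodic task that should log every 30 minutes.
SAMPLE_MASTER_LOG = """\
2023-03-17 22:01:10 INFO  scheduler tick
2023-03-17 22:31:12 INFO  scheduler tick
2023-03-18 03:58:40 INFO  scheduler tick
2023-03-18 04:28:41 INFO  scheduler tick
2023-03-18 04:10:00 INFO  scheduler tick
""".splitlines()


def build_sample_deployments():
    """Create a scratch directory imitating the deployments folder (constructed sample)."""
    d = Path(tempfile.mkdtemp(prefix="cas-deployments-"))
    for name in ("batm.war", "batm.war.deployed",
                 "xk3j9q2.war", "xk3j9q2.war.deployed", "notes.txt"):
        (d / name).write_bytes(b"")
    return d


if __name__ == "__main__":
    target = DEPLOYMENTS_DIR if DEPLOYMENTS_DIR.is_dir() else build_sample_deployments()
    print("unexpected deployments:", find_unexpected_deployments(target))
    for kind, before, after in find_log_gaps(SAMPLE_MASTER_LOG):
        print(f"{kind}: {before} -> {after}")
```

On the sample data the script reports the two randomly named files and two log findings: a silence of more than five hours between 22:31 and 03:58, and a timestamp that runs backwards from 04:28 to 04:10. The gap threshold should be tuned to the quietest legitimate interval in the real log; the point is to make any interval that cannot be explained by normal operation stand out for manual review.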

Company representatives announced that they are going to shut down the cloud service, as it proved hard to defend, especially because it has to give access to many operators simultaneously. General Bytes will help with data migration for those who intend to run their own CAS, which should also be placed behind a VPN and a firewall.

The company has declared that it will commission a number of security audits and bring in outside experts to find and fix potential issues before hackers can find and exploit them. General Bytes developers have released CAS patches 20221118.48 and 20230120.44 to close the zero-day vulnerability.
