Cryptocurrency ATM manufacturer General Bytes over the weekend disclosed a security incident that resulted in the theft of millions of dollars’ worth of funds.
“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider),” the company says.
The code execution provided the attackers with access to the database and access to API keys for accessing funds in hot wallets and exchanges.
The attackers were then able to transfer funds from hot wallets, steal account usernames and password hashes, and disable two-factor authentication.
Furthermore, the attackers gained the “ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM”, information that was logged by older versions of ATM software.
“We urge all our customers to take immediate action to protect their funds and personal information,” General Bytes tweeted on March 18. The incident prompted most ATM operators in the US to suspend operations.
In a security bulletin detailing the incident, the company has shared information on the steps customers should take to secure their GB ATM servers (CAS) and underlined that even those that might not have been impacted by the incident should implement the recommended security measures.
“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With VPN/Firewall attackers from open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system,” the company notes.
The crypto ATM maker released a CAS security fix and urged customers to consider all user passwords and API keys to exchanges and hot wallets as being compromised and to change them. The company also shared the crypto addresses used in the hack and the attackers’ IP addresses.
While General Bytes did not share information on the number of impacted ATM operators and users, transaction logs show that the attackers stole roughly $1.5 million in Bitcoin (around 56 BTC) from roughly 15 operators. Funds were stolen in dozens of other cryptocurrencies as well.
The company said that, despite several security audits conducted since 2021, the vulnerability exploited in this attack was not identified prior to the incident.
Responding to a SecurityWeek inquiry, General Bytes said:
“The issue was addressed in a recent software update. However, operators are still implementing the solution. Additional placing of their infrastructure behind VPNs takes time. Operators that had their infrastructure behind VPN were not affected. Operators using the cloud our service are now installing self hosted servers which takes longer.
We are closing our cloud service as we don’t see that as a safe solution for the future. ATM operators need to operate servers on their own infrastructure.”
General Bytes also said it has yet to determine the extent of the theft: “We don’t have the final numbers yet. We are still collecting the information from operators. As of now we still work with damage of around 56 BTC.”
Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters
Related: Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse