Bitcoin ATMs Hacked – Attackers Exploiting a 0-Day Vulnerability in Its Platform

General Bytes, a Prague-based company, announced on 18 March that it had received a hacker warning saying it had remotely uploaded a Java application to its management platform to steal user information and funds in a hot wallet.

It is believed that the attacker could identify several CAS services running on port 7741 by scanning the IP address space of Digital Ocean, including the General Bytes Cloud service and other providers of GB ATM services.

The company’s website indicates that the company has sold over 15,000 Bitcoin ATMs around the globe to customers in close to 150 countries.

What Happened?

A customer can deploy a General Bytes ATM using a standalone management server or by using a cloud-based service that General Bytes offers. 

Using code execution, the attackers could access the database and API keys of hot wallets and exchanges to gain access to funds. 

This allowed the attackers to steal usernames and password hashes and disable two-factor authentication in the accounts, allowing them to transfer the funds from hot wallets.

Ability to Perform Illicit Activities

These exploits have enabled attackers to access terminal event logs and scan for instances where customers have scanned private keys at ATMs previously logged by older ATM software versions.

There has been an increase in the number of attackers able to perform illicit activities; therefore, General Bytes urges all customers to take immediate action to protect their funds and personal information on March 18.

Despite the fact that the company has not revealed how much the hacker has stolen cryptocurrency, it has released details of 41 wallet addresses that were used as part of the attack.

Find Out If Your Server Was Breached

To do so, you have followed the points that we have mentioned below:-

• Check your master.log and admin.log files and see if there are any time gaps in which nothing was logged from your server during this period.
• Generally, viewing the events for one day at a time is only possible.
• Ensure there is no suspicious content in /batm/app/admin/standalone/deployments/root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/ total 148352.
• Even though you may not have any of these files on your computer’s file system, it doesn’t necessarily mean that you haven’t been hacked.
• An empty admin.log and master.log file is the primary indication of a problem.

Upgrade Servers Immediately

The CAS administrator should examine their “master.log” and “admin.log” log files for any suspicious gaps in time caused by the attacker deleting log entries to conceal their actions.

According to the General Byte report, malicious Java applications uploaded to the desktop would appear as random-named .war and .war.deployed files in /batm/app/admin/standalone/deployments/.

Each victim will likely have a different file name, and here below in the image can see them:-

The company’s researchers have therefore recommended that as soon as possible, users should update their servers or else they could face problems in the future.

Steps for Standalone Operators:

• You should stop the admin and master service and wait until the patch release is available.
• If your BATM server has been compromised, it is strongly recommended that you reinstall it, including the operating system, to ensure that the attacker leaves no code on your server.
• Security analysts recommended updating your server to the latest version, 20230120.44.
• For your CAS server admin interface to function correctly, you will need to allow TCP ports 7777 or 443 to be used by the server firewall.
• Ensure all your terminals in the CAS interface are deactivated so that no machines are sold.
• If there are any terminals that the attacker added, you should remove them.

Steps for ALL Operators:

• Delete any unrecognized users from your CAS, their permissions, and groups.
• As a precaution, check every CAS user’s email address and reset all user passwords (except your own) as soon as possible.
• To ensure that your crypto addresses and strategies are correct, you should review your Crypto Settings and run the Crypto Settings tests.
• Remove any terminals that are unrecognized or unpaired from the list.
• Activate the terminals that have been verified.
• Set up a VPN connection between the terminals to ensure secure communication.

Crypto addresses used

Here below, we have mentioned some of the crypto addresses that have been used in this attack by the threat actors:-

• ADA =  0x7A0E7D41658F409C11288E0a2988406f2186A474
• AQUA =  0x7A0E7D41658F409C11288E0a2988406f2186A474
• ANT =  0xD5173d215551538cebE79C4e40A4C54Fb751DD83
• BAT =  0x3d1451bF188511ea3e1CFdf45288fD53B16FE17E
• BCH =  0xD5173d215551538cebE79C4e40A4C54Fb751DD83
• BTBS =  0xD5173d215551538cebE79C4e40A4C54Fb751DD83
• BTC =  bc1qfa8pryacrjuzp9287zc2ufz5n0hdthff0av440
• BTX =  0x7A0E7D41658F409C11288E0a2988406f2186A474
• BUSD =  0x7A0E7D41658F409C11288E0a2988406f2186A474
• DAI =  0x7A0E7D41658F409C11288E0a2988406f2186A474
• BIZZ =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• DASH =  Xi4GstuqKFTRo3WB6gFpPnB6jiWtLSHJDj
• DGB =  dgb1qgea3hzw62zl6req06k708swtv5xc53sdp85jzn
• DOGE =  DN1bKoV7BbuYBeysnYNT8EFj8BGTSeyLCc
• ETC =  0x8A9344be2BA8DeAA2862EAb0Aab20C7cC36c432a
• ETH =  0xD5173d215551538cebE79C4e40A4C54Fb751DD83
• EGLD =  erd1w7n54rlzrxe6jl8xpmh0de4g9jhc028zeppsjdme9g45gsnhw53s4vhgsg
• EURS =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• FTO =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• GRS =  grs1qhckdwm8dqt8pfdu2d6e649qs5jrqn6sslzlyhw
• GQ =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• HATCH =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• HT =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• JOB =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• LMY =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• LTC =  ltc1qvd5usunrpgsynyeey9n46xucy7emk62ycljl0t
• MKR =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• NANO =  nano_1rrqx4esqbfuci7whzkzms7u4kib8ojcnkaokceh9fbr79sa4a36pmqgnxd4
• NXT =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• PAXG =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• REP =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• SHIB =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• TRX =  TDjFvfcysNGaxnX7pzpvC6xfSmCC5u8qgr
• USDS =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• USDC =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• USDT =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• USDTTRON =  TDjFvfcysNGaxnX7pzpvC6xfSmCC5u8qgr
• VIA =  via1quynq6wweqz0pk9wygv82qg83tk5zu47yqweht5
• XRP =  rDkoXVLChaDvc8SHFoTNZEDzcbtFNwF977
• ZPAE =  0xAE0aC391b8361B5Fc1aF657703779886a7898497
• XMR =  426FQDKF9rbHZLbNgisRKU2m2CVfnoNpFL7ZsAoDQBHP1eRDUKaj64zDtnFychJqSg1W6eskoFqdkG4gX8BSvWvkQr8oxVc

Building Your Malware Defense Strategy – Download Free E-Book

Also Read: