Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.
The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren’t entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface.
Going, going, gone
Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable.
General Bytes officials wrote:
The night of 17-18 March was the most challenging time for us and some of our clients. The entire team has been working around the clock to collect all data regarding the security breach and is continuously working to resolve all cases to help clients back online and continue to operate their ATMs as soon as possible. We apologize for what happened and will review all our security procedures and are currently doing everything we can to keep our affected customers afloat.
The post said the flow of the attack was:
1. The attacker identified a security vulnerability in the master service interface the BATMs use to upload videos to the CAS.
2. The attacker scanned the IP address space managed by cloud host DigitalOcean Ocean to identify running CAS services on ports 7741, including the General Bytes Cloud service and other BATM operators running their servers on Digital Ocean.
3. Exploiting the vulnerability, the attacker uploaded the Java application directly to the application server used by the admin interface. The application server was, by default, configured to start applications in its deployment folder.
Once the malicious application executed on a server, the threat actor was able to (1) access the database, (2) read and decrypt encoded API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the threat actor, (4) download user names and password hashes and turn off 2FA, and (5) access terminal event logs and scan for instances where customers scanned private keys at the ATM. The sensitive data in step 5 had been logged by older versions of ATM software.
I'm sure things will be fine with individual ATM owners needing to run their own crypto servers. What could possibly go wrong there?