Hackers siphoned more than $1.5 million worth of digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for unrecoverable losses, the kiosk maker said.
The robbery involved ATMs sold by General Bytes, a company with several offices around the world. These BATMs, short for bitcoin ATMs, can be installed in stores and other businesses to allow people to exchange bitcoins for other currencies and vice versa. Clients connect their BATMs to a Crypto Application Server (CAS), which they can manage themselves or, until now, have General Bytes manage for them. For reasons that are not entirely clear, BATMs offer an option that lets a terminal upload video to the CAS through a mechanism known as the master service interface.
Going, going, gone
Over the weekend, General Bytes disclosed that more than $1.5 million worth of bitcoins had been withdrawn from CAS instances operated by the company and by its clients. To carry out the robbery, an unknown attacker exploited a previously unknown vulnerability that allowed them to use this interface to upload and execute a malicious Java application. The attacker then emptied various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes fixed the vulnerability 15 hours after it became known, but because of the way cryptocurrencies work, the losses are irreversible.
General Bytes officials wrote:
The night of March 17-18 was the most difficult time for us and some of our clients. The entire team is working around the clock to collect all security breach data and is constantly working to resolve all incidents to help customers get back online and continue working with their ATMs as soon as possible. We apologize for what happened, will review all of our security procedures, and are currently doing everything we can to keep our affected customers afloat.
The report states that the course of the attack was as follows:
1. The attacker discovered a security vulnerability in the master service interface that BATMs use to upload videos to the CAS.
2. The attacker scanned the IP address space of the DigitalOcean cloud hosting provider to identify running CAS services on port 7741, including the General Bytes Cloud service and other BATM operators hosting their servers on DigitalOcean.
3. Using the vulnerability, the attacker uploaded a Java application directly to the application server used by the administrative interface. The application server is configured by default to run applications placed in its deployment folder.
Once the malicious application was running on the server, the attacker was able to (1) access the database, (2) read and decrypt the encrypted API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the attacker, (4) download usernames and password hashes and disable 2FA, and (5) access terminal event logs and search for instances where customers had scanned private keys at an ATM. The sensitive data in step 5 was logged by older versions of the ATM software.
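The chain above ends with a Java application dropped into a folder that the application server deploys automatically. One control a BATM operator can run on their own CAS host is an integrity check of that folder against an allowlist of the artifacts that are supposed to be there. The script below is an added example, not General Bytes code; the deploy directory, artifact names and hashes are hypothetical, and the scenario in demo() is constructed in a temporary directory so it runs offline.

```python
"""Added example (not General Bytes code): flag unexpected or altered
artifacts in an application server's auto-deploy directory.

Keep an allowlist of the deployables that belong there (filename plus
SHA-256) and alert on anything else: a new archive, a changed archive, or
a missing one. Paths and names below are hypothetical.
"""
import hashlib
import os
import tempfile

# Archive types a Java application server will typically hot-deploy.
DEPLOYABLE_SUFFIXES = (".war", ".jar", ".ear")


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_deploy_dir(deploy_dir, allowlist):
    """Return a list of (filename, reason) findings for deploy_dir.

    allowlist maps an expected filename to its expected SHA-256 digest.
    Findings cover artifacts not on the allowlist, allowlisted artifacts
    whose hash changed, and allowlisted artifacts that are missing.
    """
    findings = []
    seen = set()
    for name in sorted(os.listdir(deploy_dir)):
        path = os.path.join(deploy_dir, name)
        if not os.path.isfile(path) or not name.lower().endswith(DEPLOYABLE_SUFFIXES):
            continue
        seen.add(name)
        if name not in allowlist:
            findings.append((name, "unexpected deployable artifact"))
        elif sha256_of(path) != allowlist[name]:
            findings.append((name, "hash mismatch with allowlist"))
    for name in allowlist:
        if name not in seen:
            findings.append((name, "allowlisted artifact missing"))
    return findings


def demo():
    """Constructed scenario: one legitimate artifact plus a dropped-in one."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical legitimate application; bytes are constructed.
        legit = os.path.join(d, "cas.war")
        with open(legit, "wb") as f:
            f.write(b"PK\x03\x04 constructed legitimate archive bytes")
        allowlist = {"cas.war": sha256_of(legit)}
        # Simulate an uploaded archive landing in the hot-deploy folder.
        with open(os.path.join(d, "update.war"), "wb") as f:
            f.write(b"PK\x03\x04 constructed malicious archive bytes")
        return audit_deploy_dir(d, allowlist)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {name}: {reason}")
```

In practice the allowlist would be generated at deployment time and stored off the host, and the audit would run from cron or a file-integrity agent; a hit on an unexpected archive is also the point to pull the server off the network, since by the time the artifact is on disk the server may already have executed it.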
BATM clients are now on their own
General Bytes said in a release this weekend that, going forward, it will no longer operate CAS on behalf of customers. This means terminal owners will have to manage the servers themselves. The company is also collecting data from customers to verify all hack-related losses, conducting an internal investigation, and cooperating with authorities in an attempt to identify the perpetrator.
General Bytes said it has gone through "several security reviews" since 2021, and none of them found the vulnerability that was exploited. The company is currently seeking additional assistance in securing its BATMs.
The incident highlights the risk of storing cryptocurrencies in wallets available online, commonly referred to as hot wallets. Over the years, attackers who exploit various vulnerabilities in cryptocurrency infrastructures, or trick wallet owners into providing the encryption keys needed to withdraw funds, have been illegally draining untold amounts of digital coins from hot wallets.
Security practitioners have long advised people to store funds in cold wallets, meaning wallets that are not directly accessible from the internet. Unfortunately, BATMs and other types of cryptocurrency ATMs generally cannot follow this best practice, because terminals must be connected to hot wallets in order to make real-time transactions. This means BATMs are likely to remain a prime target for hackers.