A prominent provider of Bitcoin ATMs has issued a call to action for its clients to promptly upgrade their systems following a recent security breach. General Bytes disclosed that hackers took advantage of a zero-day vulnerability in its software over the weekend to pilfer funds.
According to General Bytes, the flaw was discovered in the master service interface that Bitcoin ATMs use to upload videos to the server. The attackers targeted the Digital Ocean cloud hosting IP address space, identifying Crypto Application Server (CAS) services running on port 7741, including the General Bytes Cloud service and servers operated by other GB ATM operators on Digital Ocean.
By exploiting this security loophole, the attackers were able to upload their own application to the application server utilized by the admin interface. This allowed them to access the database, read and decrypt API keys for accessing funds in hot wallets and exchanges, transfer funds from hot wallets, retrieve usernames and password hashes, disable two-factor authentication, and view terminal event logs to identify instances where customers scanned private keys at the ATM.
In addition to breaching other operators’ standalone servers, the hackers also infiltrated General Bytes’ cloud service. The company urged all ATM operators to promptly update their CAS software and assume that all CAS passwords and API keys have been compromised. They recommended resetting passwords and generating new API keys or invalidating the existing ones.
As a precautionary measure, General Bytes announced the closure of its cloud service in response to the attack. They advised ATM operators to transition to using their own standalone servers, with support available to assist in migrating data from the GB Cloud to a standalone server. The company emphasized the importance of securing CAS behind a firewall and VPN, ensuring terminals connect to CAS via VPN, and conducting a complete server reinstallation if a breach is suspected.
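One way an operator could check the firewall-and-VPN advice on their own CAS host, as an added example that is not General Bytes' code: the Python script below reads `ss -H -tln` output and flags any listener on port 7741 that is bound outside the VPN. The 10.8.0.0/24 VPN subnet and the sample lines are constructed assumptions.

```python
import ipaddress

CAS_PORT = 7741  # CAS port named in the article
VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumption: operator's VPN subnet

# Constructed sample of `ss -H -tln` output (not from a real server).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 *:7741 *:*
LISTEN 0 100 10.8.0.1:7741 0.0.0.0:*
LISTEN 0 100 203.0.113.10:7741 0.0.0.0:*
LISTEN 0 100 [::1]:7741 [::]:*
"""

def classify(addr):
    """Return 'ok' or a reason string for one local bind address."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if addr == "*":
        return "wildcard bind: listens on every interface"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard bind: listens on every interface"
    if ip.is_loopback or (ip.version == VPN_NET.version and ip in VPN_NET):
        return "ok"
    return "bound to a non-VPN address"

def audit_listeners(ss_output, port=CAS_PORT):
    """Return (local_address, reason) for each listener on `port` outside the VPN."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, lport = local.rpartition(":")
        if lport != str(port):
            continue
        reason = classify(addr)
        if reason != "ok":
            findings.append((local, reason))
    return findings

if __name__ == "__main__":
    for local, reason in audit_listeners(SAMPLE_SS):
        print(f"{local}: {reason}")
```

A wildcard bind is not proof of exposure, since a host or cloud firewall may still block the port, but it means the firewall is the only control in front of CAS.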
Despite conducting multiple security audits since 2021, General Bytes admitted to missing the zero-day bug that led to the recent breach. The company emphasized the need for vigilance and proactive security measures to safeguard against future threats in the cryptocurrency ATM industry.