General Bytes acknowledged a security incident that impacted its systems between March 17 and 18. The Bitcoin ATM maker published an advisory stating that a scammer had remotely uploaded their own Java application by exploiting a zero-day vulnerability.
The scammers stole nearly 56 Bitcoin, 21 Ethereum, and 1,219 Litecoin in the General Bytes hacking incident.
“On March 17-18th, 2023, GENERAL BYTES experienced a security incident. We released a statement urging customers to take immediate action to protect their personal information,” read a tweet by General Bytes.
We urge all our customers to take immediate action to protect their funds and https://t.co/fajc61lcwR…
— GENERAL BYTES (@generalbytes) March 18, 2023
What happened in the General Bytes hacking
The scammers were able to remotely upload their own Java application through the master service interface, which terminals use to upload and run videos, and the application ran with the privileges of the batm user. Because of this, the hackers were able to do the following:
- Access and download the database with usernames and password hashes
- Turn off two-factor authentication
- Access terminal event logs
- Identify instances in which users scanned private keys at the ATM
- Decrypt API keys which are used to access funds in hot wallets
- Send funds
How the General Bytes hacking took place
Upon identifying the vulnerability in the master service interface of the Bitcoin ATMs, which is used to upload videos to the servers, the hackers scanned the Digital Ocean cloud hosting IP address space.
There they found CAS services listening on port 7741, belonging to the GB Cloud service and to other GB ATM operators.
The General Bytes hack was completed by uploading the hackers’ own application to the admin interface server.
The hackers stole 56.283 BTC, which is worth $1.5 million, 21.823 Ethereum, worth $36,500, and 1,219.183 LTC, worth $96,500.
The following IP addresses of hackers were traced:
- 204.4.202
- 104.237.25
The company released two patched versions, 20221118.48 and 20230120.44.
Aftermath of the General Bytes hacking
Users may find only a single day of events in master.log, because the hacker deleted entries from master.log and admin.log to cover their tracks.
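As an added example (not code from General Bytes or its advisory), a small Python check an operator could run over master.log and admin.log for the log-deletion symptom described above: a log that covers far less time than the retention period, or that has large holes between consecutive entries. The timestamp layout at the start of each line and the retention period are assumptions; the sample log is constructed.

```python
"""Flag a server log whose history looks truncated or has holes in it."""
import re
from datetime import datetime, timedelta

# Assumed line layout: "YYYY-MM-DD HH:MM:SS <level> <message>" (hypothetical;
# adjust the pattern to the real master.log / admin.log format).
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_timestamps(lines):
    """Return the timestamps of every line that starts with one, in file order."""
    stamps = []
    for line in lines:
        m = _TS.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return stamps


def log_span_days(lines):
    """Days between the oldest and newest entry (0.0 for an empty log)."""
    stamps = parse_timestamps(lines)
    if not stamps:
        return 0.0
    return (max(stamps) - min(stamps)).total_seconds() / 86400


def find_gaps(lines, max_gap=timedelta(hours=6)):
    """(start, end) pairs where consecutive entries are further apart than max_gap."""
    stamps = sorted(parse_timestamps(lines))
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def suspicious_reasons(lines, expected_retention_days=30, max_gap=timedelta(hours=6)):
    """List human-readable reasons the log warrants investigation (empty if none)."""
    reasons = []
    span = log_span_days(lines)
    if span < 1.0:  # the "only one day of events" symptom
        reasons.append(f"log covers only {span:.2f} days, retention is {expected_retention_days} days")
    for start, end in find_gaps(lines, max_gap):
        reasons.append(f"no entries between {start} and {end}")
    return reasons


# Constructed sample: under one day of history with two multi-hour holes.
SAMPLE_LOG = """\
2023-03-17 01:02:03 INFO terminal heartbeat BT100001
2023-03-17 01:07:03 INFO terminal heartbeat BT100001
2023-03-17 11:30:00 INFO admin login operator
2023-03-17 23:55:00 INFO terminal heartbeat BT100001
""".splitlines()

if __name__ == "__main__":
    for reason in suspicious_reasons(SAMPLE_LOG):
        print("SUSPICIOUS:", reason)
```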
Users have been urged to generate new API keys and invalidate the old ones, as it cannot be determined whether their hot wallets were compromised.
Moreover, in its advisory, General Bytes said that it will be shuttering Cloud services because “It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors.”
Users are urged not to access their GB ATM server before implementing the solutions and patches mentioned in the advisory. The official advisory also listed essential steps that users need to take before accessing their accounts.
Similar tactics used in previous General Bytes hacking
In August 2022, General Bytes was hacked in a malwareless attack, which did not require infecting systems with a virus.
In this General Bytes cyberattack, hackers exploited a zero-day vulnerability in its ATM server and stole cryptocurrency from customers’ accounts.
The vulnerability in the crypto application server (CAS) interface was used to remotely create an admin user named ‘gb.’ The hackers then altered the buy and sell settings to channel incoming cryptocurrency to their own account.