General Bytes, a major producer of cryptocurrency automated teller machines (ATMs), was recently hit by a security breach that resulted in the theft of over $1.5 million worth of Bitcoin.
How the Attack Happened
According to General Bytes, the attackers scanned the Digital Ocean cloud hosting IP address space for CAS services listening on port 7741. Through the master service interface they were able to upload and execute a Java application remotely. The uploaded code ran with the privileges of the batm user, which gave the attackers access to the database and to the API keys used to reach funds in hot wallets and exchanges.
With that access, the attackers read user records and password hashes, disabled two-factor authentication, and transferred funds out of hot wallets. They stole 56.28 BTC, worth roughly $1.5 million at the time, along with other cryptocurrencies including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB and TRX.
The stolen bitcoin has not moved from the attacker's address since March 18, but some of the other tokens have since been transferred elsewhere, including to a decentralized exchange.
Cryptocurrencies Stolen and Current Status
General Bytes has published the attacker's wallet addresses and the three IP addresses used in the breach. Some reports suggest that the company's own full node remains secure against unauthorized access to funds. The company has also released a security advisory describing the steps operators should take to secure their General Bytes ATM servers (CAS), and stresses that operators who were not affected by the incident should still apply them.
Client Actions and Security Measures
General Bytes advises operators to keep CAS behind a firewall and a VPN, and to have terminals connect to CAS only over the VPN, so that an attacker on the open internet cannot reach the server to exploit it. Where a server has already been compromised, the company advises reinstalling it entirely, operating system included.
The company has also issued a CAS security patch and advised operators to treat all user passwords and all exchange and hot-wallet API keys as compromised and to replace them.
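As an added example of the firewall and VPN advice above (this is not General Bytes' own configuration or advisory text), the shell snippet below generates an nftables ruleset that accepts the CAS port only from a VPN interface and subnet, and includes a small check that flags a CAS port bound to a wildcard address. Port 7741 comes from the article; the WireGuard interface name wg0, the VPN subnet 10.8.0.0/24, the WireGuard UDP port 51820, SSH on port 22 and the sample `ss -Hltn` output are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not General Bytes' own configuration.
# Assumptions: VPN is WireGuard on interface wg0 with subnet 10.8.0.0/24;
# CAS listens on TCP 7741 (from the article); SSH on 22 is an assumption.

# Emit an nftables ruleset that drops everything inbound except:
#   - loopback and established/related traffic
#   - the VPN tunnel itself (WireGuard UDP), which must be reachable publicly
#   - the listed TCP ports, and only when they arrive over the VPN interface
#     from the VPN subnet
cas_nft_ruleset() {
    vpn_if="$1"      # e.g. wg0
    vpn_net="$2"     # e.g. 10.8.0.0/24
    cas_ports="$3"   # nft set body, e.g. "7741, 22"
    wg_port="${4:-51820}"
    cat <<EOF
flush ruleset
table inet cas_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        udp dport $wg_port accept
        iifname "$vpn_if" ip saddr $vpn_net tcp dport { $cas_ports } accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# Given the text of `ss -Hltn` (local address in column 4), return 0 if the
# given TCP port is bound to a wildcard address (0.0.0.0, [::] or *), which
# means it is reachable on every interface, not just the VPN address.
cas_listens_on_wildcard() {
    ss_output="$1"
    port="$2"
    printf '%s\n' "$ss_output" | awk -v p="$port" '
        {
            n = split($4, parts, ":")
            lport = parts[n]
            addr = $4
            sub(/:[0-9]+$/, "", addr)
            if (lport == p && (addr == "0.0.0.0" || addr == "[::]" || addr == "*"))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `ss -Hltn` output: SSH exposed everywhere, CAS bound
# only to the VPN address 10.8.0.1.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 4096 10.8.0.1:7741 0.0.0.0:* users:(("java",pid=1200,fd=40))'

# Constructed sample where CAS is bound to the wildcard address.
SS_BAD='LISTEN 0 4096 0.0.0.0:7741 0.0.0.0:* users:(("java",pid=1200,fd=40))'

# Stand-alone demo: print the ruleset and report the two samples.
cas_nft_ruleset wg0 10.8.0.0/24 "7741, 22"
if cas_listens_on_wildcard "$SS_SAMPLE" 7741; then
    echo "sample 1: CAS port 7741 exposed on all interfaces"
else
    echo "sample 1: CAS port 7741 bound to a specific address only"
fi
if cas_listens_on_wildcard "$SS_BAD" 7741; then
    echo "sample 2: CAS port 7741 exposed on all interfaces"
fi
```

To use the ruleset on a real host, write it to a file and syntax-check it with `nft -c -f <file>` before loading it with `nft -f <file>`; the check function can be fed live data with `cas_listens_on_wildcard "$(ss -Hltn)" 7741`. Binding CAS to the VPN address and filtering with nftables are complementary: the firewall protects against a service that binds to all interfaces by default, and the wildcard check catches a firewall that has been flushed or misapplied.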
“We don’t have the final statistics yet,” General Bytes said. “We’re currently gathering information from operators. We are still dealing with damage of roughly 56 BTC as of today.”
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his breadth of knowledge and technical management capabilities go beyond these. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many other areas.