Prague, Czech Republic, Mar 20, 2023 -- The GENERAL BYTES Cloud service and other standalone servers run by operators suffered security breaches. We noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1). We notified customers to shut down their CAS servers as soon as possible. The attacker could remotely upload his Java application via the master service interface used by terminals to upload videos, and run it with BATM user privileges. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. The patch was released within 15 hours.
Here is what happened:
1. The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.
2. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).
3. Using this security vulnerability, the attacker uploaded his application directly to the application server used by the admin interface. The application server was, by default, configured to start applications in its deployment folder.
Note: We have conducted multiple security audits since 2021, and none of them identified this vulnerability.
This resulted in the following:
- Ability to access the database.
- Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.
- Ability to send funds from hot wallets.
- Ability to download user names and their password hashes, and to turn off 2FA.
- Ability to access terminal event logs and scan for any instance where customers scanned private keys at the ATM. Older versions of the ATM software logged this information.
What you should know:
- GENERAL BYTES is closing its cloud service. From now on, all of our customers will manage their ATMs using their own stand-alone servers. We have already provided customers with instructions and guidance on migration, and we hope they understand it is better for all of us.
- We are collecting data from our clients to validate all the losses; along with our internal investigation, we will cooperate with the authorities and do everything we can to identify the perpetrator.
- We will continuously update the security bulletin as information becomes available (https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023).
You can contact us at firstname.lastname@example.org
For security companies and experts:
Even though we have had multiple security audits performed since 2021, this vulnerability went undiscovered in our product since version 20210401.
We would like to conduct multiple independent security audits of our product as soon as possible, as we now see the importance of having separate audits performed by several companies.
If you think your company can help us to make our product safer, please contact us at email@example.com
NOTE: A security review will require your presence at our Prague offices, as we insist on performing security reviews on real physical machines.