Bitcoin ATM customers hacked by video upload that was actually an app – Naked Security

There are plenty of military puns in the history of operating systems.

As you know, Unix has a whole cadre of personnel known as Major Numbers, who marshal the battalions of devices such as disk drives, keyboards and webcams in your system.

Microsoft once struggled with the apparently incompetent General Failure, who was regularly caught trying to read your DOS disks and failing.

Linux sometimes has trouble with Colonel Panic (kernel panic, if you prefer the spelling the system uses), whose appearance is usually followed by lost data, a potentially damaged file system, and an urgent need to power off and restart the computer.

And a Czech cryptocurrency company doesn’t seem to enjoy the kind of authority you’d reasonably expect of a personality named General Bytes.

Actually, General Bytes is the name of the company itself, a business that is unfortunately no stranger to unwanted intrusions and unauthorised access to cryptocurrency funds.

Once is misfortune

In August 2022, we wrote about how General Bytes had fallen victim to a server-side flaw in which remote attackers could trick a customer’s ATM server into giving them access to the “set up a whole new system” configuration pages.

If you’ve ever reset an iPhone or an Android device, you’ll know that whoever performs the initial setup ends up in control of the device, not least because they get to create the primary user and choose a brand new lock code or passphrase during the process.

However, you will also know that modern mobile phones forcibly wipe the old contents of the device, including all of the previous user’s data, before reinstalling and reconfiguring the operating system, apps and system settings.

In other words, you can start over, but you can’t pick up where the last user left off; otherwise anyone could use a system reflash (or a DFU, short for device firmware update, as Apple calls it) to get at the previous owner’s files.

However, in the General Bytes ATM server, the unauthorised access path that got the attackers into the “start from scratch” setup screens didn’t wipe any data on the infiltrated device…

…so the crooks could abuse the server’s “create a new administrative account” process to add an extra admin user to an existing, fully populated system.

Twice looks like carelessness

Last time, General Bytes suffered what you might call a malware-free attack, in which the criminals didn’t implant any malicious code at all.

The 2022 attack was orchestrated simply through malicious configuration changes, with the underlying operating system and server software untouched.

This time, the attackers used a more conventional approach that relied on an implant: malicious software, or malware for short, which was uploaded via a security loophole and then used as what you might call an “alternative control panel”.

In plain English: the crooks found a bug that allowed them to install a backdoor so they could get back in later without permission.

As General Bytes put it:

The attacker was able to upload his own Java application remotely via the main service interface used by terminals to upload videos and run it using batm user privileges.

We’re not sure why an ATM would need a remote video upload feature at all, as if it were some sort of blog site or social media service…

…but it appears that the Coin ATM Server software includes just such a feature, presumably so that adverts and other special offers can be pushed directly to customers visiting the ATMs.

Uploads that are not what they seem

Unfortunately, any server that accepts uploads, even if they come from a trusted (or at least an authenticated) source, needs to be careful about several things:

  • Uploads must be written into a staging area from which they cannot immediately be read back from outside. This helps ensure that untrusted users can’t turn your server into a temporary delivery system for unauthorised or inappropriate content via a URL that looks legitimate because it carries your branding.
  • Uploads must be checked to ensure that they really are one of the file types you allow, based on their content and not merely on the filename or extension the uploader supplied. This helps stop rogue users from hijacking your upload area by filling it with scripts or programs that may later end up being executed on the server instead of merely being served up to a subsequent visitor.
  • Uploads must be stored with the most restrictive access permissions possible (in particular, never executable), so that booby-trapped or corrupt files can’t inadvertently be executed, or even accessed, from more privileged parts of the system.
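As an added illustration of the three precautions above (this is example code written for this article, not code from General Bytes or from the Coin ATM Server product), here is a small Python upload handler for a hypothetical “advert upload” feature. It ignores the client’s filename entirely, sniffs the first bytes of the upload to decide whether the content really is a JPEG, PNG or MP4, refuses anything else (including a ZIP/JAR that has been renamed to look like a video), and writes the result with a server-chosen random name into a staging directory that you are assumed to keep outside the web root, using owner-only, non-executable permissions. The allow-list of types and the helper names are assumptions for the sake of the example.

```python
import os
import secrets
from pathlib import Path


class RejectedUpload(ValueError):
    """Raised when an upload fails content validation."""


# Content sniffers for the only types this hypothetical advert feature accepts.
# (Assumed allow-list for illustration; tune it to what your feature actually needs.)
def _is_jpeg(data: bytes) -> bool:
    return data[:3] == b"\xff\xd8\xff"


def _is_png(data: bytes) -> bool:
    return data[:8] == b"\x89PNG\r\n\x1a\n"


def _is_mp4(data: bytes) -> bool:
    # ISO base media files carry "ftyp" at offset 4 after the box size.
    return len(data) >= 12 and data[4:8] == b"ftyp"


SNIFFERS = {"jpg": _is_jpeg, "png": _is_png, "mp4": _is_mp4}


def sniff_type(data: bytes):
    """Return the allowed type the bytes actually look like, or None."""
    for ext, check in SNIFFERS.items():
        if check(data):
            return ext
    return None


def save_upload(staging_dir, data: bytes, claimed_name: str) -> Path:
    """Store an upload safely and return the path it was written to.

    staging_dir is assumed to live outside the web server's document root,
    so nothing written here is served back to visitors until a separate,
    deliberate publishing step moves it.
    """
    actual = sniff_type(data)
    if actual is None:
        # A JAR is a ZIP ("PK\x03\x04"), so a Java app renamed to .mp4 lands here.
        raise RejectedUpload("content does not match any allowed type")

    # The client's extension is only used as a cross-check; the content wins.
    claimed = Path(claimed_name).suffix.lower().lstrip(".")
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed != actual:
        raise RejectedUpload(f"declared {claimed!r} but content is {actual!r}")

    staging = Path(staging_dir)
    staging.mkdir(mode=0o700, exist_ok=True)  # owner-only directory

    # Server-chosen name: no path traversal, no collisions with existing files,
    # and no chance of an attacker picking a name like "control.jsp".
    path = staging / f"{secrets.token_hex(16)}.{actual}"

    # O_EXCL refuses to follow a pre-planted symlink; 0o600 means owner read/write
    # only and, crucially, no execute bit for anyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

Whatever later serves or plays the stored file should read it from the staging area by its server-chosen name and stream it as data; nothing in this directory should ever be on an interpreter’s classpath or a web server’s document root.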

It appears that General Bytes did not take these precautions, with the result that the attackers were able to carry out a wide range of data-stealing and cryptocurrency-grabbing actions.

The malicious activity apparently included: reading and decrypting the authentication codes used to access funds in hot wallets and at exchanges; sending funds out of hot wallets; downloading usernames and password hashes; retrieving customers’ cryptographic keys; turning off 2FA; and accessing event logs.

What to do?

  • If you run General Bytes Coin ATM systems, read the company’s breach report, which explains how to look for so-called IoCs (indicators of compromise), and what to do while you wait for patches to be published.

Note that the company has confirmed that both standalone Coin ATM servers and its own cloud-based systems (where you pay General Bytes a 0.5% fee on all transactions in exchange for them running your servers for you) were affected.

Interestingly, General Bytes reports that it will be “closing the cloud service” and insists that “you must install your own standalone server”. (The report does not give a deadline, but the company says it is already offering active migration support.)

In a turnaround that takes the company in the opposite direction from most other modern service-oriented businesses, General Bytes insists that “it is theoretically (and practically) impossible to secure a system that allows access to several operators at the same time where some of them are bad actors.”

  • If you have recently used a General Bytes ATM, contact your cryptocurrency exchange or exchanges for advice on what to do and on whether any of your funds are at risk.
  • If you are a programmer maintaining a web-based service, whether self-hosted or in the cloud, read and follow our advice above about uploads and upload directories.
  • If you are a cryptocurrency enthusiast, keep as little of your cryptocurrency holdings as you can in so-called hot wallets.

Hot wallets are essentially funds that are ready to trade at a moment’s notice (perhaps automatically), and they usually require you either to hand over your own cryptographic keys to someone else, or to transfer funds temporarily into one or more of their wallets.

