Hackers Drain Bitcoin ATMs of $1.5 Million by Exploiting 0-Day Flaw

turp182 shares a report from Ars Technica: Hackers siphoned millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that cannot be reversed, the kiosk maker has revealed. The robbery targeted ATMs sold by General Bytes, a company with multiple locations around the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoins for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that are not entirely clear, the BATMs offer an option that allows customers to upload videos from their terminal to the CAS using a mechanism known as the master server interface.

Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASs operated by the company and by customers. To complete the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and run a malicious Java application. The actor then drained various hot wallets of around 56 BTC, worth approximately $1.5 million. General Bytes patched the vulnerability 15 hours after learning about it, but due to the way cryptocurrencies work, the losses were irreversible. […] When the malicious application was run on a server, the threat actor was able to (1) access the database, (2) read and decrypt encrypted API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the threat actor, (4) download username and password hashes and disable 2FA, and (5) access terminal event logs and scan for instances where customers scanned private keys at the ATM. The sensitive data in step 5 was logged by older versions of ATM software.

Going forward, said this weekend’s post, General Bytes will no longer manage CASs on behalf of customers. This means that terminal owners must manage the servers themselves. The company is also collecting data from customers to validate any losses related to the hack, conduct an internal investigation and work with authorities in an effort to identify the threat actor. General Bytes said the company has received “multiple security audits since 2021,” and none of them discovered the exploited vulnerability. The company is now in the process of seeking further assistance to secure its BATMs.
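Step 5 in the report is the one an operator can verify directly: whether their own terminal event logs contain customer private keys. The scanner below is an added example, not code from General Bytes or from the Ars Technica report. It assumes a scanned key was logged as a plain mainnet WIF string (the base58check format a wallet QR code normally carries), and it runs over a constructed log excerpt, so the timestamps, terminal IDs and field names are made up. Because a WIF key is just 51 or 52 base58 characters, a regex alone would flag random tokens; the scanner therefore decodes each candidate and checks the base58check checksum (double SHA-256), which also rejects a key with a single altered character.

```python
import hashlib
import re
import sys

# Bitcoin's base58 alphabet (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 as used by Bitcoin: big-endian integer, leading 0x00 bytes become '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """base58check checksum: first four bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(privkey: bytes, compressed: bool = True) -> str:
    """Mainnet WIF: 0x80 || 32-byte key || (0x01 if compressed) || checksum, base58-encoded."""
    if len(privkey) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def is_valid_wif(candidate: str) -> bool:
    """True only if candidate decodes to a mainnet WIF with a correct checksum."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) not in (37, 38) or raw[0] != 0x80:
        return False
    body, chk = raw[:-4], raw[-4:]
    if len(body) == 34 and body[-1] != 0x01:   # compressed-key marker must be 0x01
        return False
    return checksum(body) == chk


# Mainnet WIF is 51 chars starting with '5' (uncompressed) or 52 chars starting with
# 'K'/'L' (compressed). The look-arounds avoid matching inside a longer base58 run.
WIF_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[5KL][1-9A-HJ-NP-Za-km-z]{50,51}(?![1-9A-HJ-NP-Za-km-z])"
)


def find_private_keys(log_text: str) -> list[str]:
    """Every token in log_text that is a checksum-valid mainnet WIF private key."""
    return [m.group(0) for m in WIF_RE.finditer(log_text) if is_valid_wif(m.group(0))]


# ---- constructed sample data (not real logs, not a real wallet) -------------------
SAMPLE_KEY = bytes(range(1, 33))            # throwaway 32-byte scalar, never funded
SAMPLE_WIF = wif_encode(SAMPLE_KEY, compressed=False)
# Same string with its last character altered: right shape, wrong checksum.
CORRUPTED_WIF = SAMPLE_WIF[:-1] + ("1" if SAMPLE_WIF[-1] != "1" else "2")

SAMPLE_LOG = "\n".join([
    "2023-01-01T10:00:00Z terminal=BT000001 event=QR_SCAN payload=" + SAMPLE_WIF,
    "2023-01-01T10:00:05Z terminal=BT000001 event=QR_SCAN payload=1BoatSLRHtKNngkdXEeobR76b53LETtpyT",
    "2023-01-01T10:01:00Z terminal=BT000002 event=QR_SCAN payload=" + CORRUPTED_WIF,
])


if __name__ == "__main__":
    # Usage: python3 scan_logs.py /path/to/terminal-events.log (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key in find_private_keys(text):
        # Print a prefix only; the goal is to find leaks, not copy them into another log.
        print(f"private key logged: {key[:6]}... ({len(key)} chars)")
```

On the sample excerpt only the first line is reported: the address on the second line never matches the pattern, and the third line's token has the right length and prefix but fails the checksum. A hit means the key is already compromised wherever that log has been copied (backups, log shippers, the CAS database), so the response is to sweep the funds to a fresh wallet, not merely to delete the log line.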
