According to the firm, “the attacker searched the Digital Ocean cloud hosting IP address space and discovered operating CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean.”
Through that code execution, the attacker used the master service interface to remotely upload a Java program, gaining BATM user rights and access to the database and to the API keys needed to reach funds in hot wallets and exchanges.
As a consequence, the hacker could read user records and password hashes, turn off two-factor verification, and send funds out of the hot wallets.
The hacker stole 56.28 bitcoin, worth around $1.5 million, and liquidated other cryptocurrencies including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The stolen assets have not been moved from the bitcoin address since March 18, while some of the other digital currencies have been transferred to other destinations, including a decentralized trading platform.
Additionally, the attackers gained the “ability to access terminal event logs and search for each occurrence when users scanned private key at the ATM,” information that earlier versions of the ATM software recorded.
“On March 18, we advise all of our clients to take quick steps to safeguard their finances and personal information,” General Bytes tweeted.
The firm has disclosed the wallet addresses and three IP addresses the attacker used in the breach. However, according to certain sources, the company’s complete node is safe enough to prevent unwanted access to funds.
In a security advisory documenting the incident, the company listed the steps operators should take to secure their GB ATM servers (CAS), stressing that even those not affected by the incident should adopt the recommended security measures.
“Please keep your CAS protected by a firewall and a VPN. Terminals should also use VPN to connect to CAS. With a VPN/Firewall, attackers from the open internet are unable to access and exploit your server. If your server was compromised, please reinstall the whole server, including the operating system,” the business advises.
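One way an operator can check that this advice is actually holding is to audit accepted-connection logs for CAS sessions on port 7741 whose source lies outside the VPN address pool. The script below is an added example, not General Bytes code; the log line format and the VPN range 10.8.0.0/24 are constructed assumptions, so adapt the regex and the network list to your own firewall logs.

```python
"""Audit connection logs for CAS (port 7741) sessions that did not arrive over the VPN."""
import ipaddress
import re

CAS_PORT = 7741                                   # port named in the advisory
# Hypothetical VPN address pool; replace with the ranges your terminals use.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed log format: "<timestamp> src=<ip> dport=<port> action=<ACCEPT|DROP>"
LINE_RE = re.compile(
    r"src=(?P<src>[\d.:a-fA-F]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_line(line: str):
    """Return a dict with src/dport/action, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dport": int(m["dport"]), "action": m["action"]}


def from_vpn(ip: str) -> bool:
    """True if the address falls inside one of the configured VPN networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_NETS)


def audit(lines):
    """Return (src, line) for every accepted CAS connection whose source is outside the VPN."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != CAS_PORT or rec["action"] != "ACCEPT":
            continue
        if not from_vpn(rec["src"]):
            findings.append((rec["src"], line.strip()))
    return findings


SAMPLE_LOG = [  # constructed sample lines; 203.0.113.0/24 is a documentation range
    "2023-03-18T02:11:03Z src=10.8.0.12 dport=7741 action=ACCEPT",
    "2023-03-18T02:12:47Z src=203.0.113.45 dport=7741 action=ACCEPT",
    "2023-03-18T02:13:01Z src=198.51.100.9 dport=7741 action=DROP",
    "2023-03-18T02:13:30Z src=203.0.113.45 dport=443 action=ACCEPT",
]

if __name__ == "__main__":
    for src, line in audit(SAMPLE_LOG):
        print(f"CAS reached from outside VPN by {src}: {line}")
```

Any finding means the CAS port is answering the open internet and the firewall rule the advisory calls for is not in effect.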
The crypto ATM manufacturer issued a CAS security patch and advised customers to treat all user passwords and API keys for exchanges and hot wallets as compromised and to replace them.
“We don’t have the final statistics yet,” General Bytes said. “We’re currently gathering information from operators. We are still dealing with damage of roughly 56 BTC as of today.”
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.