Ongoing - Hackers manage to steal crypto from customers of General Bytes ATMs

[DdmrDdmr]

CoinATMRadar makes it 8.827 bitcoin ATMs installed by the producer General Bytes, second largest worldwide …

According to reports and General Bytes themselves (see referenced links below), hackers have managed to steal crypto from bitcoin ATM users by exploiting a zero-day vulnerability present in General Bytes Servers.

The second link below (18/08/2022) states that:

Description: The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208.

This means that hackers were able to create an admin account on some of the CAS (Crypto Application Server), and then modify the parameters related to the addresses on the buy and sell configuration sections, thus diverting crypto TX funds to themselves. I presume each corporation that has one or more of GB ATMs runs their own instance of a CAS.

GB asks for GB ATMs to be non-operational until a set of two server patches have been applied (20220531.38 and 20220725.22.). Furthermore, they ask operators to check their firewall settings to allow access only from known IPs (i.e. offices, homes and ATMs I presume).

In addition, apparently:

1.   The attacker didn't gain access to the host operation system.
2.   The attacker didn't gain access to the host file system.
3.   The attacker didn't gain access to the database.
4.   The attacker didn't gain access to any passwords, password hashes, salts, private keys or API keys.

BleepingComputer’s article references a source that seemingly indicates that there are still 18 vulnerable CAS, essentially in Canada. Nevertheless, the link to the source is no longer rendering results, and I wouldn’t be sure that the info is not local and focusing on Canada alone to begin with. Other than that, there is no info on the extent.


For bitcoin ATM users, it would be a seemingly good idea to check with the support of those ATMs corporations hosting GB bitcoin ATMs whether they’ve applied the said patches, before using GB ATMs is the coming days (supposing that is the definite solution to the exploit).

Anyone had any issued of the kind with GB ATMs for the last few days (or them being off-line presumably due to these events)?

See:
https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2785509377/Security+Incident+August+18th+2022

[1714660609]

1714660609

[1714660609]

1714660609

[1714660609]

1714660609

[DaveF]

Hmmm...

https://bitcointalk.org/index.php?topic=5363819

From the GB page about the current issue:

Note: We concluded multiple security audits since 2020, and none of them identified this vulnerability. Attack came 3rd day after we publicly announced Help Ukraine feature on ATMs.

From Kraken:

BATM ATMs are managed using a “Crypto Application Server” – a management software that can be hosted by the operator, or licensed as SaaS.

Our team found the CAS does not implement any Cross-Site Request Forgery protections, making it possible for an attacker to generate authenticated requests to the CAS. While most endpoints are somewhat protected by very difficult to guess IDs, we were able to identify multiple CSRF vectors that can successfully compromise the CAS.

So I guess the question is exactly how many vulnerabilities are there?
Yes, I know it's impossible to know but they do seem to have had a bunch.

The question is will GB help the operators pay the customers back for lost funds?

-Dave

[franky1]

we can word it another way

because GB creates the privatekeys of addresses GB funds. which they then hands keys to customers..
the funds are actually still GB as it was always GB keys used.
because its not a customers own privately generated privkey, the customer should technically not be classed as the victim.
and instead treated as:
'customer have yet to receive funds they can withdraw to their own key'
'customer withdrawals to personal addresses delayed/halted due to hack of GB funds'
the hack in this topic is where GB lost coin, but wants to suggest users lost it by suggesting the GB wont pay users out again.
instead they suggest that customers have lost and customers have to suffer the loss

GB should fix the loophole/backdoor.
(EG if a customer just provides a public address for a ATM to pay. and then GB pays that address.. customers can SAFELY receive funds without a hacker ever getting privkey access to move funds elsewhere. because GB wont ever have the privkey for a hacker to then action on)

and once fixing the backdoor. then pay customers what the customer deserve to be paid.

no service of any kind. should be offering a service to pay btc to a customer where that payment is a keypair the service still has control of.
a true withdrawal should be asking for a customer to provide a customers personal address. without the service ever knowing the private key

[DaveF]

...

Actually the ATM operator can run the software and GB is never involved at all. They do provide the back end software, but so does every BATM operator.

I used to run the back end for client and everything was was internal to them.

Unless something has changed since early 2019 and it does not look like it at a quick glance.

-Dave

[franky1]

"general bytes servers"

hmm doesnt sound much like hackers went to each individual ATM and then sussed out customers keys..

sounds more like the operator done key control or GB did. so its operator or GB fault and loss not the customer.

ATM's should never have private keys and should never hadn customers keys as that means more then just the customer has the keys..

a good ATM should only ask for a QR code of a public address the customer wants funds sent to.

i hope all ATM's learn from this and implement better security to not require recipient keys nor required to create recipient keys

[Sandra_hakeem]

i hope all ATM's learn from this and implement better security to not require recipient keys nor required to create recipient keys

Cyber and ATM theft has always been right from time and I realize the more you keep sealing the loop holes, the more these  dudes gets everyone traumatized; this ain't gonna stop but can definitely be controlled...I don't understand how archaic the program runs to the point that the GB serves as theft preference .
It is not nice to hear that people are loosing Funds; it makes the insurance made to engulf the interest of the masses for utmost security run on the contrary. So maybe it's the bank's fault for fixing wrongly programmed synchronization, I'd say it should be fixed

Sandra ❣️

[dansus021]

well im seeing at least 3-5 hack news that happen in crypto in a month from rugpull hacking bridge smart contract and etc the blockchain Is proofable that safe but the system we are using to connect with the chain seems not safe at all

but we must stand up because with hacker showed up meaning we can make even better security to platform

[DdmrDdmr]

Minor information update from today concerning this incident:

22.8.2022 15:00 - Incident was reported to Czech Police. Total damage caused to ATM operators based on their feedback is 16 000 USD.

The Czech Republic is where the company, General Bytes, hosts its headquarters, so the above initial figure is not going to be specific to the country, but likely and aggregate sum across multiple countries, without and further details on the geographical distribution of the (so far known to them) affected operators.

[Hydrogen]

Historically.

There have always been rumors of ATMs being designed and manufactured by shell companies with ties to organized crime. There have been a number of articles and journalistic pieces published on this topic that I've seen over the years. One way credit card numbers are stolen could be through compromised ATMs which scan the numbers.

In Kevin Mitnick's book The Art of Deception it was claimed more than 80% of electronic attacks are inside jobs. Current employees or former disgruntled employees are typically the number #1 suspects.

There have been a large number of similar hacks over the past 10 years. Enough for it to be called a trend or pattern. If you put the pieces together, what do you get? It would appear that its increasingly more important to vet the people running the operation today. Moreso than it was in past years.

[NotATether]

Minor information update from today concerning this incident:

22.8.2022 15:00 - Incident was reported to Czech Police. Total damage caused to ATM operators based on their feedback is 16 000 USD.

Only $16,000 stolen? That means either these hackers must be very cheap (like its some teenager getting cash for a new PC), or General Bytes ATMs have almost no liquidity in them.

[DdmrDdmr]

<…>

Bear in mind though that the amount stolen is really in crypto (the USD amount is a counter value), having obtained it by changing crypto address configuration in the servers that are run by the different operators. General Bytes sells/provides the bitcoin ATM machines, but each operator (company) then has to set-up either their server solution either on the GB Cloud or as a standalone server, in order to operate the operator’s ATMs.

The incident is on-going, and we really have no progress report (and might not get to see one) on the number of installations that have patched their servers and reviewed their firewall settings. That still leaves time for slow operators, potentially with lesser technical personnel due to summer holidays, to still leave a window of time for these attacks to still take place. Presumably, those using a Cloud solution will certainly be patched, but there’s no telling what is going on with the stand-alone CAS servers.

[DaveF]

Minor information update from today concerning this incident:

22.8.2022 15:00 - Incident was reported to Czech Police. Total damage caused to ATM operators based on their feedback is 16 000 USD.

Only $16,000 stolen? That means either these hackers must be very cheap (like its some teenager getting cash for a new PC), or General Bytes ATMs have almost no liquidity in them.

Going with very little liquidity. There really is no reason to have much sitting in there for most people. AND if GB sent out emails and texts although servers may not have been updated / patched they may have just taken them offline or moved the funds ASAP.

I wonder if we are going to see a lot of cheap BATMs on the market soon.

-Dave

[DdmrDdmr]

A new incident has affected General Bytes bitcoin ATMs these past couple of days. On this occasion, hackers managed to make away with around 1,5M $ in crypto. In order to do so, they managed to upload their own java software using a video uploading interface to the system, and execute it using the atm’s privileges.

The malware has so far allowed the hackers to move funds from some bitcoin ATM installations, as well as to scan the logs in search for client private keys (not sure what precise functionality resorts to customers providing private keys, but that’s what the info states). See the complete details in the second link below.

The incident has afected both GB Cloud services, and some standalone servers from other operators. GB seems to have closed-down their cloud service (no indication on how long for), and is prompting their customers (companies) using their bitcoin ATMs to run their own standalone servers.

See:
https://www.cryptopolitan.com/general-bytes-atm-suffers-a-massive-hack/
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023

[DaveF]

A new incident has affected General Bytes bitcoin ATMs these past couple of days. On this occasion, hackers managed to make away with around 1,5M $ in crypto. In order to do so, they managed to upload their own java software using a video uploading interface to the system, and execute it using the atm’s privileges.

The malware has so far allowed the hackers to move funds from some bitcoin ATM installations, as well as to scan the logs in search for client private keys (not sure what precise functionality resorts to customers providing private keys, but that’s what the info states). See the complete details in the second link below.

The incident has afected both GB Cloud services, and some standalone servers from other operators. GB seems to have closed-down their cloud service (no indication on how long for), and is prompting their customers (companies) using their bitcoin ATMs to run their own standalone servers.

See:
https://www.cryptopolitan.com/general-bytes-atm-suffers-a-massive-hack/
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023

Now they are not just prompting but FORCING people to run the back end themselves.

This will keep them from getting massively hacked again, but at a guess a lot of the small BTAM operators that only have 1 or 2 machines are not going to stay in the game if they now have to run the server themselves. There is a baseline of knowledge and skill needed and it's now an additional unknown expense.

I wonder if some other operator will start offering the service.

Not something I would even want to think about doing considering the security implications.

-Dave

[Doan9269]

Despite the use of bitcoin ATMs is just getting a widespread, i think ithis can also be a shortfall on other side because am seing the occassion of this type as the first of it kind happening which will bring down the interest of bitcoiners in making use of the ATM as preferred over the normal use on other devices, if this has been generally noticed then it will be an unsecured means of engaging bitcoin transaction through the use of these operating systems, bitcoin ATMs should be as secured as expected than having a possible vulnerability for hacker and scammers to operate an attack through.

[DaveF]

From https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023

What happened

    The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to server.

    The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).

    Using this security vulnerability, attacker uploaded his own application directly to application server used by admin interface. Application server was by default configured to start applications in its deployment folder.

Is it just me but is having the sever that handles money start everything in a folder just asking for trouble. Any other breach that gets you access may or may not get you full access to everything. But if it just runs something without a specific reason to (other then it's in that folder and that's not a good reason) bad things are going to happen.

Look there is a file called auto_deploy_virus. Lets run it and see what happens.

-Dave