
Cyber Incident Victim: General Bytes

Date: Mar 2023

Location: United States of America

Summary

A leading Bitcoin ATM manufacturer experienced a security breach where attackers exploited a zero-day vulnerability in its platform management interface, enabling unauthorized Java application uploads to servers. The compromise allowed database access, decryption of hot wallet API keys, cryptocurrency theft, password hash extraction, and 2FA disablement. Impact extended to the company’s cloud service and standalone customer servers, with losses totaling approximately $1.63 million across Bitcoin and Ethereum. Attackers identified targets by scanning specific cloud hosting IP ranges. Following the incident, authorities urged server operators to update software, invalidate credentials, and migrate from cloud services, while the company discontinued its cloud offering and issued patches addressing the flaw. Previous security audits had not detected the vulnerability.


Description

On March 17, 2023, attackers exploited a zero-day vulnerability (tracked as BATM-4780) in General Bytes’ Crypto Application Server (CAS) platform, initiating a theft of approximately $1.5 million in cryptocurrency from the company and its customers. The hackers scanned Digital Ocean cloud IP addresses to identify CAS instances running on port 7741, targeting both General Bytes’ cloud service and standalone servers operated by customers. Upon locating exposed systems, they remotely uploaded malicious Java applications through the master service interface, executing these with ‘batm’ user privileges. This unauthorized access enabled attackers to read and decrypt API keys for hot wallets and exchanges, transfer funds from those wallets, download username and password hash data, disable two-factor authentication (2FA), and access terminal event logs containing sensitive historical information, including instances where customers scanned private keys at ATMs in older software versions. The attackers systematically covered their tracks by deleting log entries, creating gaps in the "master.log" and "admin.log" files. Compromised servers stored malicious files in the "/batm/app/admin/standalone/deployments/" directory as randomly named .war and .war.deployed artifacts. Cryptocurrency addresses linked to the breach revealed thefts totaling 56.28570959 Bitcoin (approximately $1,589,000) and 21.79436191 Ethereum (approximately $39,000), with the latter converted to USDT via Uniswap. General Bytes confirmed its cloud service and multiple standalone operator servers were breached.


General Bytes responded by urging immediate server upgrades to patched versions 20221118.48 and 20230120.44, instructing operators to audit logs for irregularities and scan for malicious files. The company mandated password resets for all users and revocation of compromised API keys. It also permanently discontinued its cloud service, citing inherent security risks in multi-operator environments, and assisted customers in migrating to standalone CAS instances protected by firewalls and VPNs. The breach constituted General Bytes’ second major security incident within eight months, following an August 2022 zero-day exploitation. Despite prior audits in 2021, and Kraken researchers having identified unrelated vulnerabilities in 2021 that were subsequently patched, the BATM-4780 flaw remained undetected. The company announced plans to implement intensive third-party audits to identify additional vulnerabilities, acknowledging the persistent risk of financial loss for operators and users due to the exposure of decrypted keys and user credentials. The attacker’s Bitcoin wallet retained the stolen funds as of the disclosure date.
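One way to carry out the log audit and malicious-file scan that operators were told to perform, written as an added example for this entry (not General Bytes’ own tooling): it flags unexplained silences in a timestamped log, the kind of gap the deleted master.log and admin.log entries left, and lists .war artifacts in the deployments directory that an operator did not install. The log-line format, the allowlist contents and all sample data are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

DEPLOY_DIR = "/batm/app/admin/standalone/deployments"  # directory named in the write-up
# Assumption: log lines start with "YYYY-MM-DD HH:MM:SS"; the real CAS log
# layout is not given on the page, so adjust the pattern for your files.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def find_log_gaps(lines, max_gap=timedelta(minutes=30)):
    """Return (before, after) pairs of consecutive timestamps further apart
    than max_gap: a chatty master.log/admin.log that goes silent is suspect."""
    gaps, prev = [], None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # continuation lines and stack traces carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts))
        prev = ts
    return gaps

def suspicious_deployments(filenames, allowlist):
    """Return .war / .war.deployed artifacts whose base name is not in the
    operator-maintained allowlist of deployments they installed themselves."""
    flagged = []
    for name in filenames:
        if name.endswith(".war.deployed"):
            base = name[: -len(".deployed")]
        elif name.endswith(".war"):
            base = name
        else:
            continue
        if base not in allowlist:
            flagged.append(name)
    return flagged

# Constructed sample input; not real logs or listings from the incident.
SAMPLE_LOG = [
    "2023-03-17 20:58:03 INFO terminal heartbeat BT100001",
    "2023-03-17 20:59:10 INFO terminal heartbeat BT100002",
    "2023-03-18 01:12:44 INFO terminal heartbeat BT100001",  # >4 h of silence before this
]
SAMPLE_FILES = ["admin.war", "admin.war.deployed", "q7xk2p.war", "q7xk2p.war.deployed"]
ALLOWLIST = {"admin.war"}  # placeholder; list the artifacts you deployed yourself

if __name__ == "__main__":
    for before, after in find_log_gaps(SAMPLE_LOG):
        print(f"log gap: {before} -> {after} ({after - before})")
    for name in suspicious_deployments(SAMPLE_FILES, ALLOWLIST):
        print(f"unexpected artifact in {DEPLOY_DIR}: {name}")
```

On a real server, feed the functions the contents of the two log files and a listing of DEPLOY_DIR, and treat any hit as a lead for the rest of the audit rather than as proof of compromise.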
