
Cyber Incident Victim: CommScope

Date:

Mar 2023

Location:

United States of America

Summary

A cryptocurrency ATM manufacturer experienced a breach due to a zero-day vulnerability in its management platform, which enabled attackers to remotely upload malicious Java applications onto its servers. The exploit allowed unauthorized database access, decryption of hot wallet API keys, fund theft, user credential exfiltration, and deactivation of two-factor authentication. Threat actors stole approximately $1.5 million in cryptocurrency from both the company and its customers, leveraging cloud-hosted servers to execute scans and deploy malware. The incident prompted immediate server updates, password resets, API key invalidations, and permanent discontinuation of the cloud service. Security patches were issued, though previous audits had failed to identify the exploited flaw.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On March 17, 2023, threat actors began exploiting a zero-day vulnerability (BATM-4780) in General Bytes’ Crypto Application Server (CAS) platform, impacting both the company’s cloud service and customers' standalone Bitcoin ATM management servers. The attackers conducted scans of Digital Ocean’s IP address space to identify CAS instances running on port 7741, targeting the cloud infrastructure General Bytes recommended for operators. Upon identifying vulnerable systems, they remotely uploaded malicious Java applications via the master service interface, executing them under the 'batm' user's privileges. This granted unauthorized access to databases, enabling theft of decrypted API keys for cryptocurrency hot wallets and exchanges, user passwords (hashed), and terminal event logs, as well as the ability to disable two-factor authentication. Compromised systems allowed attackers to transfer funds directly from wallets and to export private keys logged by older ATM software versions. Through these actions, the hackers siphoned 56.28 BTC (approximately $1,589,000) and 21.79 ETH (roughly $39,000) starting March 17, later converting the Ethereum to USDT via Uniswap while retaining the Bitcoin. General Bytes detected the intrusion through suspicious activity but noted that the attackers attempted to delete log entries in the "master.log" and "admin.log" files to obscure their footprint.


General Bytes publicly disclosed the breach over the weekend of March 25-26, 2023, urging immediate server upgrades and forensic reviews for log gaps or unknown .war/.war.deployed files in deployment directories. The company invalidated all existing credentials, instructing operators to reset CAS passwords, API keys, and user passwords universally. It released security patches (versions 20221118.48 and 20230120.44) to address BATM-4780, acknowledging that prior audits since 2021 had failed to detect the flaw. Concurrently, General Bytes announced it would discontinue its cloud service, citing insurmountable security risks in multi-tenant environments, and assisted customers in migrating to standalone CAS instances protected by firewalls and VPNs. This marked the second major breach within eight months, following an August 2022 zero-day exploit against ATM servers. The company committed to conducting layered third-party security audits to preempt future vulnerabilities, though confirmed losses totaled approximately $1.5 million across its infrastructure and customer assets.
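The two forensic checks the vendor asked operators to perform, unknown .war/.war.deployed archives in the deployment directory and gaps in master.log, as an added triage example that is not General Bytes' own tooling. The allowlisted archive names, the directory listing and the log line format ("<ISO timestamp> <level> <message>") are assumptions, and the sample data is constructed.

```python
# Added example: operator-side triage for the indicators named in the advisory.
# Archive names, directory contents and log format are assumed, not taken from CAS.
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Deployment archives an operator expects to see (assumed names).
EXPECTED_WARS = {"batm.war", "admin.war"}

# Constructed directory listing of a CAS deployment directory.
SAMPLE_LISTING = [
    "batm.war", "batm.war.deployed",
    "admin.war", "admin.war.deployed",
    "x7f2.war", "x7f2.war.deployed",   # unknown archive: the pattern operators were told to look for
    "README.txt",
]

# Constructed master.log excerpt; the timestamp format is an assumption.
SAMPLE_MASTER_LOG = """\
2023-03-17T02:10:05 INFO master service request from 10.0.0.5
2023-03-17T02:10:40 INFO master service request from 10.0.0.5
2023-03-17T05:30:12 INFO scheduled wallet sync
2023-03-17T05:31:00 INFO scheduled wallet sync
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def unexpected_deployments(listing, expected=EXPECTED_WARS):
    """Return .war and .war.deployed basenames whose archive is not on the allowlist."""
    hits = []
    for name in listing:
        base = PurePosixPath(name).name
        stem = base[:-len(".deployed")] if base.endswith(".war.deployed") else base
        if stem.endswith(".war") and stem not in expected:
            hits.append(base)
    return sorted(hits)


def log_gaps(text, max_gap=timedelta(hours=1)):
    """Return (start, end, seconds) for consecutive timestamped lines further apart than max_gap.

    A silent stretch on a normally chatty service is the kind of gap left behind
    when entries are deleted, which is why the vendor asked operators to look for it.
    """
    stamps = [datetime.fromisoformat(m.group(1))
              for m in map(TS_RE.match, text.splitlines()) if m]
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_gap:
            gaps.append((prev.isoformat(), cur.isoformat(), int((cur - prev).total_seconds())))
    return gaps
```

Tune max_gap to the normal logging cadence of the host being reviewed; a threshold that is too loose hides deletions, one that is too tight flags every quiet night.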

Sources
Sources available to members
1 source