Hacker Exploits Months-Old Bug to Steal Crypto From ATMs

Now-Patched Bug Allowed Thief to Remotely Steal User Passwords, Private Keys
A Bitcoin ATM manufacturer suspended cloud services supporting more than 15,000 machines after a hacker exploited a vulnerability in its software and made off with cryptocurrency worth millions of dollars.
On Friday and Saturday, a hacker exploited the now-patched bug in Prague-based General Bytes' master service interface to access user passwords and private keys of ATM users and their hot wallets - digital wallets connected to the internet.
The hacker exploited the vulnerability in the master service interface, which the company uses to upload security videos from the ATMs to its servers, to remotely run a Java application on its terminals. With unauthorized access to the company's database, the hacker could read and decrypt API keys to reach funds held in hot wallets and on exchanges; send funds from the compromised hot wallets to a wallet of their choice; download user names and password hashes and turn off two-factor authentication; and access terminal event logs to find instances in which customers had scanned their private keys at the ATM.
General Bytes did not specify the amount the hacker stole, but on-chain data suggests the number is likely to be around $1.54 million.
The vulnerability, which "multiple" security auditors have missed since 2021, affects General Bytes' cloud service as well as operators' stand-alone servers.
General Bytes released two patches for its Crypto Application Server. It advised the operators of its ATMs to review the server's user accounts and the permissions they are granted, delete unauthorized accounts and reset passwords for the rest. Operators must also verify that the attacker has not changed the default receiver crypto wallet to a wallet of their own, the company said.