Over the weekend, General Bytes disclosed that its customers' crypto application servers (CASes), and its own, had lost more than $1.5 million worth of bitcoin. An unidentified threat actor used the CAS interface to upload and run a malicious Java application, exploiting a previously unknown vulnerability to pull off the heist. The actor then drained around 56 bitcoin, worth about $1.5 million, from several hot wallets. General Bytes patched the vulnerability 15 hours after becoming aware of it, but because cryptocurrency transactions cannot be reversed, the losses were irrecoverable.
The attack gave the hacker access to the company's database, where they could read and decrypt the API keys used to move funds from hot wallets and exchanges, download user names and password hashes, and turn off 2FA.
According to General Bytes' security incident disclosure, the attacker discovered CAS services running on port 7741, among them the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (General Bytes' preferred cloud hosting provider).
The company posted a statement on Twitter advising users to "take immediate action" and install the most recent updates to stop hackers from gaining access to customers' servers and funds.
Once the Java application was uploaded, the threat actor could perform the following actions on compromised devices:
- Access the database.
- Read and decrypt the API keys used to access funds on popular exchanges and hot wallets.
- Transfer funds from hot wallets.
- Download user names and password hashes, and turn off 2FA.
- Search terminal event logs for any instance of an ATM user scanning a private key (earlier versions of the ATM software logged this information).
After learning that the attacks had put both its cloud service and its clients at risk, General Bytes issued a warning.
In addition to the IP addresses used in the March 17–18, 2023 hack, General Bytes identified three other IP addresses used by the hacker. An insider told Bitcoin.com News on Saturday night that although their organization's system had been compromised, they still run a full node that is "locked down sufficiently" to prevent the attacker from collecting money.