Topic: Ongoing - Hackers manage to steal crypto from customers of General Bytes ATMs (Read 400 times)

From https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023


Is it just me but is having the sever that handles money start everything in a folder just asking for trouble. Any other breach that gets you access may or may not get you full access to everything. But if it just runs something without a specific reason to (other then it's in that folder and that's not a good reason) bad things are going to happen.

Look there is a file called auto_deploy_virus. Lets run it and see what happens.

-Dave

Despite the use of bitcoin ATMs is just getting a widespread, i think ithis can also be a shortfall on other side because am seing the occassion of this type as the first of it kind happening which will bring down the interest of bitcoiners in making use of the ATM as preferred over the normal use on other devices, if this has been generally noticed then it will be an unsecured means of engaging bitcoin transaction through the use of these operating systems, bitcoin ATMs should be as secured as expected than having a possible vulnerability for hacker and scammers to operate an attack through.

Now they are not just prompting but FORCING people to run the back end themselves.

This will keep them from getting massively hacked again, but at a guess a lot of the small BTAM operators that only have 1 or 2 machines are not going to stay in the game if they now have to run the server themselves. There is a baseline of knowledge and skill needed and it's now an additional unknown expense.

I wonder if some other operator will start offering the service.

Not something I would even want to think about doing considering the security implications.

-Dave

A new incident has affected General Bytes bitcoin ATMs these past couple of days. On this occasion, hackers managed to make away with around 1,5M $ in crypto. In order to do so, they managed to upload their own java software using a video uploading interface to the system, and execute it using the atm’s privileges.

The malware has so far allowed the hackers to move funds from some bitcoin ATM installations, as well as to scan the logs in search for client private keys (not sure what precise functionality resorts to customers providing private keys, but that’s what the info states). See the complete details in the second link below.

The incident has afected both GB Cloud services, and some standalone servers from other operators. GB seems to have closed-down their cloud service (no indication on how long for), and is prompting their customers (companies) using their bitcoin ATMs to run their own standalone servers.

See:
https://www.cryptopolitan.com/general-bytes-atm-suffers-a-massive-hack/
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023

Going with very little liquidity. There really is no reason to have much sitting in there for most people. AND if GB sent out emails and texts although servers may not have been updated / patched they may have just taken them offline or moved the funds ASAP.

I wonder if we are going to see a lot of cheap BATMs on the market soon.

-Dave

Bear in mind though that the amount stolen is really in crypto (the USD amount is a counter value), having obtained it by changing crypto address configuration in the servers that are run by the different operators. General Bytes sells/provides the bitcoin ATM machines, but each operator (company) then has to set-up either their server solution either on the GB Cloud or as a standalone server, in order to operate the operator’s ATMs.

The incident is on-going, and we really have no progress report (and might not get to see one) on the number of installations that have patched their servers and reviewed their firewall settings. That still leaves time for slow operators, potentially with lesser technical personnel due to summer holidays, to still leave a window of time for these attacks to still take place. Presumably, those using a Cloud solution will certainly be patched, but there’s no telling what is going on with the stand-alone CAS servers.

Only $16,000 stolen? That means either these hackers must be very cheap (like its some teenager getting cash for a new PC), or General Bytes ATMs have almost no liquidity in them.

Historically.

There have always been rumors of ATMs being designed and manufactured by shell companies with ties to organized crime. There have been a number of articles and journalistic pieces published on this topic that I've seen over the years. One way credit card numbers are stolen could be through compromised ATMs which scan the numbers.

In Kevin Mitnick's book The Art of Deception it was claimed more than 80% of electronic attacks are inside jobs. Current employees or former disgruntled employees are typically the number #1 suspects.

There have been a large number of similar hacks over the past 10 years. Enough for it to be called a trend or pattern. If you put the pieces together, what do you get? It would appear that its increasingly more important to vet the people running the operation today. Moreso than it was in past years.

Minor information update from today concerning this incident:

The Czech Republic is where the company, General Bytes, hosts its headquarters, so the above initial figure is not going to be specific to the country, but likely and aggregate sum across multiple countries, without and further details on the geographical distribution of the (so far known to them) affected operators.

well im seeing at least 3-5 hack news that happen in crypto in a month from rugpull hacking bridge smart contract and etc the blockchain Is proofable that safe but the system we are using to connect with the chain seems not safe at all

but we must stand up because with hacker showed up meaning we can make even better security to platform

Cyber and ATM theft has always been right from time and I realize the more you keep sealing the loop holes, the more these  dudes gets everyone traumatized; this ain't gonna stop but can definitely be controlled...I don't understand how archaic the program runs to the point that the GB serves as theft preference .
It is not nice to hear that people are loosing Funds; it makes the insurance made to engulf the interest of the masses for utmost security run on the contrary. So maybe it's the bank's fault for fixing wrongly programmed synchronization, I'd say it should be fixed

Sandra ❣️

"general bytes servers"

hmm doesnt sound much like hackers went to each individual ATM and then sussed out customers keys..

sounds more like the operator done key control or GB did. so its operator or GB fault and loss not the customer.

ATM's should never have private keys and should never hadn customers keys as that means more then just the customer has the keys..

a good ATM should only ask for a QR code of a public address the customer wants funds sent to.

i hope all ATM's learn from this and implement better security to not require recipient keys nor required to create recipient keys

Actually the ATM operator can run the software and GB is never involved at all. They do provide the back end software, but so does every BATM operator.

I used to run the back end for client and everything was was internal to them.

Unless something has changed since early 2019 and it does not look like it at a quick glance.

-Dave

we can word it another way

because GB creates the privatekeys of addresses GB funds. which they then hands keys to customers..
the funds are actually still GB as it was always GB keys used.
because its not a customers own privately generated privkey, the customer should technically not be classed as the victim.
and instead treated as:
'customer have yet to receive funds they can withdraw to their own key'
'customer withdrawals to personal addresses delayed/halted due to hack of GB funds'
the hack in this topic is where GB lost coin, but wants to suggest users lost it by suggesting the GB wont pay users out again.
instead they suggest that customers have lost and customers have to suffer the loss

GB should fix the loophole/backdoor.
(EG if a customer just provides a public address for a ATM to pay. and then GB pays that address.. customers can SAFELY receive funds without a hacker ever getting privkey access to move funds elsewhere. because GB wont ever have the privkey for a hacker to then action on)

and once fixing the backdoor. then pay customers what the customer deserve to be paid.

no service of any kind. should be offering a service to pay btc to a customer where that payment is a keypair the service still has control of.
a true withdrawal should be asking for a customer to provide a customers personal address. without the service ever knowing the private key

Hmmm...

https://bitcointalksearch.org/topic/2021-09-30-kraken-security-labs-identifies-vulnerabilities-in-bitcoin-atms-5363819

From the GB page about the current issue:


From Kraken:

So I guess the question is exactly how many vulnerabilities are there?
Yes, I know it's impossible to know but they do seem to have had a bunch.

The question is will GB help the operators pay the customers back for lost funds?

-Dave

CoinATMRadar makes it 8.827 bitcoin ATMs installed by the producer General Bytes, second largest worldwide …

According to reports and General Bytes themselves (see referenced links below), hackers have managed to steal crypto from bitcoin ATM users by exploiting a zero-day vulnerability present in General Bytes Servers.

The second link below (18/08/2022) states that:

This means that hackers were able to create an admin account on some of the CAS (Crypto Application Server), and then modify the parameters related to the addresses on the buy and sell configuration sections, thus diverting crypto TX funds to themselves. I presume each corporation that has one or more of GB ATMs runs their own instance of a CAS.

GB asks for GB ATMs to be non-operational until a set of two server patches have been applied (20220531.38 and 20220725.22.). Furthermore, they ask operators to check their firewall settings to allow access only from known IPs (i.e. offices, homes and ATMs I presume).

In addition, apparently:

BleepingComputer’s article references a source that seemingly indicates that there are still 18 vulnerable CAS, essentially in Canada. Nevertheless, the link to the source is no longer rendering results, and I wouldn’t be sure that the info is not local and focusing on Canada alone to begin with. Other than that, there is no info on the extent.


For bitcoin ATM users, it would be a seemingly good idea to check with the support of those ATMs corporations hosting GB bitcoin ATMs whether they’ve applied the said patches, before using GB ATMs is the coming days (supposing that is the definite solution to the exploit).

Anyone had any issued of the kind with GB ATMs for the last few days (or them being off-line presumably due to these events)?

See:
https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2785509377/Security+Incident+August+18th+2022