General Bytes Discloses Security Incident and $1.5 Million Bitcoin Theft
General Bytes (GB), a large cryptocurrency Automatic Teller Machine (ATM) manufacturer, disclosed on March 18, 2023, through Twitter that it suffered a "security incident" that resulted in the shutdown of various United States-based ATMs and the theft of approximately $1.5 million worth of bitcoin. General Bytes has approximately 15,000 ATMs located in over 149 countries around the globe, and a portion of the kiosks are "two-way," meaning that customers can exchange cash-for-crypto as well as crypto-for-cash. Karel Kyovsky, the founder of General Bytes, detailed in a statement released on March 19, that the security incident occurred from March 17 to March 18 and that the actor responsible "was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using batm user privileges. "This was made possible by exploiting a zero-day vulnerability tracked as BATM-4780. Kyovsky also detailed that the actor "scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean. "After gaining initial access, the actors were able to access the database, read and decrypt API keys used to access funds in exchanges and hot wallets, send funds from hot wallets, exfiltrate usernames and password hashes, disable two-factor authentication, and access terminal event logs to scan for instances where customers scanned private keys at the ATMs. Technical mitigation details as well as indicators of compromise (IOCs) can be viewed in General Bytes' statement linked below.
- The Record: General Bytes Security Incident Article
- Bleeping Computer: General Bytes Security Incident Article
- General Bytes: Initial Tweet & Security Incident Statement
Threat Actor Activity
SideCopy APT Actors Target Indian Government Agency
In their latest campaign, threat actors from the SideCopy APT group have been explicitly targeting users working for India's Defense Research and Development Organization (DRDO). The SideCopy APT group operates out of Pakistan and frequently targets entities throughout Southern Asia, including Indian and Afghan government entities. SideCopy was named as such due to their mirror-like infection chain of Sidewinder; a threat group operating in India. Additional reports also indicate some attribution to the Transparent Tribe (APT36) group who may be the parent organization of SideCopy. In this recent campaign, threat actors disseminate phishing campaigns to DRDO employees containing a URL to a supposed DRDO-related missile PowerPoint. However, upon visiting the link, users unknowingly download a malicious payload from the Action Rat malware family. The malware uses a variety of cloaking mechanisms such as changing the name of the file to avoid anti-virus detection. The malware itself establishes a connection to actor-controlled command-and-control (C2) servers where a bulk of user device data is uploaded. This data contains a variety of system information including device hostname, account username, operating system, and installed anti-virus applications. In addition to information gathering, the malware can remotely execute a list of commands to pull down additional payloads, gather additional file system documents, and obtain hardware information. CTIX analysts urge users to validate the integrity of email correspondence prior to visiting any embedded URLs or downloading any attachments to lessen the risk of threat actor compromise.
Acropalypse Flaw Affecting Google Pixel Devices Allows Redacted and Cropped Screenshots to Be Restored to the Original Image
Two (2) security researchers have published a proof-of-concept (PoC) exploit for a critical API design vulnerability affecting Google Pixel devices. The flaw exists in the Android 9 Pie Markup utility which allows users to crop, edit, and redact images and screenshots. In the PoC published on Twitter, the Markup's pen tool is used to redact the card number from an image of a credit card, which is then exploited to partially recover the original image, clearly displaying the card number. A technical article from the 9to5Google website states that when an "image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended." The flaw tracked as CVE-2023-21036, has been coined "Acropalypse," and successful exploitation could allow approximately 80% of an edited screenshot to be recovered. This poses a great threat to Pixel users who may use the Markup utility to protect sensitive information, as well as their own identity and the identity of others. Along with the PoC exploit, the researchers have offered a free demo utility that allows Pixel users to test the exploit on their own redacted and cropped images. The flaw was first reported to Google in January 2023, and on March 13, 2023, the vulnerability was patched. It should be noted that although the patch defends new image edits, it will not protect edited screenshots from the past five (5) years. One of the researchers stated that he wrote a script to scrape his own message history and found many images he had sent over the years were vulnerable to exploitation. CTIX analysts recommend that all Google Pixel users should ensure that they are running the latest secure version of Android 9 to prevent the exploitation of future images. There is currently no answer on providing a solution that patches images that have already been taken. CTIX will monitor this matter and provide relevant updates if a solution is identified.
- Security Affairs: Acropalypse Article
- 9to5Google: Acropalypse Article
- Google Issue Tracker: Acropalypse Technical Report
Alleged BreachForums Owner “Pompompurin” Arrested on Cybercrime Charges
After the takedown of the RaidForums dark web hacker destination last year, BreachForums soon emerged in its place. The suspected administrator and owner of BreachForums, Pompompurin, is now in U.S. Federal custody. During his arrest in connection to operating the hacking platform, 21-year-old Connor Brian Fitzpatrick reportedly admitted to being the owner of the BreachForums cybercrime conclave and claimed the alias “Pompompurin.” FBI Special Agent John Longmire testified that “when I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias ‘pompourin,’ and c) he was the owner and administrator of ‘BreachForums,’ the data breach website referenced in the Complaint.” BreachForums was known to be the largest data leak forum on the market, a digital haven for cybercriminals, hackers, and ransomware gangs looking to sell or buy the caches of data stolen during hacks and breaches. Just last week, the platform was used to post the sensitive personal data of U.S. Congressional members and staff from the DC Health Link breach. A user who goes by the moniker “Baphomet” emerged claiming to be in the process of migrating the platform to new infrastructure. Baphomet also stated that he has enough access to protect BreachForums’ infrastructure and users, has taken steps to restrict access from Pompompurin’s account, and has been constantly monitoring logs to detect any signs of intrusive alterations. The actor named Baphomet is attempting to carry the torch that Pompompurin had once carried after the shutdown of their forebearer, RaidForums. It should be noted that on March 21, 2023, BreachForums was officially shut down, and can no longer be accessed. Baphomet posted a final message on the forum indicating the likely presence of Federal agents within the servers, and thus, the inability to operate in a safe manner. CTIX analysts will continue to monitor the situation and any migrating that occurs due to the shutdown.
- Bleeping Computer: Pompompurin Article
- The Record: Pompompurin Article
- Krebs on Security: Pompompurin Article
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.