by Hackers used a zero-day to steal $1.5 million worth of cryptocurrency from Bitcoin ATM machines. The hackers targeted bitcoin ATMs (BATMs) sold by General Bytes, which allow people to exchange bitcoins. BATM is connected to a Cryptocurrency Application Server (CAS). For unknown reasons, BATM provides an option to allow customers to upload video from the terminal to the CAS through the main server interface. The attacker used this interface to upload and execute a malicious Java application, transferring all cryptocurrencies from various hot wallets, a total of 56 BTC, worth about $1.5 million. General Bytes has released a patch to fix the vulnerability, but the cryptocurrency is irretrievable.
https://arstechnica.com/?p=1925695
