
Hackers use a zero-day bug to steal from General Bytes Bitcoin ATMs

  • News
  • August 22, 2022

On August 18th, the servers of Bitcoin ATM maker General Bytes were compromised in a zero-day attack, with hackers making themselves the default administrators and setting all funds to be transferred to their wallet addresses.

The number of stolen funds and the number of compromised ATMs were not disclosed, but the company is urging its ATM operators to update their software.

General Bytes confirmed the hack on August 18th. The company, headquartered in Prague, Czech Republic, manufactures the ATMs and owns and operates 8,827 Bitcoin ATMs available in over 120 countries. ATM customers can buy or sell 40 or more coins.

The vulnerability has been present since the CAS software was updated to version 20201208; it was exploited on August 18th.

General Bytes has advised customers to refrain from using their ATM servers until they update to patch release 20220725.22, or to 20220531.38 for customers running the 20220531 branch.

Customers are also required to modify the server’s firewall settings so that the CAS administration interface is reachable only from allowed IP addresses.

Before reactivating the device, General Bytes asked customers to review their “SELL Crypto Settings” to check whether the hackers had changed them so that all received funds were transferred to the attackers (and not to the customer).

General Bytes says it has had multiple security reviews since its inception in 2020, none of which identified this vulnerability.

General Bytes’ security consulting team said in a blog that hackers performed a zero-day exploit to gain access to the company’s Crypto Application Server (CAS) and extract the funds.

The CAS server handles the entire ATM operation, including performing cryptocurrency buying and selling on supported exchanges and coins.

The company believes the hackers “scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service.”

From there, the hackers added themselves as a default admin on the CAS, named gb, and then proceeded to modify the “buy” and “sell” settings so that cryptocurrencies received at Bitcoin ATMs would instead be transferred to the hacker’s wallet address:

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user.”
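A defender-side check for the exposure the article describes, an admin interface reachable from arbitrary addresses and a first-admin setup page that still accepts requests after installation, as an added example that is not from the article or from General Bytes. The setup page path, the allowlisted networks and the log lines are constructed placeholders to adapt to the real deployment.

```python
import ipaddress
import re

# Hypothetical path of the CAS first-run page that creates the initial admin; the
# article does not name the real URL, so adapt this placeholder to the deployment.
SETUP_PATHS = {"/setup/first-admin"}

# Constructed allowlist: operator networks permitted to reach the admin interface.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.10/32")]

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def is_allowed(ip: str) -> bool:
    """True if the client address falls inside an allowlisted operator network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def audit_admin_access(lines):
    """Return (ip, timestamp, reason) tuples for admin-interface requests from
    outside the allowlist and for any successful hit on the first-admin setup
    page, which should never succeed once installation is complete."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        ip, ts, path, status = m["ip"], m["ts"], m["path"], m["status"]
        if not is_allowed(ip):
            findings.append((ip, ts, "admin interface reached from non-allowlisted IP"))
        if path.split("?", 1)[0] in SETUP_PATHS and status.startswith("2"):
            findings.append((ip, ts, "setup page accepted a request after install"))
    return findings


# Constructed sample lines: a legitimate operator login, an external request to the
# setup page that succeeded (the pattern the article describes), and a denied request.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Aug/2022:03:12:44 +0000] "GET /admin/login HTTP/1.1" 200 512',
    '192.0.2.77 - - [18/Aug/2022:03:15:02 +0000] "GET /setup/first-admin?user=gb HTTP/1.1" 200 88',
    '192.0.2.77 - - [18/Aug/2022:03:15:09 +0000] "GET /admin/settings/sell HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, ts, reason in audit_admin_access(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Run it against the web server's access log for the CAS admin interface; any "setup page accepted" finding after the initial install warrants the same admin-user and "buy"/"sell" settings review the vendor asked for.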
