Hackers exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrencies from customers.
When a customer deposits or buys cryptocurrencies through an ATM, the funds are instead siphoned off by hackers.
General Bytes is a maker of Bitcoin ATMs that allow you to buy or sell over 40 different cryptocurrencies depending on the product.
The Bitcoin ATMs are remotely controlled by a Crypto Application Server (CAS), which manages each ATM's operation, the cryptocurrencies it supports, and the purchases and sales of cryptocurrency on exchanges.
Hacker zero-day attack on CAS
Yesterday, BleepingComputer was informed by a General Bytes customer that hackers were stealing bitcoins from ATMs.
According to General Bytes’ security advisory published on August 18, the attack was carried out using a zero-day vulnerability in the company’s Crypto Application Server (CAS).
“The attacker was able to remotely create an administrative user through the CAS administration interface via a default installation on the server and a URL call to the page used to create the initial administrative user,” reads the General Bytes advisory.
“This vulnerability exists in CAS software starting with version 20201208.”
General Bytes believes the attackers scanned the Internet for exposed servers running on TCP ports 7777 or 443, including servers hosted at Digital Ocean and on General Bytes’ own cloud service.
The attackers then exploited the bug to add a default admin user named ‘gb’ to the CAS, and modified the ‘Buy’ and ‘Sell’ crypto settings and the ‘Invalid payment address’ setting to point at a cryptocurrency wallet under their control.
Once the attackers changed these settings, all cryptocurrencies received by CAS were transferred to the hackers instead.
“The two-way ATM began transferring coins to the attacker’s wallet as customers sent coins to the ATM,” the security advisory explains.
General Bytes warns customers not to operate Bitcoin ATMs until they have applied two server patch releases, 20220531.38 and 20220725.22, to their servers.
They also provided a checklist of steps to perform on the devices before bringing them back into service.
It is important to remember that if the server was firewalled to allow connections only from trusted IP addresses, the attackers would not have been able to carry out these attacks.
Therefore, configure the firewall to allow access to the Crypto Application Server only from trusted IP addresses, such as ATM locations or the operator’s offices.
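As an added illustration of that firewall recommendation (this is not code from General Bytes or the advisory), the script below generates an nftables ruleset that exposes the two CAS ports named in the article, TCP 7777 and 443, only to an operator-supplied allowlist of source addresses; the addresses in the usage comment are constructed placeholders, and a management rule for the operator's own SSH access would still need to be added.

```shell
#!/bin/sh
# Added example, not from General Bytes: build an nftables ruleset that lets only
# trusted sources (ATM sites, operator offices) reach the CAS on TCP 7777 and 443.

cas_ruleset() {
    # $@ = trusted IPv4 addresses or CIDRs; joined into one nft set literal
    allow=""
    for cidr in "$@"; do
        allow="${allow:+$allow, }$cidr"
    done
    cat <<EOF
table inet cas_filter {
    set trusted_cas_clients {
        type ipv4_addr
        flags interval
        elements = { $allow }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # CAS administration/API ports: only allowlisted sources may connect
        tcp dport { 443, 7777 } ip saddr @trusted_cas_clients accept
        # anything else aimed at the CAS ports is logged (for detection) and dropped
        tcp dport { 443, 7777 } log prefix "cas-blocked: " drop
    }
}
EOF
}

# Sanity check on a generated ruleset read from stdin: number of rules that
# reference the CAS ports (expected: one accept, one log-and-drop).
count_cas_port_rules() {
    grep -c 'tcp dport { 443, 7777 }'
}

# Usage with placeholder addresses (constructed, not real ATM locations):
#   cas_ruleset 203.0.113.10 198.51.100.0/24 > /etc/nftables.d/cas.nft
#   nft -f /etc/nftables.d/cas.nft
```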
According to data from BinaryEdge, there are currently 18 General Bytes Crypto Application Servers still exposed to the Internet, the majority of which are located in Canada.
It is unknown how many servers were compromised using this vulnerability and how much cryptocurrency was stolen.
BleepingComputer contacted General Bytes yesterday to ask more questions about the attack, but did not receive a response.