Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers.
When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers
General Bytes is the manufacturer of Bitcoin ATMs that, depending on the product, allow people to purchase or sell over 40 different cryptocurrencies.
The Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS), which manages the ATM’s operation, what cryptocurrencies are supported, and executes the purchases and sales of cryptocurrency on exchanges.
Hackers exploit CAS zero-day
Yesterday, BleepingComputer was contacted by a General Bytes customer who told us that hackers were stealing bitcoin from their ATMs.
According to a General Bytes security advisory published on August 18th, the attacks were conducted using a zero-day vulnerability in the company’s Crypto Application Server (CAS).
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” reads the General Bytes advisory.
“This vulnerability has been present in CAS software since version 20201208.”
General Bytes believes that the threat actors scanned the internet for exposed servers running on TCP ports 7777 or 443, including servers hosted at Digital Ocean and General Bytes’ own cloud service.
The threat actors then exploited the bug to add a default admin user named ‘gb’ to the CAS and modified the ‘buy’ and ‘sell’ crypto settings and ‘invalid payment address’ to use a cryptocurrency wallet under the hacker’s control.
Once the threat actos modified these settings, any cryptocurrency received by CAS was forwarded to the hackers instead.
“Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM,” explains the security advisory.
General Bytes is warning customers not to operate their Bitcoin ATMs until they have applied two server patch releases, 20220531.38 and 20220725.22, on their servers.
They also provided a checklist of steps to perform on the devices before they are put back into service.
It is important to remember that the threat actors would not have been able to perform these attacks if the servers were firewalled only to allow connections from trusted IP addresses.
Therefore, it is vital to configure firewalls only to allow access to the Crypto Application Server from a trusted IP address, such as from the ATM’s location or the customer’s offices.
According to information provided by BinaryEdge, there are currently eighteen General Bytes Crypto Application Servers still exposed to the Internet, with the majority located in Canada.
It is unclear how many servers were breached using this vulnerability and how much cryptocurrency was stolen.
BleepingComputer contacted General Bytes yesterday with further questions about the attack but did not receive a response.
