Hackers Take Advantage Of Zero-Day Bug To Steal From General Bytes Bitcoin ATMs

Bitcoin ATM manufacturer General Bytes had its servers compromised in a zero-day attack on August 18, allowing the hackers to make themselves the default administrators and change settings so that all funds would be transferred to their wallet address.

The amount of money stolen and the number of ATMs compromised have not been disclosed, but the company has strongly advised ATM operators to update their software.

The hack was confirmed on August 18 by General Bytes, whose 8,827 Bitcoin ATMs are in service in more than 120 countries. The company is headquartered in Prague, Czech Republic, where the ATMs are also manufactured. ATM customers can buy or sell more than 40 coins.

According to General Bytes, the vulnerability has been present in the CAS software since version 20201208; the attackers exploited it on August 18.

General Bytes has urged customers not to use their General Bytes ATM servers until they have updated to patch release 20220725.22, or to 20220531.38 for customers running the 20220531 branch.

Customers have also been advised, among other measures, to change their server firewall settings so that the CAS admin interface can only be reached from authorized IP addresses.

Before reactivating the terminals, General Bytes also reminded customers to review their “SELL Crypto Setting” to make sure the hackers had not changed it so that incoming funds would be transferred to the attackers instead of to the customers.

General Bytes stated that several security audits had been conducted since its launch in 2020, none of which identified this vulnerability.

How the attack happened

General Bytes’ security advisory team stated in its blog post that the hackers exploited a zero-day vulnerability to gain access to the company’s Crypto Application Server (CAS) and extract the funds.

The CAS server manages the entire operation of the ATM, including executing crypto purchases and sales on exchanges and determining which coins are supported.

The company believes the hackers “scanned exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service.”

From there, the hackers added themselves as a default administrator on the CAS, under the username gb, and then changed the “buy” and “sell” settings so that any crypto received by the Bitcoin ATM would instead be transferred to the hacker’s wallet address:

“The attacker was able to create an admin user remotely through the CAS administration interface via a URL call on the page that is used for the default installation on the server and for creating the first administration user.”
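The weakness the advisory describes is a well-known class: a first-run “create the initial administrator” page that stays reachable after installation, so anyone who can reach the admin interface can add an administrator. The following is an added illustration of that pattern and of the two fixes the advisory recommends (a one-shot setup page, plus the IP allowlist applied at the application layer in addition to the firewall rule). It is constructed example code, not General Bytes’ CAS code; the `/setup` route, the parameter names, the `gb` username and the allowlist CIDRs are assumptions for the demonstration.

```python
"""Constructed example: an unprotected first-admin setup page beside a
hardened one. Not CAS code; route, parameter names and CIDRs are assumed."""

import hashlib
import os
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def hash_password(pw: str) -> bytes:
    """Salted PBKDF2 stand-in; a production system would use argon2/bcrypt."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    params: dict
    remote_addr: str


@dataclass
class Server:
    admins: dict = field(default_factory=dict)          # username -> password hash
    admin_allowlist: list = field(default_factory=list)  # assumed CIDRs, e.g. ["10.0.0.0/8"]

    def _source_allowed(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in ip_network(cidr) for cidr in self.admin_allowlist)

    def setup_vulnerable(self, req: Request) -> tuple:
        """The pattern in the advisory: the setup page creates an administrator
        on every call, with no check that installation already finished and
        no restriction on where the call comes from."""
        if req.path != "/setup":                      # assumed route
            return 404, "not found"
        user, pw = req.params.get("username", ""), req.params.get("password", "")
        if not user or not pw:
            return 400, "missing credentials"
        self.admins[user] = hash_password(pw)
        return 200, f"admin {user} created"

    def setup_hardened(self, req: Request) -> tuple:
        """Hardened handler: allowlisted source addresses only, and the page
        is one-shot. Further admins must go through the authenticated
        user-management UI, which this example does not model."""
        if req.path != "/setup":
            return 404, "not found"
        if not self._source_allowed(req.remote_addr):
            return 403, "source address not permitted"
        if self.admins:                               # installation already done
            return 409, "installation already completed"
        user, pw = req.params.get("username", ""), req.params.get("password", "")
        if not user or not pw:
            return 400, "missing credentials"
        self.admins[user] = hash_password(pw)
        return 200, f"admin {user} created"


def attacker_gains_admin(hardened: bool) -> bool:
    """Replay the scenario: the operator installs the server from an internal
    address, then an Internet scanner calls the same page and tries to add
    an admin named 'gb'. Returns True if the attacker ends up as an admin."""
    srv = Server(admin_allowlist=["10.0.0.0/8"])      # assumed operator network
    handler = srv.setup_hardened if hardened else srv.setup_vulnerable
    handler(Request("/setup", {"username": "operator", "password": "correct horse"}, "10.0.0.5"))
    handler(Request("/setup", {"username": "gb", "password": "pwned"}, "203.0.113.7"))
    return "gb" in srv.admins


if __name__ == "__main__":
    print("vulnerable server, attacker is admin:", attacker_gains_admin(hardened=False))
    print("hardened server, attacker is admin:  ", attacker_gains_admin(hardened=True))
```

Note that the allowlist check alone is not enough: an attacker who reaches the interface from a permitted address (a compromised operator workstation, say) would still be able to add an admin, which is why the hardened handler refuses once any administrator exists.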