Hackers exploit zero-day bug to steal from General Bytes Bitcoin ATMs

Bitcoin ATM maker General Bytes had its servers compromised via a zero-day attack on August 18, which allowed hackers to make themselves the default administrators and change settings so that all funds were transferred to their wallet address.

The amount of funds stolen and the number of ATMs compromised were not disclosed, but the company urgently advised ATM operators to update their software.

General Bytes, which owns and operates 8,827 Bitcoin ATMs in more than 120 countries, confirmed the hack on August 18. The company is headquartered in Prague, Czech Republic, where the ATMs are also manufactured. ATM customers can buy or sell more than 40 coins.

The vulnerability has been present in the CAS software since version 20201208; the attack that exploited it took place on August 18.

General Bytes has urged customers to refrain from using their General Bytes ATM servers until they have updated them to patch version 20220725.22 (or 20220531.38 for customers running the 20220531 release).

Customers have also been advised, among other measures, to modify their server’s firewall settings so that the CAS administration interface can only be accessed from authorized IP addresses.

Before reactivating the terminals, General Bytes also reminded customers to review their “SELL Crypto Setting” to ensure that the hackers had not changed the settings so that any funds received would instead be transferred to them (and not to clients).

General Bytes said that several security audits had been conducted since its inception in 2020, none of which identified this vulnerability.

How did the attack happen?

General Bytes’ security consulting team said in a blog post that hackers exploited a zero-day vulnerability to gain access to the company’s Crypto Application Server (CAS) and extract funds.

The CAS server handles the entire ATM operation, including executing purchases and sales of supported coins on the supported exchanges.

The company believes the hackers “scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service.”

From there, the hackers added themselves as a default administrator on the CAS, named “gb”, and then modified the “buy” and “sell” settings so that any crypto received by the Bitcoin ATM is instead transferred to the hacker’s wallet address:

“The attacker was able to create an administrator user remotely through the CAS administration interface via a URL call to the page used for the default installation on the server and create the first administration user.”
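The quoted description amounts to a well-known flaw class: an installation page that keeps accepting "create the first administrator" requests after setup has finished, reachable from the internet. The following is an added example, not General Bytes' code, that models that flaw beside a hardened handler and then applies the two checks the company recommended, an IP allowlist on the administration interface and a retrospective review of who was given admin access. The endpoint path `/setup/create-first-admin`, the request shape, the `10.0.0.0/8` operator range and the access-log lines are constructed assumptions for illustration, not the real CAS URL or real logs.

```python
"""
Added example (not General Bytes' code): the unauthenticated install-page
pattern described in the post, next to a hardened version, plus a log check.
Endpoint path, request shape, IP ranges and log lines are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

SETUP_PATH = "/setup/create-first-admin"  # hypothetical path, not the real CAS URL


@dataclass
class Server:
    admins: dict = field(default_factory=dict)           # username -> role
    setup_complete: bool = False
    admin_allowlist: list = field(default_factory=list)  # CIDR strings


@dataclass
class Request:
    path: str
    remote_ip: str
    params: dict
    session_user: Optional[str] = None


def _allowed(ip: str, allowlist) -> bool:
    return any(ip_address(ip) in ip_network(cidr) for cidr in allowlist)


def vulnerable_handler(server: Server, req: Request):
    """Flawed pattern: the install page creates an administrator for anyone
    who calls it, no matter whether installation already happened."""
    if req.path == SETUP_PATH:
        server.admins[req.params["username"]] = "admin"
        server.setup_complete = True
        return 200, "admin created"
    return 404, "not found"


def hardened_handler(server: Server, req: Request):
    """Hardened pattern: source-address allowlist first, the install page works
    exactly once, and afterwards only an authenticated admin can add admins."""
    if not _allowed(req.remote_ip, server.admin_allowlist):
        return 403, "admin interface not reachable from this address"
    if req.path == SETUP_PATH:
        if server.setup_complete:
            return 403, "installation already finished"
        server.admins[req.params["username"]] = "admin"
        server.setup_complete = True
        return 200, "first admin created"
    if req.path == "/admin/users/create":
        if server.admins.get(req.session_user) != "admin":
            return 401, "authentication required"
        server.admins[req.params["username"]] = "admin"
        return 200, "admin created"
    return 404, "not found"


def scenario(handler):
    """Replays the sequence from the post: a legitimate install from the
    operator network, then an unsolicited call from an arbitrary internet
    address asking for an administrator named 'gb'."""
    srv = Server(admin_allowlist=["10.0.0.0/8"])  # constructed operator range
    handler(srv, Request(SETUP_PATH, "10.0.0.5", {"username": "operator"}))
    status, _ = handler(srv, Request(SETUP_PATH, "203.0.113.7", {"username": "gb"}))
    return status, sorted(srv.admins)


SAMPLE_LOG = [  # constructed access-log lines, not real CAS logs
    '10.0.0.5 - - [18/Aug/2022:09:00:01 +0000] "GET /setup/create-first-admin?username=operator HTTP/1.1" 200',
    '203.0.113.7 - - [18/Aug/2022:13:42:10 +0000] "GET /setup/create-first-admin?username=gb HTTP/1.1" 200',
    '10.0.0.9 - - [18/Aug/2022:14:00:00 +0000] "GET /admin/dashboard HTTP/1.1" 200',
]


def flag_setup_calls(log_lines, allowlist):
    """Returns (ip, request-line) pairs for calls to the install page from
    outside the operator allowlist: the retrospective check an operator would
    run before trusting the current list of administrators."""
    hits = []
    for line in log_lines:
        ip, rest = line.split(" ", 1)
        request = rest.split('"')[1]           # the quoted request line
        if SETUP_PATH in request and not _allowed(ip, allowlist):
            hits.append((ip, request))
    return hits


if __name__ == "__main__":
    print("vulnerable:", scenario(vulnerable_handler))   # the attacker becomes admin
    print("hardened:  ", scenario(hardened_handler))     # blocked with 403
    print("suspicious:", flag_setup_calls(SAMPLE_LOG, ["10.0.0.0/8"]))
```

The hardened handler layers the two controls so that each covers the other's gap: the allowlist stops the scan-and-call pattern from the internet even if the one-shot check is somehow bypassed, and the one-shot check stops an allowlisted host from re-running installation. The log check is the operator-side counterpart of the advisory's "review your settings" step, turning the question "did anyone else use the install page?" into a query over existing access logs.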