Hackers have exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers, allowing them to steal cryptocurrency from customers who purchased or deposited bitcoin through these ATMs.
Hackers Exploit General Bytes Bitcoin ATMs to Steal Funds
General Bytes, a manufacturer of Bitcoin ATMs, had its servers compromised on August 18 by a zero-day exploit, allowing hackers to make themselves the default admins and adjust settings such that all funds were transferred to their wallet address.
The amount of money stolen and the number of ATMs affected have not been reported; however, the company has urged ATM operators to update their software promptly.
The hack was confirmed on August 18 by General Bytes, which owns and manages 8827 Bitcoin ATMs in more than 120 countries. The company’s headquarters are in Prague, Czech Republic, where the ATMs are also manufactured. Customers using ATMs can buy or sell more than 40 coins.
The vulnerability has existed since August 18, when the hackers’ alterations updated the CAS software to version 20201208.
Customers have been advised not to use their General Bytes ATM servers until those servers have been updated to patch release 20220725.22, or to 20220531.38 for customers operating on the 20220531 release.
Customers have also been urged to change their server firewall configurations so that the CAS admin interface is accessible only from authorized IP addresses.
General Bytes further cautioned customers to review their “SELL Crypto Setting” before rebooting the terminals to ensure that the hackers did not change the settings so that any received funds were instead sent to them (and not the customers).
Since its inception in 2020, General Bytes has undergone multiple security audits, none of which detected this vulnerability.
Hackers Exploit Zero-day Vulnerability in CAS
According to General Bytes’ security advisory team, the hackers used a zero-day vulnerability exploit to obtain access to the company’s Crypto Application Server (CAS) and siphon funds.
The CAS server administers the whole operation of the ATM, including executing buy and sell orders on exchanges and determining which coins are supported.
According to the company, the hackers “scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service.”
The hackers then registered themselves as a default admin on the CAS, naming themselves gb, and then modified the “buy” and “sell” settings such that any cryptocurrency received by the Bitcoin ATM was instead transferred to the hacker’s wallet address:
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user.”
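The advisory’s guidance above (restrict the CAS admin interface on TCP 7777/443 to authorized IPs, and review the buy/sell payout settings and admin accounts before returning terminals to service) can be scripted as a post-incident check. The example below is added here and is not General Bytes’ code; the log format, paths, wallet addresses and account names are constructed placeholders, not values from the incident.

```python
import ipaddress
from typing import Iterable

# Admin interface ports named in the advisory.
ADMIN_PORTS = {7777, 443}


def unauthorized_admin_access(log_lines: Iterable[str], allowed_cidrs: Iterable[str]) -> list:
    """Return (src_ip, dst_port, path) for admin-port connections from outside the
    operator's allowlist. Log lines use a constructed 'src=... dst_port=... path=...'
    record, not a real CAS log format."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        port = int(fields["dst_port"])
        if port not in ADMIN_PORTS:
            continue  # customer-facing traffic is out of scope for this check
        src = ipaddress.ip_address(fields["src"])
        if not any(src in net for net in nets):
            findings.append((str(src), port, fields.get("path", "")))
    return findings


def redirected_payouts(settings: dict, operator_wallets: set) -> dict:
    """Return {setting: address} for any buy/sell destination the operator does not own."""
    return {name: addr for name, addr in settings.items() if addr not in operator_wallets}


def unexpected_admins(current_admins: Iterable[str], expected_admins: Iterable[str]) -> set:
    """Return admin accounts present on the CAS that the operator did not create."""
    return set(current_admins) - set(expected_admins)


# --- Constructed sample data (placeholders only) ---
SAMPLE_LOG = [
    "src=10.20.0.5 dst_port=7777 path=/admin/login",
    "src=203.0.113.44 dst_port=7777 path=/install/first-admin",  # placeholder setup page
    "src=198.51.100.9 dst_port=443 path=/admin/settings",
    "src=10.20.0.7 dst_port=8080 path=/customer/buy",
]
OPERATOR_NETS = ["10.20.0.0/24"]
OPERATOR_WALLETS = {"bc1q-operator-wallet-placeholder"}
CURRENT_SETTINGS = {
    "buy_destination": "bc1q-operator-wallet-placeholder",
    "sell_destination": "bc1q-unknown-wallet-placeholder",  # an address the operator does not own
}
CURRENT_ADMINS = ["operator-admin", "gb"]
EXPECTED_ADMINS = ["operator-admin"]
```

Any non-empty result from the three checks means the host should stay out of service until the access path is closed and the settings and accounts are restored.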
Last year, crypto exchange Kraken released a report from its Security Labs team stating that the General Bytes BATMTwo ATM range has “multiple hardware and software vulnerabilities.” Kraken stated that if bad actors gain access to the administration tool, they can compromise any Bitcoin ATM they approach.
Following Kraken’s disclosure of the vulnerabilities, General Bytes issued a warning to its users.