Bitcoin ATM manufacturer General Bytes had its servers compromised through a zero-day attack on Aug. 18, which enabled the hackers to create a default admin and modify settings so that all funds would be sent to their own wallet address.
The amount of funds stolen and the number of ATMs compromised have not been disclosed, but the company has urgently advised ATM operators to update their software.
General Bytes, which owns and operates 8,827 Bitcoin ATMs available in over 120 countries, confirmed the hack on Aug. 18. The company is headquartered in Prague, Czech Republic, where the ATMs are also produced. ATM customers can buy or sell more than 40 coins.
The vulnerability remains present because the hackers' modifications updated the CAS software to version 20201208 on Aug. 18.
General Bytes has advised customers to stop using their General Bytes ATM servers until they update the server to patch release 20220725.22, or 20220531.38 for customers running 20220531.
Customers are also advised to change their server firewall settings so that the CAS admin interface can only be accessed from approved IP addresses, among other measures.
Before reactivating the terminals, General Bytes also advised customers to review their 'SELL Crypto Setting' to make sure the hackers did not modify the settings so that any received funds would be sent to them instead of to the customers.
General Bytes said that several security audits have been conducted since its inception in 2020, none of which identified this vulnerability.
How the attack happened
General Bytes' security advisory team said in its blog post that the hackers carried out a zero-day attack to gain access to its Crypto Application Server (CAS) and withdraw the funds.
The CAS server manages the ATM's entire operation, including executing crypto purchases and sales on exchanges and determining which coins are supported.
The company believes the hackers “scanned for uncovered servers running on TCP ports 7777 or 443, including servers located on General Bytes’ own cloud service.”
The hackers then added themselves as a default admin on the CAS, named 'gb', and began changing the 'buy' and 'sell' settings so that any crypto received through the Bitcoin ATM would instead be sent to the hacker's wallet address:
“The attacker could create an admin user remotely via the CAS administrative interface using a URL call to the page that is used for the default installation on the server and creating the first administration user.”
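One way an operator could check CAS access logs against the two points in the advisory (the admin interface reachable only from approved IPs, and admin creation through the default-installation page), written here as an added example that is not from the article or from General Bytes' own code. The log format, the approved network 10.0.5.0/24 and the setup path /setup/first-admin are assumptions; only the ports 7777 and 443 come from the advisory.

```python
import ipaddress
import re

# Constructed sample CAS access-log lines (not real incident data).
# Fields: source_ip port method path status
SAMPLE_LOG = """\
10.0.5.20 443 GET /admin/ 200
203.0.113.77 7777 GET /admin/ 200
203.0.113.77 7777 POST /setup/first-admin 302
10.0.5.20 443 POST /settings/sell 200
198.51.100.9 443 POST /setup/first-admin 200
"""

# Assumptions: the operator's approved admin networks, the CAS admin ports
# named in the advisory, and a hypothetical path for the first-admin setup
# page (the real CAS path is not given in the article).
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
CAS_ADMIN_PORTS = {7777, 443}
FIRST_ADMIN_PATH = "/setup/first-admin"

LINE_RE = re.compile(r"^(\S+) (\d+) ([A-Z]+) (\S+) (\d{3})$")


def is_approved(ip: str) -> bool:
    """True if the source address falls inside an approved admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def triage(log_text: str, install_complete: bool = True) -> list:
    """Return (reason, ip, port, path) alerts for admin-port traffic from
    outside the allowlist, and for any hit on the first-admin setup page
    once installation is complete (when that page should be unreachable)."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the triage
        ip, port, _method, path, _status = m.groups()
        port = int(port)
        if port in CAS_ADMIN_PORTS and not is_approved(ip):
            alerts.append(("admin-port-from-unapproved-ip", ip, port, path))
        if install_complete and path == FIRST_ADMIN_PATH:
            alerts.append(("first-admin-setup-after-install", ip, port, path))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```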