Hackers target bitcoin ATMs with zero-day attacks – Interstars

Hackers exploited a zero-day vulnerability in General Bytes’ Bitcoin ATM servers to steal customers’ cryptocurrency.

Several General Bytes bitcoin ATMs have been hit through a zero-day vulnerability that allows hackers to steal cryptocurrency deposited by users. BleepingComputer reported on this.

Recently, a group of anonymous hackers used a zero-day exploit in General Bytes’ Bitcoin ATM servers to steal BTC from multiple customers. Once customers buy or deposit bitcoins through these ATMs, the zero-day vulnerability allows the hackers to divert the funds to their own wallets.

General Bytes is one of the largest manufacturers of cryptocurrency ATMs. There are currently almost nine thousand crypto ATMs installed worldwide, allowing users to buy, sell or deposit more than 40 different cryptocurrencies. These ATMs are controlled by a remote Crypto Application Server (CAS). The servers directly handle all device operations, including real-time processing of cryptocurrency purchases and sales.

Hackers exploit a zero-day in CAS

General Bytes has confirmed that a server vulnerability was exploited, resulting in downtime and bitcoin theft on some of its Bitcoin ATMs. The attackers were apparently able to remotely create an administrator user account through the CAS administration panel, exploiting a vulnerability that had existed unnoticed until now.

“An attacker was able to create an administrative user via the CAS administration interface via a URL call to the page used for the default installation on the server and the creation of the first administrative user.

This vulnerability has been present in CAS software since version 20201208.”

After creating the fake administrator account, dubbed “gb”, the hackers were able to modify the “buy” and “sell” settings on the ATM servers and redirect payments to an external cryptocurrency wallet they controlled.

According to the company, this vulnerability has been present in CAS software since the previous version. The General Bytes team believes the hackers scanned the Internet for exposed servers listening on TCP ports 443 or 7777, including servers hosted at Digital Ocean and on General Bytes’ own cloud service.
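The flaw described above, a first-run “create the initial administrator” page that stays reachable after installation, is modelled below as an added example. This is not General Bytes’ code; the class and function names are hypothetical, and the weak handler is shown beside a hardened one that refuses unauthenticated account creation once setup has completed.

```python
"""Added example, not General Bytes' code: a minimal model of a web
application's first-run 'create initial administrator' page, showing the
unguarded behaviour the article describes beside a hardened version.
The class and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CasServer:
    admins: set = field(default_factory=set)   # existing admin usernames
    setup_done: bool = False                    # set once installation finished


def install_page_unguarded(server: CasServer, username: str) -> bool:
    """Weak: the installation page stays reachable and functional after
    setup, so any unauthenticated caller can add an administrator."""
    server.admins.add(username)
    return True


def install_page_guarded(server: CasServer, username: str,
                         caller: Optional[str] = None) -> bool:
    """Hardened: create the first admin only while none exists and setup has
    not completed; afterwards only an authenticated existing admin may add
    accounts. Returns True when the account was created."""
    if not server.admins and not server.setup_done:
        server.admins.add(username)
        server.setup_done = True
        return True
    if caller in server.admins:
        server.admins.add(username)
        return True
    return False  # unauthenticated call after setup: refused


def scenario(handler):
    """Install normally, then replay an unauthenticated request for a new
    admin ("gb", the name from the article) against the given handler.
    Returns (first_result, later_result, resulting admin set)."""
    server = CasServer()
    first = handler(server, "operator")   # legitimate first-run setup
    later = handler(server, "gb")         # unauthenticated, post-install
    return first, later, server.admins
```

Running `scenario` with each handler shows the unguarded page happily adding “gb” after installation, while the guarded page rejects it and keeps only the operator account.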

General Bytes later warned its customers not to use their Bitcoin ATMs until they had applied two updated server patches. General Bytes has identified eighteen servers that might be vulnerable to the zero-day exploit, the majority of them located in Canada. The company has also provided a checklist of steps that customers should follow while using its services.
