Threat actors have exploited a zero-day bug in the General Bytes Bitcoin ATM servers that allowed them to steal cryptocurrency from customers who purchased or deposited bitcoin through these ATMs.
General Bytes is currently one of the largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturers, with over 9,000 crypto ATMs installed throughout the world. Depending on the product, the ATMs allow people to buy, trade, or deposit over 40 different cryptocurrencies.
The Bitcoin ATMs manufactured by the company are controlled by a remote Crypto Application Server (CAS), which manages the ATM’s entire operation, including which cryptocurrencies are supported, real-time buying and selling of crypto on exchanges, and adding or delisting coins for transactions.
In an advisory published by General Bytes on August 18th, the company acknowledged the existence of a zero-day flaw and said that the attacker abused a security vulnerability in the CAS admin interface.
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208,” reads the General Bytes advisory.
General Bytes believes that the hackers scanned Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7777 or 443, including servers hosted at Digital Ocean and General Bytes’ own cloud service.
Using this vulnerability, the threat actors first created a new default admin user, organization, and terminal. They then accessed the CAS interface, renamed the default admin user to ‘gb’, and modified the crypto settings of two-way machines with their own wallet settings and the ‘invalid payment address’ setting.
These modified settings allowed the attackers to forward any cryptocurrency received by CAS to their wallets. “Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM,” explains the security advisory.
The company said that it has carried out multiple security audits since its inception in 2020, but none of them identified the vulnerability. The attacks came three days after the company publicly announced the ‘Help Ukraine’ feature on its ATMs, it added.
General Bytes claims that the threat actors did not gain access to the host operating system, host file system, database, or any passwords, password hashes, salts, private keys, or API keys.
The company has provided a CAS security fix in two server patch releases, 20220531.38 and 20220725.22. It is urging customers running 20220531 to refrain from operating their Bitcoin ATMs until they have installed the patch releases mentioned above on their servers.
The company has also provided a checklist of steps that need to be performed on the devices before using the services.
Additionally, it is recommended that operators modify their server’s firewall settings so that the CAS admin interface can be reached only from authorized IP addresses, such as the ATM’s location or the customer’s office.
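The following is an added example, not General Bytes’ own guidance or code, of what such a firewall allow-list can look like. It uses nftables (my choice; the advisory does not name a firewall) to limit the two ports the article associates with CAS, 7777 and 443, to a small set of source networks. The source addresses are constructed placeholders from the RFC 5737 documentation ranges and stand in for the ATM site and the operator’s office; the table, set and chain names are hypothetical.

```shell
#!/bin/sh
# Added example (not from General Bytes): restrict the CAS admin interface
# (ports 7777 and 443, as named in the article) to an allow-list of source
# networks using nftables. Addresses are constructed placeholders.
set -eu

# Constructed allow-list: the ATM site and the operator's office (RFC 5737 ranges).
# Override with CAS_ALLOWED_SOURCES="a.b.c.d/nn e.f.g.h" when running for real.
CAS_ALLOWED_SOURCES="${CAS_ALLOWED_SOURCES:-203.0.113.0/24 198.51.100.7}"
CAS_PORTS="7777, 443"

# Emit the nftables ruleset as text. Pure text generation, so it can be reviewed
# (or piped into `nft -f -`) without touching the running firewall.
cas_ruleset() {
  allowed_set=$(printf '%s' "$CAS_ALLOWED_SOURCES" | tr ' ' ',')
  cat <<EOF
table inet cas_admin {
  set allowed_admin {
    type ipv4_addr
    flags interval
    elements = { $allowed_set }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    tcp dport { $CAS_PORTS } ip saddr @allowed_admin accept
    tcp dport { $CAS_PORTS } log prefix "cas-admin-blocked: " drop
  }
}
EOF
}

# Count how many allow-list entries ended up in the ruleset (sanity check
# before applying: an empty or truncated list would lock everyone out).
cas_allowed_count() {
  cas_ruleset | sed -n 's/.*elements = { \(.*\) }.*/\1/p' | tr ',' '\n' | grep -c .
}

# Print the ruleset by default (CAS_DRY_RUN=1); set CAS_DRY_RUN=0 to load it.
cas_apply() {
  if [ "${CAS_DRY_RUN:-1}" = "1" ]; then
    cas_ruleset
  else
    cas_ruleset | nft -f -
  fi
}

cas_apply
```

The chain keeps the host’s existing policy and only adds two rules for the CAS ports: accept from the allow-list, otherwise log and drop. Logging the dropped connections is deliberate; after the scanning activity described in this article, a steady stream of “cas-admin-blocked” entries from unfamiliar addresses is exactly the signal an operator should be watching for.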
Currently, 18 General Bytes Crypto Application Servers are still exposed to the internet and may be vulnerable to the zero-day exploit. The majority of these exposed servers are located in Canada.
It is unclear how many servers were breached through the zero-day vulnerability, or how much cryptocurrency has been stolen so far.