Cybercriminals abused a zero-day flaw in General Bytes Bitcoin ATM servers to steal cryptocurrency. The flaw allowed the attackers to redirect cryptocurrency funds to their own accounts whenever a user made a deposit through a compromised ATM.

Abusing zero-day

A General Bytes customer recently informed news media that hackers were stealing bitcoin from the customer's ATMs. An investigation revealed that the hackers had abused a zero-day flaw in the Crypto Application Server (CAS).
  • The exploited flaw existed in CAS software since version 20201208.
  • The attackers scanned the internet for exposed servers (listening on TCP ports 7777 and 443) hosted at Digital Ocean and on General Bytes' cloud service.

How the attack works

The attackers abused the flaw to add a default admin user named 'gb' to the CAS.
  • They created the admin user remotely through the CAS admin interface, via a URL call to the page used for the default installation on the server.
  • They then modified the buy/sell settings and the invalid payment address to point to a crypto wallet controlled by the attackers.
  • Once the settings were modified, any cryptocurrency deposited by a user through the CAS was sent to the hackers instead.

More insights

General Bytes is the manufacturer of Bitcoin ATMs that allow the purchase or sale of over 40 different cryptocurrencies. The Bitcoin ATMs are managed by a remote Crypto Application Server (CAS).
  • There are eighteen General Bytes Crypto Application Servers (mostly in Canada) still exposed to the Internet.
  • It is not known how many servers were attacked using the flaw or how much cryptocurrency was stolen.

Recommendations

General Bytes has warned its customers to stop using their Bitcoin ATMs until they have applied the patched releases, 20220531.38 and 20220725.22. It has provided steps to perform on the devices before returning them to service. It also suggests configuring the firewall on the servers to allow connections only from trusted IP addresses.
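The two operator-side checks this incident calls for, rolled into one added example (this is not General Bytes' code and CAS has no export format documented on this page): compare the server's admin-user list and buy/sell payment-address settings against a known-good baseline, so an added account like 'gb' or a rewritten invalid payment address stands out, and flag connections to the CAS ports (7777, 443) from sources outside a trusted allow-list. The admin list, settings and connection-log line format are assumptions, and the sample data is constructed. The last function renders the nftables allow-list fragment the vendor's firewall recommendation describes.

```python
"""Defensive audit for a Crypto Application Server (CAS) deployment.

Added example, not General Bytes' code. The admin-user list, the payment
settings and the connection-log format are assumptions; all sample data
below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports the advisory says attackers scanned for exposed CAS instances
CAS_PORTS = frozenset({7777, 443})


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def unexpected_admins(current_admins, baseline_admins):
    """Admin usernames present on the server but absent from the approved baseline.

    The reported intrusion added an admin named 'gb'; diffing against a
    known-good list catches such an addition whatever name it uses.
    """
    return sorted(set(current_admins) - set(baseline_admins))


def changed_payment_settings(current, baseline):
    """Setting keys (buy/sell wallets, invalid payment address) that no longer
    match the baseline; the attackers pointed these at their own wallet."""
    return sorted(key for key, value in current.items() if baseline.get(key) != value)


# Assumed (constructed) connection-log format:
#   <timestamp> src=<ipv4> dport=<port> action=<accept|drop>
_CONN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def untrusted_cas_connections(log_lines, trusted_nets):
    """Connections to a CAS port from a source outside the trusted networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    findings = []
    for line in log_lines:
        m = _CONN_RE.match(line.strip())
        if m is None:
            continue  # unrelated or malformed line
        port = int(m["dport"])
        if port not in CAS_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            findings.append(
                Finding("untrusted_source", f"{m['ts']} {src} -> tcp/{port} {m['action']}")
            )
    return findings


def nft_allowlist(trusted_nets, ports=CAS_PORTS):
    """Render an nftables input-chain fragment that accepts the CAS ports only
    from trusted networks (the restriction the vendor recommends)."""
    nets = ", ".join(str(ipaddress.ip_network(n, strict=False)) for n in trusted_nets)
    plist = ", ".join(str(p) for p in sorted(ports))
    return "\n".join([
        "table inet cas {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    ip saddr {{ {nets} }} tcp dport {{ {plist} }} accept",
        "  }",
        "}",
    ])


def audit(current_admins, baseline_admins, current_settings, baseline_settings,
          log_lines, trusted_nets):
    """Run every check and return the combined list of findings."""
    findings = [Finding("unexpected_admin", u)
                for u in unexpected_admins(current_admins, baseline_admins)]
    findings += [Finding("payment_setting_changed", k)
                 for k in changed_payment_settings(current_settings, baseline_settings)]
    findings += untrusted_cas_connections(log_lines, trusted_nets)
    return findings


# Constructed sample data (not from a real CAS); wallet strings are placeholders
SAMPLE_LOG = [
    "2022-08-18T10:01:02Z src=203.0.113.10 dport=443 action=accept",
    "2022-08-18T10:01:30Z src=198.51.100.77 dport=7777 action=accept",
    "2022-08-18T10:02:00Z src=198.51.100.78 dport=22 action=drop",
]
TRUSTED = ["203.0.113.0/24"]
BASELINE_SETTINGS = {"invalid_payment_address": "WALLET_OPERATOR", "buy_wallet": "WALLET_OPERATOR"}
CURRENT_SETTINGS = {"invalid_payment_address": "WALLET_UNKNOWN", "buy_wallet": "WALLET_OPERATOR"}

if __name__ == "__main__":
    for f in audit(["admin", "gb"], ["admin"], CURRENT_SETTINGS, BASELINE_SETTINGS,
                   SAMPLE_LOG, TRUSTED):
        print(f.kind, f.detail)
    print(nft_allowlist(TRUSTED))
```

The baseline comparison is deliberately name-agnostic: the point is not to look for the string 'gb' but for any admin account or payment address that an operator did not approve, which also covers a future intrusion that picks a different name. The nftables fragment uses a default-drop policy, so it must be merged into an existing ruleset rather than loaded on its own.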
Cyware Publisher