Search This Blog

Powered by Blogger.

Blog Archive

Labels

Hackers Exploit Zero-Day Bug, Steal Crypto from Bitcoin ATMs

When customers would deposit or buy cryptocurrency via the ATM, the funds would be stolen by hackers.

 


General Bytes and the Vulnerability

Hackers have abused a zero-day vulnerability in General Bytes Bitcoin ATM servers to get cryptocurrency from customers. When customers would deposit or buy cryptocurrency via the ATM, the funds would be stolen by hackers. 

General Bytes manufactures the Bitcoin ATMs that, according to the product, let people buy or sell more than 40 different cryptocurrencies. 

Actors Exploit CAS Zero-day

Crypto Application Server (CAS) controls the Bitcoin ATMs, looks over the ATM's operations, and the cryptocurrency it supports, and completes the sales and purchases of cryptocurrency on exchange forums. 

The attacks were carried out using a zero-day vulnerability in the company's Crypto Application Server (CAS). The hacker created an admin user remotely via CAS administrative interface through a URL call on the tab, using it for default installation on the server and therefore creating the first administration user. The vulnerability exists in the CAS software since version 20201208

General Bytes believes that the threat actors searched the internet for exposed servers that run on TCP ports 443 or 7777, this includes servers hosted at Digital Ocean and General Bytes' own cloud service.

Hackers exploit bugs to transfer money

The hackers then used the bug to put a default admin user named 'GB' in the CAS and changed the 'buy' and 'sell' crypto settings and 'invalid payment addresses' to use a cryptocurrency wallet within the attacker's control. 

After the hackers have modified these settings, any cryptocurrency sent to CAS was forwarded to the attackers instead. Two-way ATMs' began sending money into hackers' wallets when the customers deposited coins in the ATM. 

What should the users do?

General Bytes has warned its customers not to use their Bitcoin ATMs until the company has implemented two server patch releases 20220531.38 and 20220725.22, on their servers. General Bytes also gave a steps checklist for the devices before they are put back to use. 

We should note that the hackers wouldn't have been able to launch these attacks if the servers had a firewall, this would allow connections from only trusted servers. Hence, we should always configure firewalls to only give access to trusted IP addresses for the Crypto Application Server, for instance, the customer's offices or the ATM's location.

According to General Bytes, the following things didn't happen-

1. The attacker didn't gain access to the host operating system.
2. The attacker didn't gain access to the host file system.
3. The attacker didn't gain access to the database.
4. The attacker didn't gain access to any passwords, password hashes, salts, private keys, or API keys.

Currently, 18 General Bytes CAS are still vulnerable to the internet, most of these are located in Canada. We aren't aware of how many servers were compromised using this vulnerability and how much cryptocurrency was stolen. As of now, no further updates have come from General Bytes', CySecurity will update its readers in case.

Share it:

Bitcoin

cryptocurrency

General Bytes

Vulnerabilities and Exploits