General Bytes and the Vulnerability
Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers: when customers deposited or bought cryptocurrency via an ATM, the funds were diverted to the attackers.
General Bytes manufactures Bitcoin ATMs that, according to the company, let people buy or sell more than 40 different cryptocurrencies.
Actors Exploit CAS Zero-day
The Crypto Application Server (CAS) controls the Bitcoin ATMs: it manages the ATMs' operation and the cryptocurrencies they support, and executes the purchases and sales of cryptocurrency on exchanges.
The attacks were carried out using a zero-day vulnerability in the company's Crypto Application Server (CAS). The attacker created an admin user remotely via the CAS administrative interface, through a URL call to the page used for the default installation of the server and the creation of its first administrative user; that page remained reachable after installation. The vulnerability has been present in the CAS software since version 20201208.
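The bug class described above, a first-run installation page that keeps creating administrators after setup has finished, is easy to model. The following is an added illustration, not General Bytes' or CAS's code: the in-memory `Server` store, the handler names and the one-time setup token are assumptions for the example. The vulnerable handler accepts any caller; the hardened one only works while no admin exists and only with the token generated at install time.

```python
"""Model of a 'first admin' setup endpoint, vulnerable and hardened forms.

Added illustration, not General Bytes' or CAS's code. Names, fields and the
in-memory store are assumptions made for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Server:
    """In-memory stand-in for the application's user database (constructed)."""
    admins: Dict[str, str] = field(default_factory=dict)  # username -> password (plain for brevity)
    setup_token: Optional[str] = None                     # one-time secret shown to the installer


def install(server: Server) -> str:
    """Simulate first installation: mint the one-time setup token."""
    server.setup_token = secrets.token_urlsafe(32)
    return server.setup_token


def vulnerable_create_first_admin(server: Server, username: str, password: str) -> bool:
    """Vulnerable: the 'first admin' page never checks that setup already ran.

    Any unauthenticated caller who can reach this URL after installation can
    add an administrator, which is the pattern the article attributes to the
    CAS zero-day.
    """
    server.admins[username] = password
    return True


def hardened_create_first_admin(server: Server, username: str, password: str, token: str) -> bool:
    """Hardened: closed once any admin exists, and gated by the one-time token."""
    if server.admins:                      # setup already completed: endpoint is closed
        return False
    if server.setup_token is None:         # no install in progress
        return False
    if not hmac.compare_digest(server.setup_token, token):  # constant-time comparison
        return False
    server.admins[username] = password
    server.setup_token = None              # single use
    return True


if __name__ == "__main__":
    weak = Server()
    vulnerable_create_first_admin(weak, "operator", "pw")
    vulnerable_create_first_admin(weak, "GB", "attacker")   # succeeds: second admin minted remotely
    print("vulnerable server admins:", sorted(weak.admins))

    strong = Server()
    token = install(strong)
    hardened_create_first_admin(strong, "operator", "pw", token)
    hardened_create_first_admin(strong, "GB", "attacker", token)  # refused: setup is closed
    print("hardened server admins:", sorted(strong.admins))
```

The two checks in the hardened handler are independent: the "no admin yet" test closes the page for the lifetime of the installation, and the token stops a race in which someone reaches the page before the legitimate operator does.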
Hackers exploit the bug to transfer money
The hackers then used the bug to add a default admin user named 'GB' to the CAS and modified the 'buy' and 'sell' crypto settings and the 'invalid payment address' setting so that they pointed to a cryptocurrency wallet under the attacker's control.
Once these settings were modified, any cryptocurrency received by the CAS was forwarded to the attackers instead of the operator. Two-way ATMs began sending coins to the attackers' wallets whenever customers deposited them at the ATM.
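An operator checking a server after this kind of tampering wants to compare the current account list and payout settings against a known-good baseline. The following is an added example, not a General Bytes tool: the record layout, field names and wallet addresses are constructed for the illustration and do not reflect the CAS export format. It flags accounts missing from the baseline, any changed payout setting, and the attacker pattern the article describes, in which all payout settings collapse onto one address.

```python
"""Audit operator accounts and payout-address settings against a known-good baseline.

Added example, not General Bytes' code. Field names, address strings and the
snapshot layout are constructed for the illustration.
"""
from typing import Dict, List, Set

# Known-good state the operator recorded before the incident (constructed).
BASELINE_ADMINS: Set[str] = {"operator"}
BASELINE_WALLETS: Dict[str, str] = {
    "buy": "bc1q-operator-buy-wallet",
    "sell": "bc1q-operator-sell-wallet",
    "invalid_payment_address": "bc1q-operator-fallback-wallet",
}

# Snapshot pulled from a tampered server (constructed to mirror the article).
TAMPERED_ADMINS: Set[str] = {"operator", "GB"}
TAMPERED_WALLETS: Dict[str, str] = {
    "buy": "bc1q-attacker-wallet",
    "sell": "bc1q-attacker-wallet",
    "invalid_payment_address": "bc1q-attacker-wallet",
}


def audit(admins: Set[str], wallets: Dict[str, str],
          baseline_admins: Set[str], baseline_wallets: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the snapshot matches the baseline."""
    findings: List[str] = []

    # 1. Any administrator not present in the baseline is an unexpected account.
    for user in sorted(admins - baseline_admins):
        findings.append(f"unexpected admin account: {user}")

    # 2. Every payout setting must still hold the operator's own address.
    for key, expected in baseline_wallets.items():
        actual = wallets.get(key)
        if actual != expected:
            findings.append(f"wallet setting '{key}' changed: {expected} -> {actual}")

    # 3. Every payout setting pointing at one address is the pattern described
    #    in the article (buy, sell and invalid-payment all redirected to one wallet).
    distinct = {wallets.get(k) for k in baseline_wallets}
    if len(baseline_wallets) > 1 and len(distinct) == 1:
        findings.append(f"all payout settings point to a single address: {distinct.pop()}")

    return findings


if __name__ == "__main__":
    for line in audit(TAMPERED_ADMINS, TAMPERED_WALLETS, BASELINE_ADMINS, BASELINE_WALLETS):
        print(line)
```

The baseline is the important part: without a record of which addresses the operator configured, a changed setting looks no different from a legitimate one, so the snapshot should be taken at installation and after every intentional change.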
What should users do?
General Bytes has warned its customers not to operate their Bitcoin ATMs until they have installed the two server patch releases, 20220531.38 and 20220725.22, on their servers. General Bytes also provided a checklist of steps to go through before the devices are put back into use.