Benzinga
Business
Murtuza Merchant

Hackers Target General Bytes' Bitcoin ATMs With A Zero-Day Attack After 'Help Ukraine' Feature Added

The servers of Bitcoin (CRYPTO: BTC) ATM manufacturer General Bytes were compromised by a zero-day exploit, allowing hackers to take over as default administrators and modify settings to send money to their wallet addresses.

Although the total amount of funds stolen and the number of compromised ATMs have not been made public, the company has advised ATM operators to change their software as a precaution.

General Bytes is based in Prague, Czech Republic, where its ATMs are made; customers of the ATMs can trade in more than 40 coins.

General Bytes, which owns and manages 8,827 Bitcoin ATMs available in more than 120 countries, acknowledged the theft and said the vulnerability has been present since the CAS software was updated to version 20201208 and has been exploited by the hacker's modifications since last Thursday.

General Bytes has asked customers to refrain from using their ATM servers until they have updated the server to patch release 20220725.22 (or 20220531.38 for customers running the 20220531 branch).


Customers advised precautionary measures

Customers have also been asked to change their server firewall configurations so that, among other things, the CAS admin interface may only be accessed from permitted IP addresses.

The company has also advised users to check their "SELL Crypto Setting" before reactivating the terminals, to make sure the hackers have not altered it so that received funds are redirected to the hackers' wallet.

General Bytes said that multiple security audits have been carried out since its founding in 2020, but none of them discovered this issue.

It added that the attack came three days after the company publicly announced the 'Help Ukraine' feature on ATMs.

How did the attack happen?

According to a blog post by the company, the hackers used a zero-day vulnerability to target the company's Crypto Application Server (CAS) and steal funds.

The CAS server controls every aspect of the ATM's functioning, including how cryptocurrency is bought and sold on exchanges and which currencies are accepted.

General Bytes recommends Digital Ocean as a cloud hosting provider; it hosts the General Bytes Cloud service as well as the servers of other GB ATM operators.

After scanning the IP address space of Digital Ocean's cloud hosting, the attacker identified running CAS services on ports 7777 or 443. They then used this security flaw to create a new default admin user, organization, and terminal.

Access was then gained to the CAS interface and the admin user's default name was changed to "gb."

The attacker then changed the crypto settings on two-way devices, entering their own wallet in the wallet settings and the "invalid payment address" option.

When clients placed coin orders at two-way ATMs, coins were sent to the attacker's wallet.

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” the security advisory team stated.
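The advisory's own indicators (an admin user created from outside the permitted IP range, the admin account renamed to "gb", and a changed SELL crypto or payment-address setting) can be checked mechanically. The following is an added example, not General Bytes code; it assumes a hypothetical, constructed audit-log format, since the real CAS log format is not described here.

```python
import ipaddress
import re

# Constructed sample in a hypothetical "<timestamp> <client_ip> <action> <key=value ...>"
# format. This is NOT the real CAS log format; the wallet value is made up.
SAMPLE_LOG = """\
2022-08-18T09:10:11Z 10.0.0.5 ADMIN_LOGIN user=ops
2022-08-18T09:12:40Z 198.51.100.23 ADMIN_USER_CREATED user=admin org=default terminal=T1
2022-08-18T09:13:02Z 198.51.100.23 ADMIN_USER_RENAMED old=admin new=gb
2022-08-18T09:14:55Z 198.51.100.23 SETTING_CHANGED key=sell_crypto.invalid_payment_address value=bc1qexampleconstructed
2022-08-18T09:20:00Z 10.0.0.5 SETTING_CHANGED key=ui.language value=en
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def audit_events(log_text, allowed_admin_cidrs):
    """Return (timestamp, reason) findings for the three indicators named in the advisory.

    allowed_admin_cidrs: networks from which the CAS admin interface may legitimately
    be used (the firewall allowlist the vendor recommends).
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_admin_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-audit
        ts, ip, action, details = m.groups()
        kv = dict(p.split("=", 1) for p in details.split() if "=" in p)
        outside = not any(ipaddress.ip_address(ip) in net for net in allowed)
        # 1. Admin account created from a non-allowlisted address (the install-page abuse).
        if action == "ADMIN_USER_CREATED" and outside:
            findings.append((ts, f"admin user {kv.get('user')!r} created from non-allowlisted IP {ip}"))
        # 2. Admin account renamed to the name the attacker used.
        if action == "ADMIN_USER_RENAMED" and kv.get("new") == "gb":
            findings.append((ts, f"admin user renamed to 'gb' from {ip}"))
        # 3. Any change under the SELL crypto settings (incl. invalid payment address).
        if action == "SETTING_CHANGED" and kv.get("key", "").startswith("sell_crypto."):
            findings.append((ts, f"SELL crypto setting {kv.get('key')} changed from {ip}"))
    return findings


if __name__ == "__main__":
    for ts, reason in audit_events(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(ts, reason)
```

Run it against the exported admin audit log with the operator's real allowlist; any finding warrants reviewing the SELL settings before bringing terminals back online.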

Photo: Courtesy of ajay_suresh on flickr
