Cybercriminals abused a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency. The attack let the hackers redirect funds to wallets they controlled whenever a user made a deposit through an ATM managed by a compromised server.
 
Crypto exchange hacks have risen sharply; this incident shows that users of Bitcoin ATMs face a new kind of threat as well.
 

Abusing zero-day vulnerability

A General Bytes customer recently informed news media that hackers were stealing bitcoin from their ATMs. Investigation revealed that the attackers had abused a zero-day vulnerability in the Crypto Application Server (CAS) that manages the ATMs.
  • The exploited flaw has existed in the CAS software since version 20201208.
  • The attackers scanned the internet for exposed CAS instances (listening on TCP ports 7777 and 443), including servers hosted at DigitalOcean and on General Bytes' own cloud service.
 

How the crypto hack was executed

The attackers executed the hack by creating a default admin user named 'gb' on the CAS.
  • They created the admin user remotely, through the CAS admin interface, with a URL call to the page that is normally used only for the server's initial default installation.
  • They then modified the buy/sell settings and the 'invalid payment address' setting so that both pointed at a wallet the attackers controlled.
  • Once the settings were changed, any cryptocurrency a customer deposited through an affected ATM was sent to the attackers instead of the intended recipient.
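The chain above leaves a recognisable trail in server logs: an unauthenticated hit on the installation page, creation of a new admin user, and a change to the payment settings by that user, all from an address the operator does not recognise. The following Python hunts for that sequence in a constructed log sample. It is an added example, not General Bytes code; the log format, the endpoint paths (/install, /admin/...), the setting keys and the trusted address ranges are hypothetical stand-ins for whatever the real CAS or its reverse proxy records. Only the behaviours it looks for are taken from the write-up.

```python
"""Hunt for the reported CAS attack chain in a server log (added example).

Hypothetical: log line format, endpoint paths, setting keys, trusted ranges.
From the write-up: install page used to create an admin ('gb'), then the
buy/sell and 'invalid payment address' settings pointed at a new wallet.
"""
import ipaddress
import re

# Hypothetical operator ranges; the firewall should enforce the same allowlist.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]

# Hypothetical endpoint names standing in for the real CAS install/admin URLs.
INSTALL_PAGE = "/install"
SETTINGS_PATH = "/admin/settings"
PAYMENT_KEYS = {"invalid_payment_address", "buy_sell_settings"}

# Constructed sample log; format is: time src_ip method path status key=value...
SAMPLE_LOG = """\
2022-08-18T02:11:04Z 203.0.113.7 GET /admin/dashboard 200 user=ops
2022-08-18T02:13:40Z 198.51.100.23 GET /install 200 -
2022-08-18T02:13:42Z 198.51.100.23 POST /install 200 action=create_admin user=gb
2022-08-18T02:15:09Z 198.51.100.23 POST /admin/settings 200 user=gb key=invalid_payment_address value=bc1qexamplewallet
2022-08-18T02:16:30Z 198.51.100.23 POST /admin/settings 200 user=gb key=buy_sell_settings value=changed
2022-08-18T03:00:00Z 203.0.113.7 POST /admin/settings 200 user=ops key=display_language value=en
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the operator's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse(log_text: str):
    """Yield one dict per well-formed line; trailing key=value pairs are merged in."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, detail = m.groups()
        extra = dict(tok.split("=", 1) for tok in detail.split() if "=" in tok)
        yield {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status), **extra}


def find_indicators(log_text: str, install_complete: bool = True):
    """Return [(timestamp, src_ip, [reasons])] for records matching the attack chain.

    install_complete=False suppresses the install-page indicator for a server that
    is legitimately still being set up.
    """
    hits = []
    new_admins = set()  # admins created during this log window
    for rec in parse(log_text):
        reasons = []
        untrusted = not is_trusted(rec["ip"])
        if install_complete and rec["path"] == INSTALL_PAGE:
            reasons.append("install page reachable after setup")
        if rec.get("action") == "create_admin":
            new_admins.add(rec.get("user"))
            reasons.append("admin user created: " + rec.get("user", "?"))
        if rec["path"] == SETTINGS_PATH and rec.get("key") in PAYMENT_KEYS:
            if rec.get("user") in new_admins or untrusted:
                reasons.append("payment setting changed by new or untrusted admin")
        if untrusted and rec["path"].startswith("/admin"):
            reasons.append("admin interface reached from untrusted IP")
        if reasons:
            hits.append((rec["ts"], rec["ip"], reasons))
    return hits


if __name__ == "__main__":
    for ts, ip, reasons in find_indicators(SAMPLE_LOG):
        print(ts, ip, "; ".join(reasons))
```

The trusted-address check is the same allowlist a firewall in front of ports 7777 and 443 would enforce; running the hunt over historical logs tells an operator whether the install page was reached before that allowlist existed.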
 

More insights

General Bytes is the manufacturer of Bitcoin ATMs that allow the purchase or sale of over 40 different cryptocurrencies. The Bitcoin ATMs are managed by a remote Crypto Application Server (CAS).
  • Eighteen General Bytes Crypto Application Servers, most of them in Canada, are still exposed to the internet.
  • It is not known how many servers were attacked using the flaw or how much cryptocurrency was stolen.
 

Recommendations

General Bytes has warned its customers to stop using their Bitcoin ATMs until the patch releases 20220531.38 and 20220725.22 have been applied, and has provided a list of steps to perform on the devices before putting the service back into use. It also recommends configuring the firewall on the servers so that they accept connections only from trusted IP addresses.
Cyware Publisher
