Hackers Steal Bitcoin From Bitcoin ATM Organization Through a Zero-Day Bug

Hackers have exploited a zero-day bug vulnerability of a Bitcoin ATM manufacturer which allows them to steal cryptocurrencies from customers.

According to Bleeping Computer, Hackers compromised General Bytes ATM servers to redirect crypto assets to their own wallets.

General Bytes manufactures bitcoin ATMs which allow customers to buy or sell over 40 different cryptocurrencies. The hackers would be able to redirect cryptocurrencies to their wallets when deposits or purchases are made through the ATM.

A General Byte security advisory publication revealed that the attacks were conducted using a zero-day vulnerability in the company’s Crypto Application Server (CAS).

Crypto Application Server (CAS) remotely controls the bitcoin ATMs. CAS manages the ATMs’ operations, supported cryptocurrencies, and executes the buying and selling of cryptocurrency on exchanges.

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208,” the publication stated.

Furthermore, General Bytes believes that the threat actors scanned the internet for exposed servers. The hackers scanned servers running on TCP ports 7777 and 443, including General Bytes’ cloud service and Digital Ocean.

The hackers exploited the bug and added a default user admin to the CAS. Additionally, the hackers modified the “buy” and “sell” crypto settings and ‘invalid payment address’ and used their own wallet address. After the hackers modified these settings, any cryptocurrency would be deposited into their wallet.

The publication explained, “Two-way ATMs started to forward coins to the attackers’ wallet when customers sent coins to ATM.”

Due to the circumstances, General Bytes have warned users not to operate their ATMs. They warn until they have applied two patch server releases, 20220531.38 and 20220725.22 on their server. They provided a checklist of steps to perform before devices are put back into service.

However, there are currently additional eighteen General Bytes Crypto Applications Servers exposed to the internet. Most General Bytes servers still exposed are located in Canada.

In conclusion, the amount of cryptocurrencies stolen from the ATMs and servers breached was not disclosed.