Bitcoin ATMs crippled by attackers creating fake admin accounts – Naked Security
You wouldn’t know it from visiting the company’s main website, but General Bytes, a Czech company that sells Bitcoin ATMs, is urging its customers to patch a critical bug in its server software that has already cost operators money.
The company claims worldwide sales of more than 13,000 ATMs, which sell for $5,000 and up, depending on features and appearance.
Not all countries have welcomed cryptocurrency ATMs – for example, the UK regulator warned in March 2022 that none of the ATMs operating in the country at the time were officially registered, saying that it would “contact the operators and instruct that the machines are to be closed”.
We went to check our local crypto ATM at the time and found it showing a “Terminal offline” message. (The device has since been removed from the mall where it was installed.)
Still, General Bytes says it serves customers in more than 140 countries, and its global map of ATM locations shows a presence on every continent except Antarctica.
Security incident reported
According to General Bytes’ product knowledge base, a “security incident” at a severity level of Highest was discovered last week.
In the company’s own words:
The attacker was able to create an admin user remotely via the CAS administrative interface via a URL call on the page used for the default installation on the server and create the first administrative user.
As far as we can tell, CAS is short for Coin ATM Server, and every General Bytes cryptocurrency ATM operator needs one of these.
You can host your CAS anywhere you want, it seems, including on your own hardware in your own server room, but General Bytes has a special deal with hosting company Digital Ocean for an affordable cloud solution. (You can also let General Bytes run the server for you in the cloud for a 0.5% cut of all cash transactions.)
According to the incident report, the attackers performed a port scan of Digital Ocean’s cloud services, looking for listening web services (on ports 7777 or 443) that identified themselves as General Bytes CAS servers, in order to build a list of potential victims.
Note that the vulnerability exploited here was not down to Digital Ocean, nor limited to cloud-based CAS instances. We’re guessing the attackers simply decided Digital Ocean was a good place to start looking. Remember that with a very high-speed internet connection (e.g. 10Gbit/sec), and using freely available software, determined attackers can now scan the entire IPv4 address space in hours, or even minutes. That’s how public internet-scanning services like Shodan and Censys work, constantly trawling the internet to find out which services, and which versions of them, are currently listening at which addresses.
Apparently, a vulnerability in CAS itself allowed the attackers to manipulate the settings of the victim’s cryptocurrency services, including:
- Adding a new user with administrative rights.
- Using this new administrator account to reconfigure existing ATMs.
- Redirecting all invalid payments to a separate wallet.
As far as we can tell, this means that the attacks carried out were limited to transfers or withdrawals where the customer made a mistake.
In such cases, it appears that instead of the ATM operator collecting the misdirected funds so that they can later be refunded or properly redirected…
…the funds would go directly and irreversibly to the attackers.
General Bytes didn’t say how this bug came to its attention, although we imagine any ATM operator faced with a support call about a failed transaction would quickly notice that their service settings had been tampered with and sound the alarm.
Indicators of compromise
The attackers, it seems, left various signs of their activity, allowing General Bytes to publish a number of so-called indicators of compromise (IoCs) to help its users identify hacked CAS configurations.
(Note, of course, that the absence of IoCs does not guarantee the absence of any attackers, but known IoCs are a convenient place to start when it comes to threat detection and response.)
Fortunately, perhaps due to the fact that this exploit relied on invalid payments, rather than allowing the attackers to drain ATMs directly, the total financial losses in this incident do not reach the millions often associated with cryptocurrency blunders.
General Bytes claimed yesterday [2022-08-22] that “[t]he incident was reported to the Czech police. Total damage to ATM operators based on their feedback is USD 16,000.”
The company also automatically disabled all ATMs it managed on behalf of its customers, requiring those customers to log in and review their own settings before reactivating their ATM devices.
What to do?
General Bytes has listed an 11-step process for customers to follow to correct this issue, including:
- Patching the CAS server.
- Reviewing firewall settings to limit access to as few network users as possible.
- Deactivating ATM terminals so that the server can be brought back up for review.
- Reviewing all settings, including any dummy terminals that may have been added.
- Reactivating terminals only after completing all threat hunting steps.
Incidentally, this attack is a stark reminder of why modern threat response is not just about patching holes and removing malware.
In this case, criminals did not implant any malware: the attack was orchestrated simply through malicious configuration changes, with the underlying operating system and server software untouched.
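Because the attack left no malware behind, the evidence lives entirely in the CAS configuration, which is why the “review all settings” step above matters. One practical way to do that review is to diff a known-good configuration backup against the live export and flag exactly the changes described in this article: new administrative users, terminals that weren’t there before, and changed wallet addresses for misdirected payments. The script below is an added example written for this article, not General Bytes’ code, and its JSON layout (the `users`, `terminals`, `roles` and `invalid_payment_address` keys) is a constructed stand-in for whatever a real CAS export contains; the two sample documents are likewise constructed.

```python
"""Diff a known-good CAS-style configuration export against the live one and
report changes that match the tampering pattern described in the article.

The JSON layout and both samples are constructed for this example; they are
NOT General Bytes' real export format. Rename the keys to match your own.
"""
import json

# Constructed sample: a backup taken before the incident window.
BASELINE_JSON = """
{
  "users": [
    {"name": "alice",   "roles": ["ADMIN"]},
    {"name": "cashier", "roles": ["OPERATOR"]}
  ],
  "terminals": [
    {"serial": "BT300001",
     "invalid_payment_address": "bc1q-operator-refund-wallet",
     "crypto_settings": {"fee_percent": 5.0}}
  ]
}
"""

# Constructed sample: the same server, exported after an intruder's visit.
CURRENT_JSON = """
{
  "users": [
    {"name": "alice",    "roles": ["ADMIN"]},
    {"name": "cashier",  "roles": ["OPERATOR"]},
    {"name": "support2", "roles": ["ADMIN"]}
  ],
  "terminals": [
    {"serial": "BT300001",
     "invalid_payment_address": "bc1q-unknown-third-party-wallet",
     "crypto_settings": {"fee_percent": 5.0}},
    {"serial": "BT300099",
     "invalid_payment_address": "bc1q-unknown-third-party-wallet",
     "crypto_settings": {"fee_percent": 5.0}}
  ]
}
"""


def find_config_tampering(baseline: dict, current: dict) -> list[dict]:
    """Return a list of findings, each a dict with at least 'type' and 'severity'."""
    findings = []

    # 1. Accounts: anyone new, or anyone who gained ADMIN since the backup.
    base_users = {u["name"]: u for u in baseline["users"]}
    for u in current["users"]:
        old = base_users.get(u["name"])
        if old is None:
            findings.append({"type": "new_user", "name": u["name"],
                             "roles": u["roles"],
                             "severity": "HIGH" if "ADMIN" in u["roles"] else "MEDIUM"})
        elif "ADMIN" in u["roles"] and "ADMIN" not in old["roles"]:
            findings.append({"type": "privilege_escalation", "name": u["name"],
                             "severity": "HIGH"})

    # 2. Terminals: dummy terminals added, or settings changed on real ones.
    base_terms = {t["serial"]: t for t in baseline["terminals"]}
    for t in current["terminals"]:
        old = base_terms.get(t["serial"])
        if old is None:
            findings.append({"type": "new_terminal", "serial": t["serial"],
                             "severity": "HIGH"})
            continue
        # The wallet that receives misdirected payments is the attacker's payoff.
        if t.get("invalid_payment_address") != old.get("invalid_payment_address"):
            findings.append({"type": "wallet_changed", "serial": t["serial"],
                             "old": old.get("invalid_payment_address"),
                             "new": t.get("invalid_payment_address"),
                             "severity": "HIGH"})
        if t.get("crypto_settings") != old.get("crypto_settings"):
            findings.append({"type": "settings_changed", "serial": t["serial"],
                             "severity": "MEDIUM"})

    return findings


def scan_samples() -> list[dict]:
    """Run the diff over the two constructed samples embedded above."""
    return find_config_tampering(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))


if __name__ == "__main__":
    for f in scan_samples():
        print(f"[{f['severity']}] {f['type']}: "
              + ", ".join(f"{k}={v}" for k, v in f.items()
                          if k not in ("type", "severity")))
```

Run against the samples, the script reports the new `support2` admin account, the changed refund wallet on terminal BT300001, and the unexpected terminal BT300099; an unchanged configuration produces no findings. The point of the baseline comparison is that it catches tampering regardless of which account name or wallet the attackers happen to use, whereas a list of published IoCs only catches what has already been seen.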
Featured image of imagined Bitcoins via Unsplash license.