Hackers exploit zero-day bug to steal from General Bytes’ Bitcoin ATMs

Bitcoin ATM maker General Bytes had its servers compromised via a zero-day attack on August 18, which allowed the hackers to make themselves default administrators and change the settings so that all funds were transferred to their wallet address.

The amount of stolen funds and the number of ATMs compromised have not been disclosed, but the company immediately advised ATM operators to update their software.

General Bytes, which owns and operates 8,827 Bitcoin ATMs available in over 120 countries, confirmed the hack on August 18. The company is headquartered in Prague, Czech Republic, which is also where the ATMs are manufactured. ATM customers can buy or sell over 40 coins.

The vulnerability has been present since the CAS software was updated to version 20201208; the hackers’ modifications were made on August 18.

General Bytes has urged customers to refrain from using their General Bytes ATM servers until they update their server to patch release 20220725.22 (or 20220531.38 for customers running 20220531).

Customers have also been asked to change their server firewall settings so that the CAS admin interface can only be accessed from authorized IP addresses, among other measures.

Before reactivating the terminals, General Bytes also reminded customers to review their ‘SELL Crypto setting’ to ensure that the hackers did not change the settings so that any funds received would instead be transferred to them (and not the customers).
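The firewall step above, restricting the CAS admin interface to authorized addresses, as an added example that is not General Bytes’ own tooling: a POSIX shell script that emits iptables rules limiting the two ports named in the advisory (TCP 7777 and 443) to an operator allow-list and rejects an allow-list that would open them to everyone. The allow-list variable and the addresses in it are assumed, constructed placeholders.

```shell
#!/bin/sh
# Added example, not General Bytes' code: generate iptables rules that
# restrict the CAS admin interface (TCP 7777 and 443) to an allow-list
# of operator source addresses. Rules are printed, not applied, so they
# can be reviewed before being loaded on the CAS host.

CAS_PORTS="7777 443"

# One ACCEPT per allowed source per port, then a DROP for any other
# source reaching that port. These rules must precede any broader
# ACCEPT already in the INPUT chain, or they have no effect.
cas_admin_firewall_rules() {
    allow_list="$1"
    for port in $CAS_PORTS; do
        for src in $allow_list; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Count ACCEPT rules granted for one port, to confirm that each
# port is opened only to the expected number of sources.
count_accepts_for_port() {
    rules="$1"; port="$2"
    printf '%s\n' "$rules" | grep -c -- "--dport $port .* -j ACCEPT"
}

# Refuse an allow-list containing an any-source entry, which would
# reopen the admin interface to the whole internet.
validate_allow_list() {
    for src in $1; do
        case "$src" in
            0.0.0.0/0|0.0.0.0|::/0) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample allow-list (assumed variable, placeholder addresses).
ALLOWED_ADMIN_IPS="203.0.113.10 198.51.100.0/24"
if validate_allow_list "$ALLOWED_ADMIN_IPS"; then
    cas_admin_firewall_rules "$ALLOWED_ADMIN_IPS"
fi
```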

General Bytes stated that several security audits had been conducted since its inception in 2020, none of which identified this vulnerability.

How the attack happened

General Bytes’ security advisory team stated in its blog post that the hackers conducted a zero-day vulnerability attack to gain access to the company’s Crypto Application Server (CAS) and extract the funds.

The CAS server controls the entire operation of the ATM, which includes the execution of buying and selling of crypto on exchanges and which coins are supported.


The company believes the hackers “scanned for vulnerable servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service.”

From there, the hackers added themselves as a default administrator on CAS, named ‘gb’, and then proceeded to change the ‘buy’ and ‘sell’ settings so that any crypto received by the Bitcoin ATM would instead be transferred to the hackers’ wallet address:

“The attacker was able to create an admin user remotely via the CAS administrative interface via a URL call on the page used for the default installation on the server and create the first administrative user.”