On August 18, Bitcoin ATM manufacturer General Bytes fell victim to a zero-day attack from older versions of the software in order to obtain cryptocurrencies from its users. This vulnerability exists in CAS software since version 2020-12-08.
It is not yet clear how many servers were breached and how much cryptocurrency was stolen using this vulnerability. Zero day related to a bug in the CAS admin interface has been fixed in two different version patches, 20220531.38 and 20220725.22. The amount of money stolen and the number of ATMs seized were not disclosed, but the company urged ATM operators to update their software immediately.
Before reactivating the terminals, General Bytes reminded customers to review the “SELL Crypto Setting” to make sure the attacker did not change the settings so that the funds received would be transferred to them (not the customers).
General Bytes stated that it has carried out “multiple security audits” since 2020, and this shortcoming was never detected.
How the Attack Was Performed?
The attacker was able to remotely create an administrator account via a URL call on the page used for the default setup on the server.
The attackers added themselves as a default administrator in the CAS and then adjusted the “buy” and “sell” settings so that any cryptocurrency received by the Bitcoin ATM would be transferred to the attackers’ wallet address.
General Bytes believes the attacker is scanning for open servers running on TCP ports 7777 or 443, including servers hosted in its own cloud service.
