Threat actors exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal BTC from multiple clients.

Threat actors exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions associated with depositing and withdrawing funds.

GENERAL BYTES is the world’s largest manufacturer of Bitcoin, Blockchain and Cryptocurrency ATMs.

ATMs manufactured by the company are remotely controlled by a Crypto Application Server (CAS), which manages the operation of the devices.

The company issued a security advisory on August 18 admitting the existence of a zero-day flaw actively exploited by threat actors in the wild. Attackers exploited the issue to create an administrator user account through the CAS admin panel.

“The attacker was able to create an administrator user remotely through the CAS administration interface via a URL call to the page used for the default installation on the server and create the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more information in the ‘What happened’ section,” reads the advisory.

Active exploitation of the issue was also confirmed by BleepingComputer, which was contacted by a General Bytes customer who told them that attackers were stealing bitcoins from their ATMs.

According to the advisory, the problem lies in the CAS administration interface. Threat actors scanned Digital Ocean’s cloud hosting IP address space for CAS services exposing ports 7777 or 443. The attackers then exploited the vulnerability to create a new admin user, organization and a default terminal. The threat actors accessed the CAS interface and renamed the default admin user to “gb”, then changed the two-way machine encryption settings with their own wallet settings and the “invalid payment address” setting.

These settings allowed attackers to transfer coins to the attacker’s wallet when customers sent coins to an ATM.

According to the notice, the attacks came three days after the company publicly announced the Help Ukraine feature on ATMs.

General Bytes recommends that customers install both server patch versions 20220531.38 and 20220725.22.

The company also shared instructions for configuring server firewalls to control access to the Crypto Application Server.
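The flaw class the advisory describes (a first-run installer page that keeps creating administrators after installation) and the firewall mitigation the company recommends can both be shown in a small model. This is an added example, not General Bytes' CAS code: the `Request`/`CasState` types, the `MGMT_NETWORKS` range and the handler names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical model, not General Bytes' code: names and route are assumptions.
MGMT_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed operator management range


@dataclass
class Request:
    """Minimal stand-in for an HTTP call to the installer page (constructed)."""
    params: dict
    remote_addr: str


@dataclass
class CasState:
    """Server-side state: existing admin accounts and whether setup finished."""
    admins: list = field(default_factory=list)
    setup_complete: bool = False


def vulnerable_setup(state, req):
    """Creates an administrator whenever the installer page is called.

    Mirrors the flaw class in the advisory: the page meant for the very first
    installation stays reachable, so any unauthenticated caller can add an admin.
    """
    username = req.params.get("username", "")
    if not username:
        return "error: username required"
    state.admins.append(username)
    return f"created admin {username}"


def hardened_setup(state, req):
    """Same endpoint with the two checks the patch and firewall advice imply."""
    # 1. The installer is one-shot: once any admin exists, the page is closed.
    if state.setup_complete or state.admins:
        return "error: installation already completed"
    # 2. Even the first-run call is only accepted from the management network,
    #    the same effect the recommended firewall rules give for ports 7777/443.
    if not any(ip_address(req.remote_addr) in net for net in MGMT_NETWORKS):
        return "error: setup only allowed from management network"
    username = req.params.get("username", "")
    if not username:
        return "error: username required"
    state.admins.append(username)
    state.setup_complete = True
    return f"created admin {username}"
```

The vulnerable handler accepts a second administrator from any address on an already-installed server; the hardened one refuses both that case and any first-run call that does not originate from the management range.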