Threat actors have exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions associated with deposits and withdrawal of funds.
GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.
The ATM machines manufactured by the company are remotely controlled by a Crypto Application Server (CAS), which manages the operation of the devices.
The company published a security advisory on August 18th admitting the existence of a zero-day flaw actively exploited by threat actors in the wild. The attackers exploited the issue to create an admin user account via the CAS admin panel
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more information in the ‘What happened’ section.” reads the advisory.
The active exploitation of the issue was also confirmed by BleepingComputer which was contacted by a General Bytes customer who told them attackers were stealing bitcoin from their ATMs.
According to the advisory, the issue resides in the CAS admin interface. Threat actors scanned Digital Ocean cloud hosting IP address space for CAS services exposing ports 7777 or 443. Then attackers exploited the vulnerability to create a new default admin user, organization, and terminal. Threat actors accessed the CAS interface and renamed the default admin user to ‘gb,’ then modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting.
These settings allowed the attackers to forward coins to the attacker’s wallet when customers sent coins to ATM.
According to the advisory, the attacks came three days after the company publicly announced the help Ukraine feature on ATMs.
General Bytes recommends customers install the two server patch releases 20220531.38 and 20220725.22.
The company also shared instructions for configuring server firewalls to control access to Crypto Application Server.
(SecurityAffairs – hacking, General Bytes Bitcoin ATM)