MUST READ

DraftKings thwarts credential stuffing attack, but urges password reset and MFA

 | 

Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

 | 

U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

 | 

GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns

 | 

CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p attacks began Aug 9, 2025

 | 

Discord discloses third-party breach affecting customer support data

 | 

Oracle patches critical E-Business Suite flaw exploited by Cl0p hackers

 | 

LinkedIn sues ProAPIs for $15K/Month LinkedIn data scraping scheme

 | 

Zimbra users targeted in zero-day exploit using iCalendar attachments

 | 

Reading the ENISA Threat Landscape 2025 report

 | 

Ghost in the Cloud: Weaponizing AWS X-Ray for Command & Control

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 65

 | 

Security Affairs newsletter Round 544 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals

 | 

U.S. CISA adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog

 | 

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

 | 

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

 | 

Google warns of Cl0p extortion campaign against Oracle E-Business users

 | 

CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor

 | 

Allianz Life data breach impacted 1.5 Million people

 | 

Threat actors are stealing funds from General Bytes Bitcoin ATM

Pierluigi Paganini August 21, 2022

Threat actors have exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers.

Threat actors have exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions associated with deposits and withdrawal of funds.

GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.

The ATM machines manufactured by the company are remotely controlled by a Crypto Application Server (CAS), which manages the operation of the devices.

The company published a security advisory on August 18th admitting the existence of a zero-day flaw actively exploited by threat actors in the wild. The attackers exploited the issue to create an admin user account via the CAS admin panel

General Bytes Bitcoin ATM zero-day

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more information in the ‘What happened’ section.” reads the advisory.

The active exploitation of the issue was also confirmed by BleepingComputer which was contacted by a General Bytes customer who told them attackers were stealing bitcoin from their ATMs.

According to the advisory, the issue resides in the CAS admin interface. Threat actors scanned Digital Ocean cloud hosting IP address space for CAS services exposing ports 7777 or 443. Then attackers exploited the vulnerability to create a new default admin user, organization, and terminal. Threat actors accessed the CAS interface and renamed the default admin user to ‘gb,’ then modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting.

These settings allowed the attackers to forward coins to the attacker’s wallet when customers sent coins to ATM.

According to the advisory, the attacks came three days after the company publicly announced the help Ukraine feature on ATMs.

General Bytes recommends customers install the two server patch releases 20220531.38 and 20220725.22.

The company also shared instructions for configuring server firewalls to control access to Crypto Application Server.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, General Bytes Bitcoin ATM)

[adrotate banner=”5″]

[adrotate banner=”13″]

ATM General Bytes Bitcoin Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News zero-Day

you might also like

Pierluigi Paganini October 08, 2025
DraftKings thwarts credential stuffing attack, but urges password reset and MFA
Read more
Pierluigi Paganini October 08, 2025
Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

DraftKings thwarts credential stuffing attack, but urges password reset and MFA

Security / October 08, 2025

Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

Security / October 08, 2025

U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

Hacking / October 07, 2025

GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns

Hacking / October 07, 2025

CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p attacks began Aug 9, 2025

Cyber Crime / October 07, 2025