Threat actors are stealing funds from General Bytes Bitcoin ATM

Threat actors have exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers.

Threat actors have exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions associated with deposits and withdrawal of funds.

GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.

The ATM machines manufactured by the company are remotely controlled by a Crypto Application Server (CAS), which manages the operation of the devices.

The company published a security advisory on August 18th admitting the existence of a zero-day flaw actively exploited by threat actors in the wild. The attackers exploited the issue to create an admin user account via the CAS admin panel

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more information in the ‘What happened’ section.” reads the advisory.

The active exploitation of the issue was also confirmed by BleepingComputer which was contacted by a General Bytes customer who told them attackers were stealing bitcoin from their ATMs.

According to the advisory, the issue resides in the CAS admin interface. Threat actors scanned Digital Ocean cloud hosting IP address space for CAS services exposing ports 7777 or 443. Then attackers exploited the vulnerability to create a new default admin user, organization, and terminal. Threat actors accessed the CAS interface and renamed the default admin user to ‘gb,’ then modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting.

These settings allowed the attackers to forward coins to the attacker’s wallet when customers sent coins to ATM.

According to the advisory, the attacks came three days after the company publicly announced the help Ukraine feature on ATMs.

General Bytes recommends customers install the two server patch releases 20220531.38 and 20220725.22.

The company also shared instructions for configuring server firewalls to control access to Crypto Application Server.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, General Bytes Bitcoin ATM)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.