The servers of Bitcoin ATM maker General Bytes were hacked via a one-day attack on Thursday, enabling hackers to make themselves the default administrators and tweak settings so that all funds are transferred to their wallet address.
The amount of money stolen and the number of hacked ATMs were not disclosed, but the company urgently advised ATM operators to update their software.
The hack was confirmed by General Bytes, which owns and operates 8,827 Bitcoin ATMs that can be accessed in more than 120 countries. The company is headquartered in Prague, where ATMs are also manufactured. ATM customers can buy or sell more than 40 coins.
The vulnerability has been present since the Crypto Application Server (CAS) software was updated to version 20201208; the hackers’ modifications were made on Thursday.
General Bytes urged customers to refrain from using its ATM servers until they have updated to patch release 20220725.22, or 20220531.38 for customers running 20220531.
Customers were also advised to modify the server’s firewall settings so that the CAS management interface could only be accessed from authorized IP addresses, among other things.
Before reactivating the terminals, General Bytes also reminded customers to review the “SELL Crypto Setting” to ensure that the hackers had not modified it so that any money received would be transferred to them instead of to the customers.
General Bytes reports that several security audits have been conducted since its inception in 2020, and none have identified this vulnerability.
How did the attack happen?
General Bytes’ security advisory team stated in a blog post that the hackers carried out a zero-day exploit attack to gain access to the company’s CAS and extract the funds.
The CAS server manages the entire ATM process, which includes executing the purchase and sale of cryptocurrencies on exchanges and which currencies are supported.
The company believes that the hackers “scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ cloud service.”
From there, the hackers added themselves as the default administrator on the CAS, called Gb, and then proceeded to modify the Buy and Sell settings so that any crypto received by the Bitcoin ATM was instead transmitted to the hacker’s wallet address:
“The attacker was able to create a remote administrative user via the CAS administrative interface by calling the URL on the page used for the default installation on the server and creating the first administration user.”
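As an added example (not General Bytes code, and not the CAS log format, which the article does not show), the following triage script runs over constructed access-log lines and flags the two conditions the advisory describes: management-interface traffic on TCP ports 7777 or 443 from addresses outside the operator’s allowlist, and the first-administrator setup page still being served after installation. The log format, the setup path and the allowlisted network are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumptions, not taken from General Bytes: the setup path and the operator's
# management network are placeholders chosen for this example.
ADMIN_SETUP_PATH = "/admin/setup-first-user"       # hypothetical first-admin page
MANAGEMENT_PORTS = {7777, 443}                      # ports named in the advisory
AUTHORIZED = [ipaddress.ip_network("10.20.0.0/24")]  # operator's allowlisted range

# Constructed log format: "<src> - [<time>] "<METHOD> <path>" <port> <status>"
LINE_RE = re.compile(
    r'^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<port>\d+) (?P<status>\d{3})$'
)

# Constructed sample lines: one legitimate admin visit, one outsider reaching
# the setup page and then the sell settings, one non-management port.
SAMPLE_LOG = [
    '10.20.0.5 - [18/Aug/2022:09:01:12 +0000] "GET /admin/dashboard" 7777 200',
    '203.0.113.77 - [18/Aug/2022:09:02:44 +0000] "GET /admin/setup-first-user" 7777 200',
    '203.0.113.77 - [18/Aug/2022:09:02:51 +0000] "POST /admin/setup-first-user" 7777 302',
    '203.0.113.77 - [18/Aug/2022:09:03:10 +0000] "POST /admin/settings/sell" 443 200',
    '198.51.100.9 - [18/Aug/2022:09:05:00 +0000] "GET /" 8080 200',
]


@dataclass
class Finding:
    src: str
    path: str
    port: int
    reasons: list


def is_authorized(src: str) -> bool:
    """True when the source address lies inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED)


def triage(lines):
    """Return one Finding per log line that hits a management port and is suspicious."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than silently trusted
        src, path = m["src"], m["path"]
        port, status = int(m["port"]), int(m["status"])
        if port not in MANAGEMENT_PORTS:
            continue
        reasons = []
        if not is_authorized(src):
            reasons.append("management interface reached from non-allowlisted source")
        if path.startswith(ADMIN_SETUP_PATH) and status < 400:
            reasons.append("first-admin setup page still served after installation")
        if reasons:
            findings.append(Finding(src, path, port, reasons))
    return findings
```

Any hit on the setup page with a non-error status after the server has been installed deserves a look even from an allowlisted address, since that page is exactly the one the advisory says was used to create the attacker’s administrator account.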