General Bytes Bitcoin ATMs Hacked Through Zero Day Bug

Bitcoin ATM manufacturer General Bytes had its servers compromised through a zero-day bug on August 18, allowing hackers to set themselves up as default administrators and change settings so that all funds were transferred to their own wallet address.

The amount of money stolen and the number of ATMs compromised were not disclosed, but the company urged ATM operators to update their software.

General Bytes, which owns and operates 8827 Bitcoin ATMs accessible in more than 120 countries, confirmed the hack on August 18. The company is headquartered in Prague, Czech Republic, where the ATMs are manufactured. ATM customers can buy or sell more than 40 coins.

According to the company, the vulnerability has been present since the CAS software was updated to version 20201208. On August 18 it released patched CAS software, including version 20220531.38 for customers running the 20220531 branch.

Among other measures, customers have also been asked to change their servers' firewall settings so that the CAS administration interface can only be reached from authorized IP addresses.

Before reactivating the terminals, General Bytes also reminds customers to review their "SELL Cryptocurrency Settings" to ensure that the hacker has not changed them so that all funds received are passed on to the attacker instead of to the customer.

General Bytes says that several security tests have been conducted since its inception in 2020, none of which identified the vulnerability.

How did the attack happen?

General Bytes' security consulting team said in a blog post that hackers exploited a zero-day vulnerability to gain access to the company's Cryptocurrency Application Server (CAS) and extract funds.

The CAS server handles all ATM operations, including executing cryptocurrency purchases and sales on the supported exchanges and coins.

From there, the hacker added himself as a default administrator on the CAS, named 'gb', and then modified the 'buy' and 'sell' settings so that any cryptocurrency received by the Bitcoin ATM would be forwarded to the hacker's wallet address:

"The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user."
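To illustrate the two pieces of the incident described above (an install page that keeps creating administrators after setup, and the operator-side checks the company recommends), here is an added, hypothetical Python model; it is not General Bytes' CAS code, and the function names, the allowed network range, the 'gb' user and the sample wallet values are assumptions.

```python
# Added illustration, not General Bytes' CAS code: the "first-admin" install
# endpoint pattern from the article, modelled as plain functions so it runs
# without a web framework. All names and values here are constructed.
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CasState:
    admins: dict = field(default_factory=dict)  # username -> password digest
    setup_complete: bool = False


def _digest(password):
    # Simplified for the example; real systems use a dedicated password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def install_first_admin_vulnerable(state, remote_ip, username, password):
    """Vulnerable pattern: the install page still creates administrators after
    setup and accepts any source address, so a remote caller can add a user."""
    state.admins[username] = _digest(password)
    state.setup_complete = True
    return True


# Assumed operator management network (constructed value).
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def install_first_admin_hardened(state, remote_ip, username, password):
    """Hardened pattern: refuse once an administrator exists, and honour the
    install page only from authorised addresses (an application-level
    counterpart of the firewall restriction the vendor recommends)."""
    if state.setup_complete or state.admins:
        return False  # first-run endpoint is disabled after installation
    if not any(ipaddress.ip_address(remote_ip) in net for net in ALLOWED_ADMIN_NETS):
        return False  # admin interface reachable only from operator IPs
    state.admins[username] = _digest(password)
    state.setup_complete = True
    return True


def unexpected_forwarding_addresses(sell_settings, operator_wallets):
    """Post-incident check for the 'review SELL settings' step: return every
    coin whose payout wallet is not one the operator actually owns."""
    return {coin: addr for coin, addr in sell_settings.items()
            if addr not in operator_wallets}
```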