Hackers exploit zero-day bug to steal from General Bytes Bitcoin ATMs

The General Bytes ATMs

General Bytes, a manufacturer of Bitcoin ATMs, has confirmed that attackers stole money from its users by exploiting a vulnerability in the company’s software.


An alert issued by General Bytes last week explained that an attacker could remotely create an admin user through the CAS administrative interface by sending a URL request to the page responsible for the server’s default installation. According to the alert, this flaw has been present in CAS software since version 2020-12-08. It is not yet known how many servers have been compromised through this vulnerability, or how much bitcoin has been stolen.

Businesses may use General Bytes’ CAS (Crypto Application Server), a self-hosted product accessible through any computer or mobile device with an internet browser, to operate their Bitcoin ATM (BATM) machines centrally.

Following its discovery, two server patch releases, 20220531.38 and 20220725.22, have been issued to address the zero-day vulnerability in the CAS administrative interface.

According to General Bytes, an unknown threat actor scanned the IP address ranges used by the DigitalOcean cloud hosting service to locate servers running the CAS service on ports 7777 or 443, and then used the vulnerability to create a new default admin account called “gb” on the CAS.

The published report explains that the attacker altered the crypto settings of two-way machines, pointing them at his own wallet and at the “invalid payment address” option, so that when customers sent money to a compromised two-way ATM, the machine forwarded the coins to the attacker’s wallet.

In sum, the attacker’s intention was to change the settings so that any transferred coins would go straight to a wallet address they controlled.
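The two indicators the report describes, an admin account the operator never created and terminal crypto settings that no longer point at the operator’s own wallet, together with the fixed build numbers named above, can be turned into a quick post-incident check. The script below is an added example, not General Bytes’ code; the export format, the expected-admin list and the placeholder wallet addresses are assumptions, and any CAS release line not named in the alert is reported as needing review rather than guessed at.

```python
import re

# Patched server versions named in the General Bytes alert (from the article),
# keyed by release line (YYYYMMDD) -> minimum fixed build number.
PATCHED_BUILDS = {"20220531": 38, "20220725": 22}
FIRST_AFFECTED = "20201208"  # the alert dates the flaw back to this version

# Hypothetical operator baseline (assumed, not from the article).
EXPECTED_ADMINS = {"operator-admin", "auditor"}
EXPECTED_WALLET = "WALLET-OPERATOR-PLACEHOLDER"

VERSION_RE = re.compile(r"^(\d{8})\.(\d+)$")

def version_status(version):
    """Classify a CAS version string 'YYYYMMDD.BUILD' against the fixed builds."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    line, build = m.group(1), int(m.group(2))
    if line < FIRST_AFFECTED:
        return "predates affected range"
    if line in PATCHED_BUILDS:
        return "patched" if build >= PATCHED_BUILDS[line] else "vulnerable"
    return "review"  # release line not named in the alert; confirm with the vendor

def find_indicators(admins, terminals):
    """Flag the two changes the article attributes to the attacker: an admin
    account the operator did not create (the attacker's was named 'gb'), and
    terminals whose crypto settings, including 'invalid payment address',
    no longer point at the operator's own wallet."""
    findings = [f"unexpected admin account: {n}"
                for n in sorted(set(admins) - EXPECTED_ADMINS)]
    for t in terminals:
        kind = "two-way" if t["two_way"] else "one-way"
        for field in ("wallet", "invalid_payment_address"):
            if t[field] != EXPECTED_WALLET:
                findings.append(f"{kind} terminal {t['id']}: {field} -> {t[field]}")
    return findings

# Constructed sample data standing in for a CAS admin/terminal export.
SAMPLE_ADMINS = ["operator-admin", "gb", "auditor"]
SAMPLE_TERMINALS = [
    {"id": "BATM-01", "two_way": True, "wallet": "WALLET-OPERATOR-PLACEHOLDER",
     "invalid_payment_address": "WALLET-ATTACKER-PLACEHOLDER"},
    {"id": "BATM-02", "two_way": False, "wallet": "WALLET-OPERATOR-PLACEHOLDER",
     "invalid_payment_address": "WALLET-OPERATOR-PLACEHOLDER"},
]
```

Running `find_indicators(SAMPLE_ADMINS, SAMPLE_TERMINALS)` on the constructed data reports the stray “gb” account and the redirected invalid-payment address on the two-way terminal, while `version_status` separates builds below the fixed ones from those at or above them.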

Following the disclosure, General Bytes has stressed that it has undergone several security audits since 2020 and that this flaw was never found. It is worth noting, however, that this attack on its ATMs occurred three days after the company officially launched a “Help Ukraine” function on its machines.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her focus on simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
