The company has urged ATM operators to upgrade their software without delay. The amount of money taken and the number of affected ATMs have not been made public.
General Bytes, a maker of bitcoin ATMs, had its servers compromised in a zero-day attack on Thursday: the attackers added themselves as the default administrator and changed settings to direct all payments to their own wallet address.
General Bytes, which owns and manages 8,827 Bitcoin ATMs in more than 120 countries, acknowledged the theft. The company is headquartered in Prague, where its ATMs are also manufactured. ATM customers can buy or sell more than 40 coins.
General Bytes has instructed customers running release 20220531 to stop using their General Bytes ATM servers until the servers have been updated to patch releases 20220725.22 and 20220531.38.
Following the attacker's alterations, the company's Crypto Application Server (CAS) software was updated on Thursday; it was version 20201208 that exposed the vulnerability.
Customers have also been instructed to change their server firewall configuration so that, among other things, the CAS admin interface can only be reached from permitted IP addresses.
General Bytes also advised operators to review their "SELL Crypto Setting" before reactivating the terminals, to make sure the attackers had not altered it so that any received funds would be sent to the attackers rather than to the customers.
General Bytes says that multiple security assessments have been carried out since its founding in 2020, but none of them discovered this issue.
According to a blog post by General Bytes' security advisory team, the attackers exploited a zero-day vulnerability in the company's CAS to steal the money. The CAS controls every aspect of an ATM's operation, including how cryptocurrency is bought and sold on exchanges and which coins are accepted.
The company believes the attackers "scanned for vulnerable servers running on TCP ports 7777 or 443"; among the servers found was one hosted on General Bytes' own cloud service. The attackers then added themselves as a default admin with the username "Gb" and changed the "buy" and "sell" settings on the CAS, so that any cryptocurrency a Bitcoin ATM received would instead be transferred to the attackers' wallet address:
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user.”
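The two defensive measures the article describes, restricting the admin interface to an IP allowlist and watching for the installation page being reached after setup is complete, can be checked against web-server access logs. The following is an added example written for this article, not General Bytes code: it assumes a Common Log Format access log with the listening port appended, uses a placeholder path `/admin/install` for the first-run page that creates the first administrator (the real CAS path is not given in the article), and takes the operator's allowlist of admin IP ranges as input. The sample log lines are constructed.

```python
"""Audit CAS-style admin-interface access logs against an IP allowlist.

Added example for this article, not General Bytes code. Assumptions (not from
the article): logs are in Common Log Format with " port=<n>" appended, the
first-run installation page lives at the placeholder path /admin/install, and
the operator maintains an allowlist of CIDR ranges permitted to reach /admin.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder paths; the real CAS paths are not stated in the article.
INSTALL_PATH = "/admin/install"   # page that creates the first admin user
ADMIN_PREFIX = "/admin"
ADMIN_PORTS = {7777, 443}         # ports the article says were scanned

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ port=(?P<port>\d+)'
)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Aug/2022:03:14:01 +0000] "GET /admin/install HTTP/1.1" 200 512 port=7777',
    '203.0.113.7 - - [18/Aug/2022:03:14:05 +0000] "POST /admin/install?createAdmin=1 HTTP/1.1" 302 0 port=7777',
    '10.0.0.5 - - [18/Aug/2022:09:00:00 +0000] "GET /admin/settings HTTP/1.1" 200 2048 port=443',
    '198.51.100.22 - - [18/Aug/2022:09:05:00 +0000] "GET /admin/settings HTTP/1.1" 200 2048 port=443',
    '198.51.100.22 - - [18/Aug/2022:09:06:00 +0000] "GET /static/logo.png HTTP/1.1" 200 900 port=443',
]


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line):
    """Return a dict of fields for a log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def audit(lines, allowed_cidrs, install_complete=True):
    """Flag admin-interface requests that violate the allowlist or reuse the install page.

    - Any request to the first-run install page after installation is complete
      is flagged regardless of source, since that page should be unreachable.
    - Any other /admin request from an IP outside allowed_cidrs is flagged.
    Only the admin ports (7777 and 443) are considered.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] not in ADMIN_PORTS:
            continue
        if not rec["path"].startswith(ADMIN_PREFIX):
            continue
        src = ipaddress.ip_address(rec["ip"])
        allowed = any(src in net for net in nets)
        if install_complete and rec["path"].startswith(INSTALL_PATH):
            findings.append(Finding(rec["ip"], rec["path"],
                                    "install page reached after installation was completed"))
        elif not allowed:
            findings.append(Finding(rec["ip"], rec["path"],
                                    "admin interface accessed from IP outside allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{f.ip:15} {f.path:35} {f.reason}")
```

With only `10.0.0.0/8` allowlisted, the audit reports the two hits on the install page and the settings request from `198.51.100.22`; the static-asset request is ignored because it is not under the admin prefix. The install-page rule deliberately fires even for allowlisted sources, since the firewall restriction the article describes limits who can reach the interface but does not by itself stop the first-run page from being reused once the server is in production.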