Attackers compromised servers of Bitcoin ATM manufacturer General Bytes on Aug. 18, adding themselves as an admin user and modifying settings so that customer deposits and withdrawals could be diverted.
The company confirmed the attack the same day in a security advisory. It is understood that the Crypto Application Server (CAS), which is used to operate the ATM devices remotely and is also marketed as a separate software product, was compromised via a zero-day vulnerability.
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208,” reads the update page.
The company believes the attackers scanned the Digital Ocean cloud-hosting IP address space for CAS services listening on ports 7777 or 443 and, using this vulnerability in the CAS admin interface, created a new admin user and a new terminal.
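The bug class described above, as an added illustration (this is not General Bytes' code and says nothing about how CAS is actually implemented): a first-run installer page that creates the initial administrator but never checks whether setup has already completed, so any unauthenticated caller who can reach the URL can mint a further admin and then use that account to register a terminal. The route names, the in-memory user store and the request shape are assumptions made for this example; the hardened handler refuses once an admin exists or the setup flag is set.

```python
# Added example, not General Bytes' code. Models a CAS-like admin interface with
# a first-run "create first admin" page in a vulnerable and a hardened form.
# Route paths, the Cas/Request classes and the in-memory store are assumptions.
from dataclasses import dataclass, field
import hashlib
import os


@dataclass
class Request:
    path: str
    params: dict
    authenticated_admin: bool = False  # assumption: set by session middleware


@dataclass
class Cas:
    users: dict = field(default_factory=dict)  # username -> {"hash", "salt", "role"}
    terminals: list = field(default_factory=list)
    setup_complete: bool = False


def _add_user(cas, username, password, role):
    # Store a salted PBKDF2 hash rather than the password itself.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    cas.users[username] = {"hash": digest, "salt": salt, "role": role}


def vulnerable_install(cas, req):
    """Vulnerable: the installer page stays reachable forever and trusts anyone."""
    _add_user(cas, req.params["username"], req.params["password"], "admin")
    return 200


def hardened_install(cas, req):
    """Hardened: first-run only. Once any admin exists or setup has finished,
    the page is treated as if it no longer existed."""
    if cas.setup_complete or any(u["role"] == "admin" for u in cas.users.values()):
        return 404
    _add_user(cas, req.params["username"], req.params["password"], "admin")
    cas.setup_complete = True
    return 201


def create_terminal(cas, req):
    """Registering a terminal requires an authenticated admin session."""
    if not req.authenticated_admin:
        return 403
    cas.terminals.append(req.params["serial"])
    return 201


def dispatch(cas, req, install_handler):
    routes = {"/install/create-admin": install_handler,
              "/admin/terminals": create_terminal}
    handler = routes.get(req.path)
    return handler(cas, req) if handler else 404


def simulate(install_handler):
    """Operator performs first-run setup; later a remote scanner hits the same
    install URL; then whoever got an admin account tries to add a terminal.
    Returns the three status codes and the number of registered terminals."""
    cas = Cas()
    operator = Request("/install/create-admin",
                       {"username": "operator", "password": "long-operator-passphrase"})
    first = dispatch(cas, operator, install_handler)

    # Constructed attacker request: unauthenticated, replaying the install URL.
    intruder = Request("/install/create-admin",
                       {"username": "intruder", "password": "pwned"})
    second = dispatch(cas, intruder, install_handler)

    # If the intruder now holds an admin account, they can log in normally.
    got_admin = cas.users.get("intruder", {}).get("role") == "admin"
    add_terminal = Request("/admin/terminals", {"serial": "BT-0001"},
                           authenticated_admin=got_admin)
    third = dispatch(cas, add_terminal, install_handler)
    return first, second, third, len(cas.terminals)


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_install))  # (200, 200, 201, 1)
    print("hardened:  ", simulate(hardened_install))    # (201, 404, 403, 0)
```

The check a practitioner would want here is the second call: on the hardened server the install page answers 404 after setup, so an Internet-wide scan for the URL finds nothing to abuse; on the vulnerable one it silently succeeds and the new account can go on to register terminals.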
General Bytes also confirmed that the host operating system, host file system, user database, passwords, private keys, and API were not compromised.
The extent of the damage is unknown, as neither the amount stolen nor the number of ATMs affected has been disclosed, but the firm has advised ATM operators to update the software immediately and to stop using their ATMs until the patch releases are installed.
“Make sure you run the Crypto Settings tests to verify that your crypto addresses and strategies are correct. The attacker might have changed your SELL Crypto Settings to receive coins from customers into his wallet,” cautioned General Bytes.
The Prague-based company has close to 9,000 ATMs in service. General Bytes manufactures them in the Czech Republic and sells them in more than 120 countries.