Recently, the Czech Republic-based Bitcoin ATM manufacturer General Bytes announced that its servers had been breached and that the hack meant all of the crypto funds flowing into its Bitcoin ATMs could be redirected to hackers’ wallets instead.

This news came as a shock to the cryptocurrency community, as General Bytes is one of the leading manufacturers of Bitcoin ATMs. The company has over 8,000 machines installed in 120 countries around the world. Its flagship Crypto Application Server (CAS) powers the ATMs and allows them to offer a number of features, including purchases and sales of cryptocurrency.
How Did The Hack Occur?
The attackers exploited a zero-day vulnerability in the company’s Crypto Application Server (CAS). They were able to remotely create an admin user through URL manipulation on the CAS administrative interface page, which is used to log into the server, perform the initial setup, and create administration users.

According to General Bytes, the hackers searched the internet for vulnerable servers running on TCP ports 7777 or 443, which included servers hosted by Digital Ocean and General Bytes’ own cloud service.
The attackers then took advantage of the bug to add a default admin user called ‘Gb’ to CAS. They also modified the ‘buy’ and ‘sell’ crypto settings, as well as the ‘invalid payment address’ setting, so that they would use a cryptocurrency wallet under the hackers’ control.
By modifying these settings, the threat actors were able to reroute any cryptocurrency received by CAS directly to themselves through two-way ATMs. General Bytes also stated that since the platform’s inception in 2020 it has been subjected to numerous security audits, none of which found this particular flaw.
Steps taken by General Bytes
In response to the spate of recent hacks where criminals have stolen thousands of dollars worth of cryptocurrency, General Bytes has urged their clients not to use their Bitcoin ATMs until they have applied two server patch releases, 20220531.38 and 20220725.22, on their servers.

It is not known when the patches will be released, but the company said that it would provide an update as soon as they are available. It also included a checklist of steps that need to be completed on the device before putting it back into service.
General Bytes also warned customers to check their “SELL Crypto Setting” after reactivating the terminals to ensure that the intruders did not tamper with that particular setting. It’s critical to note that the hackers could not have carried out these attacks if the servers had only allowed connections from trusted IP addresses. Therefore, it is vital to configure firewalls to permit access to the Crypto Application Server only from IP addresses that can be trusted.
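As an added illustration, not General Bytes’ own code or configuration schema, the following script audits an exported server settings file for the two kinds of tampering described above: an admin user the operator never created, and buy/sell or invalid-payment-address wallets that are not on the operator’s allowlist. The export format, field names and wallet strings are assumed placeholders constructed for the example.

```python
"""
Post-incident audit of a CAS-style settings export, modelled on the indicators
described in the article. The export format, field names and wallet values
below are assumptions for illustration, not the vendor's real schema.
"""
import json

# Constructed sample export: one legitimate admin plus an unexpected 'Gb'
# user, and sell/invalid-payment settings pointing at a wallet the operator
# does not own. Wallet strings are placeholders, not real addresses.
SAMPLE_EXPORT = json.dumps({
    "admin_users": [
        {"username": "ops-admin", "created": "2021-03-04T10:00:00Z"},
        {"username": "Gb", "created": "2022-08-18T02:13:44Z"},
    ],
    "crypto_settings": {
        "buy": {"wallet": "OPERATOR-BUY-WALLET-PLACEHOLDER"},
        "sell": {"wallet": "UNKNOWN-WALLET-PLACEHOLDER"},
        "invalid_payment_address": "UNKNOWN-WALLET-PLACEHOLDER",
    },
})

# Operator-maintained allowlists (assumed values kept outside the server).
KNOWN_ADMINS = {"ops-admin"}
KNOWN_WALLETS = {"OPERATOR-BUY-WALLET-PLACEHOLDER",
                 "OPERATOR-SELL-WALLET-PLACEHOLDER"}


def audit_settings(export_json, known_admins, known_wallets):
    """Return a list of findings; an empty list means nothing unexpected."""
    data = json.loads(export_json)
    findings = []
    # Any admin account not on the allowlist is reported with its creation time.
    for user in data.get("admin_users", []):
        if user["username"] not in known_admins:
            findings.append(f"unexpected admin user: {user['username']} "
                            f"(created {user['created']})")
    settings = data.get("crypto_settings", {})
    # Buy and sell payout wallets must belong to the operator.
    for side in ("buy", "sell"):
        wallet = settings.get(side, {}).get("wallet")
        if wallet not in known_wallets:
            findings.append(f"{side} wallet not in allowlist: {wallet}")
    # The fallback address for invalid payments is checked the same way.
    invalid_addr = settings.get("invalid_payment_address")
    if invalid_addr not in known_wallets:
        findings.append(f"invalid payment address not in allowlist: {invalid_addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_EXPORT, KNOWN_ADMINS, KNOWN_WALLETS):
        print("FINDING:", finding)
```

Run it against the real export before returning a terminal to service; any finding should be resolved together with the vendor checklist.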