Bitcoin and cryptocurrency ATM manufacturing company General Bytes has announced that their software has been hacked.

vulnerability on the Crypto Application Server to create administrator accounts. Hackers have begun forwarding the cryptocurrency that customers sent to the ATMs to their own wallets.

While cryptocurrencies are slowly becoming mainstream despite the controversies, the Bitcoin and cryptocurrency ATM manufacturer General Bytes has announced that its machines have been hacked. The attacks succeeded because of a vulnerability in the company's Crypto Application Server (CAS).

Creating administrator accounts

Crypto Application Server is a browser-based management interface for BATM (Bitcoin ATM) systems. The attackers found a way to create an administrator-level user through the CAS interface by calling the URL of the page that is used during default installation to create the first admin-level user. Exploiting this zero-day vulnerability, the attackers followed the steps below:

1. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7777 or 443. This included the General Bytes Cloud service and other GB ATM operators running their own servers there, since Digital Ocean is a recommended cloud hosting provider.

2. Using this security vulnerability, the attacker created a new default admin user, organization, and terminal.

3. The attacker accessed the CAS interface and renamed the default admin user to ‘gb’.

4. The attacker modified the crypto settings of two-way machines, replacing the wallet settings and the ‘invalid payment address’ setting with the attacker's own wallet.

5. Two-way ATMs started forwarding coins to the attacker’s wallet whenever customers sent coins to the ATMs.

Karel Kyovsky, owner of General Bytes, stated that the company has conducted multiple security audits since 2020, none of which identified this vulnerability. He also stated that the attacks began 3 days after the company announced the “Help Ukraine” feature on its ATMs.

Currently, there is no information about how much cryptocurrency has been stolen. The company urges its customers to update their CAS software immediately and to reconfigure their firewalls so that TCP ports 7777 and 443 are inaccessible from unknown IP addresses.
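As an added example (not General Bytes' own code or tooling), the following Python helper turns an operator's allowlist into an nftables ruleset that restricts TCP 7777 and 443 to known addresses, and mirrors the accept/drop decision so the policy can be checked before it is loaded. The table name, the `nft -f` loading step and the sample allowlist are assumptions.

```python
import ipaddress

# Ports named in the General Bytes advisory as the ones CAS listens on.
CAS_PORTS = (7777, 443)


def _parse_allowlist(allowlist):
    """Validate operator-supplied IPv4 addresses/CIDRs; reject anything malformed."""
    nets = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry.strip(), strict=False)  # ValueError on junk
        if net.version != 4:
            raise ValueError(f"only IPv4 entries are supported here: {entry}")
        nets.append(net)
    if not nets:
        raise ValueError("allowlist is empty; it would lock out every operator")
    return nets


def build_cas_firewall_ruleset(allowlist, ports=CAS_PORTS):
    """Return an nftables ruleset (assumed table name) that accepts the CAS ports
    only from the allowlist and drops every other connection to those ports."""
    nets = _parse_allowlist(allowlist)
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    src_set = "{ " + ", ".join(str(n) for n in nets) + " }"
    return "\n".join([
        "table inet cas_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
        f"    tcp dport {port_set} ip saddr {src_set} accept",
        f"    tcp dport {port_set} drop",
        "  }",
        "}",
    ])


def is_cas_access_allowed(allowlist, src_ip, dport, ports=CAS_PORTS):
    """Mirror the ruleset's decision in Python so the policy can be unit-tested
    before it is loaded with `nft -f`."""
    if dport not in ports:
        return True  # not a CAS port; this ruleset leaves it alone
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in _parse_allowlist(allowlist))


if __name__ == "__main__":
    # Constructed sample allowlist (documentation ranges), not real operator addresses.
    print(build_cas_firewall_ruleset(["203.0.113.0/24", "198.51.100.7"]))
```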