Hackers exploit zero day bug to steal from General Bytes Bitcoin ATMs

Published at: Aug. 22, 2022

Bitcoin ATM manufacturer General Bytes had its servers compromised via a zero-day attack on Aug. 18, which enabled the hackers to make themselves the default admins and modify settings so that all funds would be transferred to their wallet address.

The amount of funds stolen and the number of ATMs compromised have not been disclosed, but the company has urgently advised ATM operators to update their software.

General Bytes, which owns and operates 8827 Bitcoin ATMs that are accessible in over 120 countries, confirmed the hack on Aug. 18. The company is headquartered in Prague, Czech Republic, which is also where the ATMs are manufactured. ATM customers can buy or sell over 40 coins.

The vulnerability has been present since the hacker’s modifications updated the CAS software to version 20201208 on Aug. 18.

General Bytes has urged customers to refrain from using their General Bytes ATM servers until they update to patch release 20220725.22, or to 20220531.38 for customers running on 20220531.

Customers have also been advised to modify their server firewall settings so that the CAS admin interface can only be accessed from authorized IP addresses, among other things.

Before reactivating the terminals, General Bytes also reminded customers to review their ‘SELL Crypto Setting’ to ensure that the hackers didn’t modify the settings such that any received funds would instead be transferred to them (and not the customers).

General Bytes stated that several security audits had been conducted since its inception in 2020, none of which identified this vulnerability.

How the attack happened

General Bytes’ security advisory team stated in the blog that the hackers exploited a zero-day vulnerability to gain access to the company’s Crypto Application Server (CAS) and extract the funds.

The CAS server manages the ATM’s entire operation, including the execution of crypto purchases and sales on exchanges and the selection of which coins are supported.


The company believes the hackers “scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service.”
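For operators acting on the firewall advice earlier in the article, the following added example (not General Bytes' code) audits `iptables-save` output and reports whether TCP 7777 or 443 is accepted from an arbitrary IPv4 source. It assumes an iptables-based firewall and that the CAS admin interface listens on those two ports; the ruleset and addresses are constructed.

```python
import ipaddress
import shlex
ADMIN_PORTS = (7777, 443)  # TCP ports named in the quoted advisory text
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed iptables-save excerpt, not from a real server (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,443 -j ACCEPT
COMMIT
"""

def _ports(spec):
    """Expand '443', '22,443' or '7000:8000' into a set of port numbers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def open_to_any_source(rules_text, chain="INPUT"):
    """Map each admin port to the rule or policy that accepts it from any IPv4 source, else None."""
    policy, rules = "ACCEPT", []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == f":{chain}":
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rules.append((line, dict(zip(tok[2:], tok[3:]))))  # option -> following token
    verdict = {}
    for port in ADMIN_PORTS:
        verdict[port] = f"policy {policy}" if policy == "ACCEPT" else None
        for line, o in rules:  # first matching terminal rule wins, as in iptables
            spec = o.get("--dport") or o.get("--dports")
            state = o.get("--ctstate") or o.get("--state") or "NEW"
            src = ipaddress.ip_network(o.get("-s", "0.0.0.0/0"), strict=False)
            if (o.get("-p", "tcp") not in ("tcp", "all")
                    or o.get("-i") == "lo"
                    or "NEW" not in state.split(",")
                    or (spec and port not in _ports(spec))
                    or src != ANY):  # source-restricted: an arbitrary address never matches
                continue
            if o.get("-j") in ("ACCEPT", "DROP", "REJECT"):  # custom chains are not followed
                verdict[port] = line if o["-j"] == "ACCEPT" else None
                break
    return verdict
```

On the constructed ruleset, `open_to_any_source(SAMPLE_RULES)` reports 7777 as restricted and 443 as open through the multiport rule. IPv6 (`ip6tables`) rules and negated (`!`) matches are outside what this check covers.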

From there, the hackers added themselves as a default admin on the CAS, named ‘gb’, and then proceeded to modify the ‘buy’ and ‘sell’ settings such that any crypto received by the Bitcoin ATM would instead be transferred to the hacker’s wallet address:

"The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user."