Hackers exploited zero-day vulnerability to steal crypto from Bitcoin ATMs
Bitcoin ATM manufacturer General Bytes is the latest victim of a cyberattack. Hackers exploited a zero-day vulnerability in the ATM software to steal cryptocurrency from its users.
Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS), which manages the ATM’s operation. Bitcoin ATMs let people buy or sell over 40 different cryptocurrencies on exchanges. Hackers managed to exploit a zero-day vulnerability in CAS to steal cryptocurrency when customers deposited or purchased cryptocurrency via the ATM.
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” the company said in an advisory last week. “This vulnerability has been present in CAS software since version 2020-12-08.”
The company believes that hackers identified CAS services on ports 7777 or 443 by scanning the DigitalOcean cloud hosting IP address space, and then abused the flaw to add a new default admin user named “gb” to the CAS.
General Bytes confirmed that the vulnerability has been present in CAS software since version 20201208. The company is therefore warning customers not to operate their Bitcoin ATMs until the server patches have been released and applied to their servers.
Surprisingly, the company says it has conducted multiple security audits since 2020 but never identified the issue. The attack could have been avoided had access to the Crypto Application Server been restricted to trusted IP addresses, such as the ATM’s location or the customer’s offices.
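The two defensive controls implied by the article, a first-run setup route that closes permanently once an administrator exists and an allowlist of trusted networks in front of the administrative interface, as an added illustration that is not General Bytes' code; the store, the network ranges and the route name are assumptions:

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical minimal stand-in for the server's administrator store.
@dataclass
class AdminStore:
    admins: dict = field(default_factory=dict)  # username -> password-hash placeholder

    def has_admin(self) -> bool:
        return bool(self.admins)

# Constructed allowlist: only these networks may reach the admin interface at all.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),    # ATM site LAN (constructed)
    ipaddress.ip_network("203.0.113.0/24"),  # operator offices (TEST-NET-3, constructed)
]

def client_is_trusted(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def first_admin_setup(store: AdminStore, client_ip: str,
                      username: str, password: str) -> tuple:
    """Hypothetical installation route that creates the initial administrator.

    Returns (http_status, message). Two checks matter here:
    1. the route is unreachable from outside the allowlisted networks;
    2. once any administrator exists the route is closed for good, so a later
       URL call to the install page cannot create a second admin user.
    """
    if not client_is_trusted(client_ip):
        return 403, "admin interface is not reachable from this network"
    if store.has_admin():
        return 410, "installation already completed; setup route disabled"
    if len(password) < 12:
        return 400, "password too short"
    store.admins[username] = "argon2id-hash-placeholder"  # real code stores a password hash
    return 201, f"created first administrator {username!r}"
```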