Threat actors exploit a General Bytes zero-day to steal funds from bitcoin ATMs
Threat actors have exploited a zero-day vulnerability in the General Bytes bitcoin ATM server to steal BTC from multiple customers.
Threat actors have taken advantage of a zero-day flaw in the General Bytes bitcoin ATM server that allows them to hijack transactions involving deposits and withdrawals.
GENERAL BYTES is the world’s largest Bitcoin, Blockchain and Cryptocurrency ATM manufacturer.
The ATM machines manufactured by the company are controlled remotely by the Crypto Application Server (CAS), which manages the operation of the devices.
The company published a security advisory on August 18th acknowledging the existence of a zero-day flaw actively exploited by threat actors in the wild. Attackers exploited the problem to create an administrator user account through the CAS admin panel.
“The attacker was able to create an admin user remotely through the CAS administrative interface via a URL call to the page used for the default installation on the server and create the first administration user. This vulnerability has existed in the CAS software since version 20201208. Read more details in the ‘What happened’ section.” reads the advisory.
Active exploitation of the issue was also confirmed by BleepingComputer, which was contacted by a General Bytes customer who told them the attackers were stealing bitcoins from their ATMs.
As per the advisory, the issue is in the CAS admin interface. Threat actors scanned the DigitalOcean cloud hosting IP address space for servers exposing ports 7777 or 443, the ports used by CAS services. They then exploited the vulnerability to create a new default admin user, organization, and terminal. Using the CAS interface, the attackers renamed the default admin user to ‘gb’, then modified the wallet settings and the crypto settings of the two-way machines, including the ‘Invalid Payment Address’ setting.
With these settings in place, coins that customers sent to the ATM were forwarded to the attacker’s wallet.
According to the advisory, the attacks began three days after the company publicly announced a Help Ukraine feature on its ATMs.
General Bytes recommends that customers install the two server patch releases.
The company also shared instructions on configuring server firewalls so that access to the Crypto Application Server is restricted to trusted addresses.
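The two observations above (a call to the default installation page creating the first admin user, and admin access arriving from scanned-for public addresses rather than an operator's own network) translate directly into a hunting rule for operators who front the CAS with a web server. The script below is an added example, not code from General Bytes or from the advisory. It assumes Combined Log Format access logs, and the paths `INSTALL_PATH` and `ADMIN_PREFIX` are hypothetical placeholders because the article does not name the real installation URL; the log lines are constructed, not a real capture.

```python
"""Hunting for the General Bytes CAS zero-day pattern in access logs.

Added example, not code from General Bytes or from the advisory. It assumes the
CAS admin interface sits behind a web server that writes Combined Log Format
access logs, and it uses two hypothetical paths (INSTALL_PATH and ADMIN_PREFIX)
because the article does not name the real installation URL.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical paths: the advisory only says "the page used for the default
# installation" and "the CAS administrative interface".
INSTALL_PATH = "/install"
ADMIN_PREFIX = "/admin"

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    ip: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines: Iterable[str], trusted_nets: Iterable[str],
         install_done: bool = True) -> List[Finding]:
    """Flag the two behaviours the advisory describes.

    1. Any request to the installation page once setup is complete (or, during
       setup, from outside the allow-list): that page is what the attackers
       called to create the first admin user.
    2. Any request to the admin interface from an address outside the
       allow-list, i.e. exactly what the recommended firewall rules should block.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        trusted = any(ip in net for net in nets)
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if path.startswith(INSTALL_PATH) and (install_done or not trusted):
            findings.append(Finding(rec["ip"],
                            "installation page reached; first-admin creation path", line))
        elif path.startswith(ADMIN_PREFIX) and not trusted:
            findings.append(Finding(rec["ip"],
                            "admin interface reached from outside the allow-list", line))
    return findings


# Constructed sample log, not a real capture. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for scanner/attacker addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2022:09:12:01 +0000] "GET /install HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.7 - - [18/Aug/2022:09:12:03 +0000] "POST /install HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [18/Aug/2022:09:12:10 +0000] "POST /admin/users HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.10.0.5 - - [18/Aug/2022:09:30:00 +0000] "GET /admin/terminals HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Aug/2022:09:45:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.85.0"
this line is garbage and must be skipped
"""

TRUSTED_NETS = ["10.10.0.0/16"]  # the operator's management network (assumed)


def run_sample() -> List[Finding]:
    """Run the hunt over the constructed sample with setup already complete."""
    return hunt(SAMPLE_LOG.splitlines(), TRUSTED_NETS, install_done=True)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ip:15} {f.reason}")
```

Run against the sample, the script flags the two hits on the installation page and the admin request from 203.0.113.7, while the operator's own request from 10.10.0.5 passes. The allow-list is the same list of trusted addresses the firewall should enforce on ports 7777 and 443; running the hunt is a way to confirm the firewall is actually doing so, and to find admin sessions that predate it.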
Pierluigi Paganini