General Bytes ATM operators have since confirmed that $16,000 in digital assets was swiped in the hack.

Zero-Day Vulnerability in Bitcoin ATMs

An announcement by General Bytes last Thursday, Aug. 18, explained that as-yet-unknown threat actors exploited a major security hole in the Crypto Application Server (CAS) system that remotely runs their Bitcoin and crypto ATMs. The company operates over 8,000 of these machines across 120 countries, allowing users to buy or sell various cryptocurrencies. The company’s security advisory revealed that the hackers took a layered approach to the attack. First, they discovered the CAS zero-day vulnerability, a software flaw that threat actors exploit before developers have had a chance to fix it. Next, the hackers scanned for exposed servers via the internet and on General Bytes’ cloud service (GB Cloud). This scheme ultimately allowed the hackers to divert cryptocurrency arriving at Bitcoin ATMs (BATMs) to their own crypto-wallets. Had the CAS servers been firewalled to only permit trusted IP (Internet Protocol) addresses through ports 7777 and 443, the attack would have been foiled, according to the General Bytes security advisory.

CAS Vulnerability Exploited by Hackers

The crypto swindlers were able to manipulate the CAS administrative interface remotely via a URL call on one of its pages, which allowed them to log in as the first admin user, the advisory said. “This vulnerability has been present in CAS software since version 20201208.” Hackers combed the Digital Ocean cloud hosting IP address space and discovered CAS services running on ports 7777 or 443. They then created a new default admin user, organization, and terminal spaces, renaming the default admin user name to “gb.” “The attacker modified the crypto settings of a number of two-way machines and inserted his own wallet address into the ‘Invalid Payment Address’ setting.” As a result, two-way General Bytes BATMs began forwarding cryptocurrency assets to the attackers’ crypto-wallets whenever customers sent invalid payments to the machines. Notably, a “Help Ukraine” feature implemented on the crypto ATMs just days before the incident may have spurred the attacks, the advisory noted.

Customer Security Recommendations

Ultimately, the hackers could not hijack host operations or file systems, nor did they gain access to any databases, passwords, or private keys. All affected BATM operators were notified within hours of the breach, and the Czech police were alerted on the afternoon of Aug. 22. According to the advisory, “2-way BATMs hosted on the GB Cloud have been deactivated as a security precaution” and should not be operated without implementing CAS server patch releases 20220531.38 and 20220725.22. Furthermore, the advisory includes a long list of other security steps to take, including stopping the admin and master service, modifying firewall settings, reviewing all CAS users, resetting user passwords, and more. Customers should particularly check that their “SELL Crypto Setting” has not been modified in any way. Meanwhile, BATM operators are encouraged to fill in an assessment form to help the ongoing investigation. Cryptocurrency-related incidents, like cryptojacking, are almost a daily occurrence nowadays. The FBI reported last month that $42.7 million in cryptocurrency assets was stolen by fake applications alone. For these reasons, it is vital that you familiarize yourself with the latest Bitcoin and cryptocurrency scams and equip yourself with a powerful VPN for your online cryptocurrency transactions. Finally, remember to prefer hardware cold wallets for storing your digital assets.
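The advisory's checklist (review all CAS users, confirm the “Invalid Payment Address” / SELL settings are unchanged, and make sure ports 7777 and 443 only accept trusted IPs) as an added audit example; this is not General Bytes code, and the JSON export shape, its field names, the admin names, wallet strings and network ranges are all constructed assumptions for illustration rather than the real CAS format.

```python
"""Post-incident audit of a (hypothetical) CAS configuration export."""
import ipaddress
import json

# Constructed sample export: the schema is an assumption, not the real CAS format.
SAMPLE_EXPORT = json.dumps({
    "admin_users": [
        {"name": "gb", "created": "2022-08-18"},          # unknown admin, renamed by attacker
        {"name": "ops-admin", "created": "2021-03-01"},   # legitimate operator account
    ],
    "terminals": [
        {"id": "BT100001", "two_way": True,
         "sell_crypto": {"invalid_payment_address": "bc1qattackerplaceholder"}},
        {"id": "BT100002", "two_way": False,
         "sell_crypto": {"invalid_payment_address": "bc1qoperatorplaceholder"}},
    ],
    "firewall": {"listen_ports": [7777, 443], "allowed_sources": ["0.0.0.0/0"]},
})

# Operator-owned baseline (placeholders): known admins, own wallet, trusted management nets.
KNOWN_ADMINS = {"ops-admin"}
OPERATOR_WALLET = "bc1qoperatorplaceholder"
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, stands in for real office IPs


def audit(export_json: str) -> list[str]:
    """Return one finding per deviation from the operator baseline."""
    cfg = json.loads(export_json)
    findings = []
    # 1. Review all CAS users: any admin not on the known list is suspicious.
    for user in cfg["admin_users"]:
        if user["name"] not in KNOWN_ADMINS:
            findings.append(f"unexpected admin user '{user['name']}' created {user['created']}")
    # 2. Check the SELL crypto settings: the invalid-payment address must be the operator's own.
    for term in cfg["terminals"]:
        addr = term["sell_crypto"]["invalid_payment_address"]
        if addr != OPERATOR_WALLET:
            findings.append(f"terminal {term['id']}: Invalid Payment Address changed to {addr}")
    # 3. Firewall: CAS ports must only be reachable from trusted source ranges.
    for src in cfg["firewall"]["allowed_sources"]:
        net = ipaddress.ip_network(src)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS):
            ports = cfg["firewall"]["listen_ports"]
            findings.append(f"ports {ports} reachable from {src}; restrict to trusted IPs")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print("FINDING:", line)
```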
