Bitcoin ATM manufacturer General Bytes has confirmed that its servers were compromised by a zero-day attack over the weekend.
As a result of the hack, all funds going into General Bytes ATMs were siphoned off to the hackers.
Based in Prague, Czech Republic, General Bytes owns and operates 8,827 Bitcoin ATMs, which are accessible across more than 120 countries. Customers can use General Bytes ATMs to buy or sell over 60 supported currencies.
General Bytes has issued a statement confirming that the hack took place on August 18th, but has not yet revealed the amount of funds or the number of ATMs compromised. The hack occurred because the hackers exploited a vulnerability in the ATM software.
In the statement, General Bytes reported that the hackers made themselves admins through a zero-day attack. With this access, the hackers were able to modify settings so that all funds that went through the system would be transferred to the hackers’ wallet addresses instead.
A zero-day vulnerability in a system, software, or device is a vulnerability that has been identified but has not yet been patched. Because the flaw is known before a fix is available, hackers race to exploit it once it has been reported.
The hacker’s modifications updated the Crypto Application Server (CAS) software to version 20201208 on Aug. 18, resulting in the detection of the vulnerability. General Bytes said that several security audits had been conducted since 2020, but the vulnerability in question was not identified until now.
General Bytes has urged customers to refrain from using General Bytes ATM servers until they have updated their servers to patch release 20220725.22, or 20220531.38 for customers running on 20220531.
Customers have been advised to adjust their server firewall settings so that the admin interface is reachable only from authorised IP addresses and entities. In addition, General Bytes urges customers to review their “SELL Crypto Setting” to confirm that received or sent funds have not been redirected to the hackers’ wallet addresses.
General Bytes Bitcoin hack: How the vulnerability worked
Hackers gained access to the company’s Crypto Application Server (CAS) through a zero-day vulnerability attack. Through the attack, the hackers were soon able to modify the CAS software to access and extract funds that were in the system.
General Bytes’ CAS manages the entire operational logistics of the Bitcoin ATM system – including features which allow for the buying and selling of crypto on supported exchanges and coins.
General Bytes’ security advisory team suspects that the hackers “scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ own cloud service” in order to exploit the vulnerability.
The modifications made by the hackers include adding themselves as default admin to the CAS system, then setting features so that any crypto received by the Bitcoin ATM will instead be transferred to wallet addresses belonging to the hackers.
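The firewall advice above (admin interface reachable only from authorised addresses, with TCP 7777 and 443 named as the exposed ports) can be expressed as an nftables ruleset. The following is an added example, not General Bytes' own configuration; the allowlisted addresses and the table name are constructed placeholders.

```nft
# Added example (not from the General Bytes advisory): expose the CAS admin
# interface on TCP 7777 and 443 only to an allowlist of operator addresses,
# log rejected attempts for review, and drop everything else. The addresses
# below are placeholders from the documentation ranges; replace them with the
# operator hosts that really need admin access.
table inet cas_admin {
    # Operator hosts permitted to reach the admin interface (assumed values).
    set admin_allow {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 198.51.100.0/28 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep loopback and already-established sessions working.
        iif "lo" accept
        ct state established,related accept

        # Remote administration (SSH) from the same allowlist only.
        tcp dport 22 ip saddr @admin_allow accept

        # CAS admin interface: allowlisted sources only.
        tcp dport { 443, 7777 } ip saddr @admin_allow accept

        # Anything else aimed at the admin ports is logged (rate limited so a
        # scan cannot flood the log) and then dropped by the chain policy.
        tcp dport { 443, 7777 } limit rate 10/minute log prefix "cas-admin-denied: "
    }
}
```

Because the chain policy is drop, any other service the CAS host must provide needs its own explicit accept rule; the denied-attempt log lines give operators a simple signal of scanning against the admin ports.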