Zero Day Exploit Hits General Bytes Bitcoin ATM Servers

By kev_nag | 22 Aug 2022


“On August 18th, the world’s largest Bitcoin ATM manufacturer, General Bytes discovered a security flaw. Hackers used a zero-day vulnerability to create an admin user account through the CAS admin panel. This resulted in Bitcoins being siphoned off by the hackers. The attacks used a zero-day vulnerability in the company’s Crypto Application Server (CAS). The CAS manages how the ATM operates, which cryptos are supported, and how cryptocurrency purchases and sales are carried out on exchanges” [Tahrlyani, R. Bitcoin ATM General Bytes Hacked Due to Zero Day Bug. (Accessed August 22, 2022)].

“When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers [...] It is unclear how many servers were breached using this vulnerability and how much cryptocurrency was stolen.” [Abrams, L. Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug. (Accessed August 22, 2022)].

According to the Security Advisory published by General Bytes on August 18, 2022, the attack proceeded as follows:

  1. The attacker identified a security vulnerability in the CAS admin interface.

  2. The attacker scanned Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7777 or 443, including the General Bytes Cloud service and other GB ATM operators running their servers there, as Digital Ocean is a recommended cloud hosting provider.

  3. Using this security vulnerability, the attacker created a new default admin user, organization, and terminal.

  4. The attacker accessed the CAS interface and renamed the default admin user to ‘gb’.

  5. The attacker modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting.

  6. Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM.

[Kyovsky, K. Security Incident August 18th 2022. (Accessed August 22, 2022)].

Regarding this incident, General Bytes has stated that:

  1. The attacker didn’t gain access to the host operating system.

  2. The attacker didn’t gain access to the host file system.

  3. The attacker didn’t gain access to the database.

  4. The attacker didn’t gain access to any passwords, password hashes, salts, private keys or API keys.

[Id].

“The vulnerability has been present since the hacker’s modifications updated the CAS software to version 20201208 on Aug. 18. General Bytes has urged customers to refrain from using their General Bytes ATM servers until they update their server to patch releases 20220725.22, and 20220531.38 for customers running on 20220531. Customers have also been advised to modify their server firewall settings so that the CAS admin interface can only be accessed from authorized IP addresses, among other things. Before reactivating the terminals, General Bytes also reminded customers to review their “SELL Crypto Setting” to ensure that the hackers didn’t modify the settings such that any received funds would instead be transferred to them (and not the customers).”

[Lindrea, B. Hackers exploit zero day bug to steal from General Bytes Bitcoin ATMs. (Accessed August 22, 2022)].
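The attack steps above leave two traces an operator can check for before bringing terminals back online: an admin account the operator never created (the attacker renamed theirs to ‘gb’), and terminal crypto settings whose payout wallet or ‘invalid payment address’ points at a wallet the operator does not own, which is exactly the “SELL Crypto Setting” review the advisory asks for. The following audit is an added example written for this post; it is not General Bytes code and not taken from the advisory. The real CAS export or API format is not described here, so the dictionary layout, field names (`sell_wallet`, `invalid_payment_address`) and the sample data are all assumptions, and the wallet strings are constructed placeholders, not real addresses.

```python
"""Tamper audit for a Bitcoin ATM operator's server settings.

Added example, not General Bytes code. It looks for the two traces the
advisory describes: an admin account the operator never created, and
terminal payout settings that forward coins to an unknown wallet.

ASSUMPTION: the dict layout below is hypothetical; the real CAS export
format is not described on the page. Adapt the field names to whatever
your server actually exports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    terminal: str   # terminal identifier
    field: str      # e.g. "BTC.sell_wallet"
    value: str      # the address found in the settings
    reason: str


def audit_admins(current_admins, expected_admins):
    """Return admin usernames present on the server but unknown to the operator."""
    return sorted(set(current_admins) - set(expected_admins))


def audit_terminals(terminals, known_wallets):
    """Flag every payout-related address that is not in the operator's allow-list.

    known_wallets maps coin symbol -> set of addresses the operator controls.
    Both 'sell_wallet' (where coins customers sell are forwarded) and
    'invalid_payment_address' (fallback destination) are checked, because the
    advisory says the attacker changed both kinds of setting. Every terminal is
    checked, not only two-way machines, so a one-way terminal that was also
    touched does not slip through.
    """
    findings = []
    for term in terminals:
        for coin, settings in term.get("crypto_settings", {}).items():
            allowed = known_wallets.get(coin, set())
            for fld in ("sell_wallet", "invalid_payment_address"):
                addr = settings.get(fld)
                if addr is None:          # field not configured on this terminal
                    continue
                if addr not in allowed:
                    findings.append(Finding(term["terminal_id"], f"{coin}.{fld}",
                                            addr, "address not in operator allow-list"))
    return findings


# --- constructed sample data (placeholder strings, not real addresses) ---
EXPECTED_ADMINS = {"ops-admin", "finance-ro"}
SERVER_ADMINS = ["ops-admin", "finance-ro", "gb"]   # 'gb' was never created by the operator

KNOWN_WALLETS = {
    "BTC": {"bc1-operator-hot-wallet", "bc1-operator-fallback"},
    "LTC": {"ltc-operator-hot-wallet"},
}

TERMINALS = [
    {"terminal_id": "ATM-01",
     "crypto_settings": {"BTC": {"sell_wallet": "bc1-operator-hot-wallet",
                                 "invalid_payment_address": "bc1-operator-fallback"}}},
    {"terminal_id": "ATM-02",   # tampered: both BTC destinations point elsewhere
     "crypto_settings": {"BTC": {"sell_wallet": "bc1-ATTACKER-wallet",
                                 "invalid_payment_address": "bc1-ATTACKER-wallet"},
                         "LTC": {"sell_wallet": "ltc-operator-hot-wallet"}}},
    {"terminal_id": "ATM-03",   # buy-only terminal, no sell wallet configured
     "crypto_settings": {"BTC": {"sell_wallet": None}}},
]


def run_audit(admins=SERVER_ADMINS, terminals=TERMINALS):
    """Return (unexpected_admins, findings). Anything non-empty means do not
    bring the terminals back online until it is explained."""
    return audit_admins(admins, EXPECTED_ADMINS), audit_terminals(terminals, KNOWN_WALLETS)


if __name__ == "__main__":
    rogue_admins, findings = run_audit()
    for name in rogue_admins:
        print(f"UNEXPECTED ADMIN: {name}")
    for f in findings:
        print(f"{f.terminal} {f.field} = {f.value}: {f.reason}")
```

On the constructed data the audit reports the ‘gb’ account and both BTC destinations on ATM-02. The allow-list is deliberately the only source of truth: comparing settings against a previous export would miss a change made before the export was taken, whereas a list of wallets the operator actually holds keys for cannot be satisfied by an attacker's address.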

Prior to discovering this exploit, your author admits he had no idea as to what exactly a ‘zero day vulnerability’ was. So for anyone in the same boat, read on.

The words vulnerability, exploit, and attack are typically used alongside zero-day, and it’s helpful to understand the difference:

  • A zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has become aware of it. Because the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed.
  • A zero-day exploit is the method hackers use to attack systems with a previously unidentified vulnerability.
  • A zero-day attack is the use of a zero-day exploit to cause damage to or steal data from a system affected by a vulnerability.

[Kaspersky Lab. What is a Zero-day Attack? - Definition and Explanation. (Accessed August 22, 2022)].

In essence, “[t]he term ‘zero-day’ refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it” [Id].

General Bytes “owns and operates 8827 Bitcoin ATMs that are accessible in over 120 countries. The company is headquartered in Prague, Czech Republic, which is also where the ATMs are manufactured. ATM customers can buy or sell over 40 coins” [Lindrea, supra].
