Hackers exploited the zero-day flaw to steal crypto from Bitcoin ATMs

Exploitation of a zero-day flaw let attackers steal customer cryptocurrency funds from Bitcoin ATMs

Cybercriminals use zero-day flaws. Hackers exploit zero-day bugs to cash in.

Hackers exploited flaws in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers. People would deposit or purchase cryptocurrency via the ATM, and these funds would instead be stolen by the hackers.[1] General Bytes is the manufacturer of Bitcoin ATMs that allow people to purchase or sell over 40 different cryptocurrencies.[2] These Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS) that manages the operation of the ATMs, the supported cryptocurrencies, and the purchase and sale of funds on the exchanges.

The ATM manufacturer General Bytes confirmed that the company was the victim of a cyberattack and determined that a previously unknown flaw in its software had been exploited to carry out the attack.[3] The attacker managed to create an admin user remotely through the CAS administrative interface by calling the URL of the page that is used during the default installation of the server to create the initial administrative user.

The company published an advisory that listed these issues and explained the attack scenario.[4] The report states that the exploited vulnerability had been present in the CAS software since the version released on 2020-12-08 and in every version after that. There are no details on how many servers were breached using this exploit or how much crypto was stolen from victims.

Using the undiscovered zero-day flaw

It is believed that the threat actors scanned the internet for exposed servers listening on TCP ports 7777 or 443, including servers hosted at Digital Ocean and on the General Bytes cloud service. The threat actors exploited the vulnerability to add a default administrator user named gb to the CAS, then modified the buy and sell crypto settings and the invalid payment address setting so that they pointed to a wallet under the cybercriminals' control.

Once these settings were modified, the malicious actor could forward any funds received by the CAS to their own wallets. The zero-day bug has now been mitigated in two server patch releases: 20220531.38 and 20220725.22. The company also provided a list of specific steps to take on the devices before returning them to service.

It is worth noting that the attack might not have been possible if the server had been firewalled to allow connections only from trusted IP addresses. This shows how important it is to configure firewalls properly. Such a firewall configuration[5] allows access to the Crypto Application Server only from trusted IP addresses, such as the ATM location or the customs office.
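As an added illustration (not code from the article or from General Bytes), the following Python audits firewall-style log lines for accepted connections to the CAS ports named above (7777 and 443) from sources outside an operator-defined trusted allowlist, and renders the matching nftables allowlist rule. The log format, the trusted networks and all addresses are constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Ports the exposed CAS instances were reported to be listening on.
CAS_PORTS = (7777, 443)

# Assumption: trusted sources are known CIDR ranges (ATM sites, operator office).
# Constructed sample values, not real General Bytes or operator addresses.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed log format: "<ts> SRC=<ip> DST=<ip> DPT=<port> ACTION=<ACCEPT|DROP>"
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<act>\w+)")


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def untrusted_cas_accepts(lines: Iterable[str]) -> list:
    """Return accepted connections to CAS ports from sources outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        port = int(m["dpt"])
        if port in CAS_PORTS and m["act"] == "ACCEPT" and not is_trusted(m["src"]):
            findings.append({"src": m["src"], "port": port, "line": line.strip()})
    return findings


def nft_allowlist_rules() -> str:
    """Render nftables rules: accept CAS ports from trusted sources, drop the rest."""
    ports = ", ".join(str(p) for p in CAS_PORTS)
    nets = ", ".join(str(n) for n in TRUSTED_NETWORKS)
    return (f"tcp dport {{ {ports} }} ip saddr {{ {nets} }} accept\n"
            f"tcp dport {{ {ports} }} drop\n")


# Constructed sample log: one trusted hit per port, one untrusted accept on 7777,
# one untrusted attempt already dropped, and unrelated traffic on port 22.
SAMPLE_LOG = """\
2022-08-18T10:00:01Z SRC=203.0.113.7 DST=192.0.2.5 DPT=7777 ACTION=ACCEPT
2022-08-18T10:00:02Z SRC=192.0.2.200 DST=192.0.2.5 DPT=7777 ACTION=ACCEPT
2022-08-18T10:00:03Z SRC=192.0.2.201 DST=192.0.2.5 DPT=443 ACTION=DROP
2022-08-18T10:00:04Z SRC=198.51.100.10 DST=192.0.2.5 DPT=443 ACTION=ACCEPT
2022-08-18T10:00:05Z SRC=192.0.2.202 DST=192.0.2.5 DPT=22 ACTION=ACCEPT
"""

if __name__ == "__main__":
    for f in untrusted_cas_accepts(SAMPLE_LOG.splitlines()):
        print(f"untrusted source {f['src']} reached CAS port {f['port']}: {f['line']}")
    print(nft_allowlist_rules())
```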

A common issue with silent zero-day exploits

Zero-day bugs are vulnerabilities in all kinds of systems. Threat actors often use them in exploits because such a bug leaves systems exposed until the vendor issues a patch. Cybercriminals race to use these flaws to cash in on their schemes. These bugs can be found in systems and devices and remain undisclosed for a long time.

A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing it. The term zero-day may refer to the vulnerability itself, or to an attack that occurs with zero days between the time the vulnerability is discovered and the first attack.

Right now, eighteen General Bytes Crypto Application Servers are still exposed to the internet, and the majority of them are located in Canada. However, there are no figures on how many servers were breached through this flaw. Various news outlets asked further questions, but General Bytes had not responded at the time of writing.

About the author: Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
