Hackers stole cryptocurrency from Bitcoin ATMs
Bitcoin ATM maker General Bytes has confirmed that it was the victim of a cyber attack that exploited a previously unknown flaw in its software to loot cryptocurrency from its users.
"The attacker managed to create a remote administrative user via the CAS administrative interface by calling a URL on the page used for the default installation on the server and creating the first administrative user," the company said in an advisory last week. "This vulnerability has been present in CAS software since release 2020-12-08."
It is not immediately clear how many servers were hacked with this flaw and how much cryptocurrency was stolen.
CAS, short for Crypto Application Server, is a self-hosted product from General Bytes that enables companies to manage Bitcoin ATM (BATM) devices from a central location via a web browser on a desktop or mobile device.
The zero-day flaw, related to a bug in the CAS management interface, has been mitigated in two server patch releases, 20220531.38 and 20220725.22.
General Bytes said the unnamed threat actor identified running CAS services on ports 7777 or 443 by scanning the IP address space of DigitalOcean's cloud hosting, then abused the flaw to add a new default administrator user named "gb" to the CAS.
“The attacker modified the encryption settings of the two-way machines with his wallet settings and the 'incorrect payment address' setting,” the company said. “The two-way ATMs started sending coins to the attacker’s wallet when customers sent coins to the ATM.”
In other words, the goal of the attack was to alter the settings so that all funds were redirected to a digital wallet address under the adversary's control.