Hackers exploit Bitcoin ATMs to steal investors’ money from wallets

General Bytes, maker of cryptocurrency ATMs, have faced a setback after hackers exploited a zero-day vulnerability in their servers of Bitcoin ATMs. The attacker was able to create an admin user remotely via CAS administrative interface and managed to dupe investors' money from their wallet addresses. The hacker was able to identify a security vulnerability in the admin interface. Further, the company has deactivated 2-way BATMs on the GB Cloud as a security precaution.

According to General Bytes updates on August 18, the attacker created an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and created the first administration user. 

Further, the hackers scanned Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7777 or 443.

Notably, the company's General Bytes Cloud service and other GB ATM operators running their servers as Digital Ocean is a recommended cloud hosting provider.

It said, "This vulnerability has been present in CAS software since version 20201208."

With this security vulnerability, the hacker was able to create a new default admin user, organization, and terminal. They accessed the CAS interface and renamed the default admin user to 'gb'.

Further, the hacker modified the crypto settings of two-way machines with his wallet settings and the 'invalid payment address' setting. Following this, two-way ATMs started to forward coins to the attacker's wallet when customers sent coins to ATMs.

"We concluded multiple security audits since 2020, and none of them identified this vulnerability. Attack came 3rd day after we publicly announced Help Ukraine feature on ATMs," General Bytes said.

However, General Bytes also revealed that the attacker could not get access to host operation system, file system, database, and any passwords, password hashes, salts, private keys or API keys.

General Bytes has asked investors to not operate their GB ATM server unless they have implemented the following solution.

Step 1 - Stop admin and master service.

Step 2 - Upgrade your server to 20220725.22. For customers running on 20220531, the company also back-ported the fix to patch release 20220531.38.

Step 3 - Modify your server firewall settings. Ensure that your CAS admin interface running on TCP ports 7777 or 443 is only accessible from IP addresses you trust - like your office or your homes.

Step 4 - Start admin service.

Step 5 - Enter the CAS interface and deactivate all your terminals to prevent any sales on machines. Alternatively, you can deactivate only two-way machines.

Step 6 - Review all your CAS users. And their permissions and groups. Make sure only users that you trust have administration rights. If you were breached, you might find a user called 'gb' listed. If so, please delete any such user. Also, check all CAS user's email addresses on persons.

Step 7 - Reset all user passwords. (except your own)

Step 8 - Review your Crypto Settings. Make sure you run the Crypto Settings tests to verify that your crypto addresses and strategies are correct. The attacker might have changed your SELL Crypto Settings to receive coins from customers into his wallet.

Step 9 - Review that the attacker added no terminals. If you were breached, you might find BT123456.

Step 10 - Activate the terminals.

Step 11 - General Bytes said, in case you were breached, review admin.log, where you might find more details on the attacker's activity. Search for activity around the message "Server activated."