General Bytes, a Bitcoin ATM manufacturer, had its servers compromised via a zero-day attack on August 18. The hackers reportedly made themselves the default admin and modified settings so that funds would be transferred to their wallet addresses.
The company hasn’t yet disclosed the amount of funds stolen or the number of ATMs compromised. However, it did advise ATM operators to update their software. General Bytes, which owns and operates 8,827 Bitcoin ATMs accessible in over 120 countries, confirmed the incident on August 18. Customers can also buy or sell over 40 coins through the ATMs. The company urged customers to refrain from using the General Bytes ATM servers until they update the server to patch releases 20220725.22 and 20220531.38 for customers running on 20220531. It also told customers to modify the server firewall settings so that the CAS admin interface can be accessed only from authorized IP addresses.
General Bytes urged customers to review their SELL Crypto Settings to ensure that hackers didn’t modify them so that any received funds would be transferred to the hackers and not to the customers. Furthermore, the company has undertaken several security audits since its inception in 2020. However, no vulnerability has been identified.
As for how the hack happened, the company’s security advisory team says the hackers conducted a zero-day vulnerability attack to gain access to General Bytes’ Crypto Application Server (CAS), which manages the ATM’s entire operation, and to extract funds. It’s believed the hackers scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ cloud service. They then added themselves as a default admin on the CAS, named gb, and proceeded to modify the buy and sell settings. The hackers created the admin user remotely through the CAS administration interface, via a URL call on the page that is used for the default installation on the server and creates the first administration user.
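
The firewall advice above (CAS admin interface reachable only from authorized IP addresses, on the TCP ports 7777 and 443 that the attackers scanned for) can be checked against a host's rule set. The following is an added example, not code from General Bytes or from the original article. It assumes a Linux host filtered with iptables; the rule excerpt, the addresses and the function names are constructed for illustration.

```python
import ipaddress

CAS_PORTS = (7777, 443)  # ports the article says were scanned

# Constructed iptables-save excerpt; 203.0.113.10 stands in for an authorized operator IP.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def _opt(tok, *names):
    """Value following the first of `names` present in the rule tokens, else None."""
    hits = [tok[i + 1] for i, t in enumerate(tok[:-1]) if t in names]
    return hits[0] if hits else None

def _port_match(spec, port):
    """True if port is in an iptables spec like '443', '7000:8000' or '80,443'."""
    ranges = (part.partition(":") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(rules_text, src, port):
    """First-match verdict for a NEW inbound TCP connection (INPUT only; no '!' or user chains)."""
    src, policy = ipaddress.ip_address(src), "ACCEPT"
    for line in rules_text.splitlines():
        tok = line.split()
        if line.startswith(":INPUT"):
            policy = tok[1]  # chain default, used when no rule matches
        if tok[:2] != ["-A", "INPUT"]:
            continue
        state, proto = _opt(tok, "--ctstate", "--state"), _opt(tok, "-p")
        ports, source = _opt(tok, "--dport", "--dports"), _opt(tok, "-s")
        if (_opt(tok, "-i") == "lo" or (state and "NEW" not in state)
                or (proto and proto not in ("tcp", "all"))
                or (ports and not _port_match(ports, port))
                or (source and src not in ipaddress.ip_network(source, strict=False))):
            continue  # rule does not apply to this connection
        target = _opt(tok, "-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return "ACCEPT" if target == "ACCEPT" else "DROP"
    return policy

def exposed_cas_ports(rules_text, probe="198.51.100.77"):
    """CAS ports reachable from an address that is not on any allowlist."""
    return [p for p in CAS_PORTS if verdict(rules_text, probe, p) == "ACCEPT"]
```

On the constructed rule set, `exposed_cas_ports(SAMPLE_RULES)` reports port 443 as open to any source while 7777 is limited to the allowlisted address; adding a `-s` restriction to the 443 rule clears the finding.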