Fraudsters Learned to Steal Money from General Bytes Cryptocurrency ATMs

A 0-day vulnerability was found in General Bytes cryptocurrency ATMs, and attackers immediately exploited it to steal money: when users deposited or bought cryptocurrencies through an ATM, the funds went to the hackers instead.

The Czech company General Bytes owns and operates 8827 cryptocurrency ATMs, which are available in more than 120 countries around the world. These devices allow buying and selling more than 40 different cryptocurrencies, and are controlled by a remote CAS server (Crypto Application Server), which manages the operation of the ATM, conducts transactions with supported cryptocurrencies, and also performs buying and selling on exchanges.

Let me remind you that we also wrote that The Developers of the Nomad Cryptocurrency Bridge Ask the Hackers to Return the Money and… They Return.

According to a General Bytes security bulletin published on August 18, 2022, attacks on ATMs were carried out using a 0-day vulnerability in the company’s CAS server.

“An attacker could remotely create an admin user through the CAS administrative interface (by calling a URL on the page used to install the default and create the first admin user). This vulnerability has been present in CAS since version 20201208,” the report says.

General Bytes experts believe that the attackers scanned the Internet looking for servers with the open TCP ports 7777 or 443, including servers hosted by Digital Ocean and General Bytes’ own cloud service.

The hackers then exploited the vulnerability to add a default admin user named “gb” to the system and change the settings for buying and selling cryptocurrencies, as well as the invalid payment address setting, by injecting their own wallet address into the system. As a result, any cryptocurrency received by CAS fell into the hands of hackers.

Now, General Bytes representatives are warning customers not to use cryptocurrency ATMs until patches 20220531.38 and 20220725.22 are installed on them. The company also published a detailed list of actions that must be performed on the devices before they are put into operation again. Among other things, it is recommended to change firewall settings so that only authorized IP addresses can access the CAS admin interface.
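The three checks the bulletin implies an operator should run after patching, as an added example that is not General Bytes’ own code: look for admin accounts outside the operator’s baseline (such as the injected “gb” user), for buy/sell and invalid-payment addresses that are not the operator’s wallets, and for firewall rules that expose the CAS admin ports 7777 or 443 to sources outside the authorized IP ranges. The export format, field names and sample values below are constructed for illustration and are not the real CAS export or API.

```python
import ipaddress

ADMIN_PORTS = {7777, 443}  # CAS admin interface ports named in the bulletin


def audit_admins(admins, baseline):
    """Return admin account names that are not in the operator's known baseline."""
    return sorted(set(admins) - set(baseline))


def audit_addresses(settings, approved):
    """Return (setting, address) pairs whose wallet is not in the approved set."""
    keys = ("buy_address", "sell_address", "invalid_payment_address")  # constructed names
    return [(k, settings[k]) for k in keys if k in settings and settings[k] not in approved]


def audit_firewall(rules, authorized):
    """Return allow rules that expose an admin port to a source outside the authorized CIDRs."""
    nets = [ipaddress.ip_network(c) for c in authorized]
    exposed = []
    for port, source, action in rules:  # rule tuple layout is constructed for this example
        if action != "allow" or port not in ADMIN_PORTS:
            continue
        src = ipaddress.ip_network(source)
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            exposed.append((port, source))
    return exposed


# Constructed sample data (not from a real CAS export); "gb" is the account name the
# attackers created, and the wallet strings are placeholders, not real addresses.
SAMPLE_ADMINS = ["operator", "gb"]
SAMPLE_SETTINGS = {
    "buy_address": "bc1q-operator-wallet-placeholder",
    "sell_address": "bc1q-operator-wallet-placeholder",
    "invalid_payment_address": "bc1q-attacker-wallet-placeholder",
}
SAMPLE_RULES = [(7777, "0.0.0.0/0", "allow"), (443, "203.0.113.0/24", "allow"), (22, "0.0.0.0/0", "allow")]
BASELINE_ADMINS = {"operator"}
APPROVED_WALLETS = {"bc1q-operator-wallet-placeholder"}
AUTHORIZED_CIDRS = ["203.0.113.0/24"]


def run_audit():
    """Run all three checks against the sample data and return the findings by category."""
    return {
        "unexpected_admins": audit_admins(SAMPLE_ADMINS, BASELINE_ADMINS),
        "unexpected_addresses": audit_addresses(SAMPLE_SETTINGS, APPROVED_WALLETS),
        "exposed_admin_ports": audit_firewall(SAMPLE_RULES, AUTHORIZED_CIDRS),
    }


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(category, items)
```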

At the same time, it is not clear from the company’s message how many servers were compromised, and how much cryptocurrency was stolen from users.

According to BinaryEdge, there are currently 18 General Bytes CAS servers on the network, most of which are located in Canada.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
