
Fraudsters Learned to Steal Money from General Bytes Cryptocurrency ATMs

A 0-day vulnerability was found in General Bytes cryptocurrency ATMs, and the attackers immediately exploited it to steal money. When users deposited or bought cryptocurrencies through an ATM, the hackers received their money.

The Czech company General Bytes owns and operates 8827 cryptocurrency ATMs, which are available in more than 120 countries around the world. These devices allow buying and selling more than 40 different cryptocurrencies, and are controlled by a remote CAS server (Crypto Application Server), which manages the operation of the ATM, conducts transactions with supported cryptocurrencies, and also performs buying and selling on exchanges.

Let me remind you that we also wrote that The Developers of the Nomad Cryptocurrency Bridge Ask the Hackers to Return the Money and… They Return.

According to a General Bytes security bulletin published on August 18, 2022, attacks on ATMs were carried out using a 0-day vulnerability in the company’s CAS server.

“An attacker could remotely create an admin user through the CAS administrative interface (by calling a URL on the page used to install the default and create the first admin user). This vulnerability has been present in CAS since version 20201208,” the report says.

General Bytes experts believe that the attackers scanned the Internet looking for servers with the open TCP ports 7777 or 443, including servers hosted by Digital Ocean and General Bytes’ own cloud service.

The hackers then exploited the vulnerability to add a default admin user named “gb” to the system and change the settings for buying and selling cryptocurrencies, as well as the invalid payment address setting, by injecting their own wallet address into the system. As a result, any cryptocurrency received by CAS fell into the hands of hackers.

Now, General Bytes representatives are warning customers not to use cryptocurrency ATMs until patches 20220531.38 and 20220725.22 are installed on them. The company also published a detailed list of actions that must be performed on the devices before they are put into operation again. Among other things, it is recommended to change firewall settings so that only authorized IP addresses can access the CAS admin interface.
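The attack pattern and the mitigation described above (a first-run admin-creation page reachable after installation, a rogue “gb” admin account, and an admin interface that should only accept authorized IP addresses) translate directly into a small audit check an operator can run over the server’s access log. The script below is an added example written for this article; it is not General Bytes code and the bulletin does not document CAS log formats or paths. The log line layout, the SETUP_PATH and ADMIN_PREFIX paths, the operator allowlist and the list of known admin accounts are all constructed placeholders that a real deployment would replace with its own values.

```python
"""
Audit helper for a CAS-style admin interface access log.
Added example, not General Bytes code. Everything below marked
"placeholder" or "constructed" is an assumption, not taken from the bulletin.
"""
import ipaddress
import re
from dataclasses import dataclass

SETUP_PATH = "/setup/first-admin"   # placeholder: path of the first-admin creation page
ADMIN_PREFIX = "/admin/"            # placeholder: prefix of the admin interface
# Constructed operator allowlist: only these networks may reach the admin interface.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Constructed list of admin accounts the operator actually created.
KNOWN_ADMINS = {"operator"}

# Assumed log layout: "<timestamp> <src_ip> <method> <path> <status> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S*)$"
)


@dataclass
class Finding:
    ts: str
    ip: str
    reason: str


def ip_allowed(ip: str) -> bool:
    """True if the source address falls inside the operator's admin allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not allowed
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def audit(lines, install_complete: bool = True):
    """Scan log lines and return a list of Findings.

    install_complete=True means installation has finished, so the
    first-admin setup page should never be requested again.
    """
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, ip, path, status, user = m["ts"], m["ip"], m["path"], m["status"], m["user"]

        # 1. The setup page being reached after install is the exact condition
        #    the bulletin describes; it should not happen on a live server.
        if install_complete and path.startswith(SETUP_PATH):
            findings.append(Finding(ts, ip, f"first-admin setup page hit after install: {path}"))

        is_admin_request = path.startswith(ADMIN_PREFIX)

        # 2. A successful admin-interface request from outside the allowlist
        #    means the recommended firewall restriction is not in effect.
        if is_admin_request and status.startswith("2") and not ip_allowed(ip):
            findings.append(Finding(ts, ip, f"admin interface access from non-allowlisted IP {ip}"))

        # 3. Admin activity under an account the operator never created
        #    (the bulletin names a rogue "gb" user).
        if is_admin_request and user and user not in KNOWN_ADMINS:
            findings.append(Finding(ts, ip, f"unknown admin account in use: {user}"))
    return findings


# Constructed sample log: one legitimate operator session and one intrusion-like sequence.
SAMPLE_LOG = [
    "2022-08-17T10:01:02Z 10.20.0.5 GET /admin/settings 200 user=operator",
    "2022-08-17T10:02:10Z 198.51.100.7 GET /setup/first-admin 200 user=",
    "2022-08-17T10:02:11Z 198.51.100.7 POST /admin/settings/wallet 200 user=gb",
    "2022-08-17T10:03:00Z 10.20.0.5 GET /admin/transactions 200 user=operator",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.ip}: {f.reason}")
```

On the constructed sample the script reports three findings: the setup page being hit after installation, a successful admin request from an address outside the allowlist, and activity by the unknown “gb” account. Finding 2 is the one to watch even after patching, since it shows whether the firewall restriction the vendor recommends is actually enforced rather than merely configured.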

At the same time, it is not clear from the company’s message how many servers were compromised, and how much cryptocurrency was stolen from users.

According to BinaryEdge, there are currently 18 General Bytes CAS servers publicly reachable on the Internet, most of which are located in Canada.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
