August 23, 2022

Hackers have exploited a zero-day vulnerability in General Byte Bitcoin ATM to steal cryptocurrencies from users. The zero-day flaw exploited by the attacker was found in company’s Crypto Application Server (CAS).

According to General Byte, the attackers scanned the internet for exposed servers running on TCP ports 7777 or 443, including servers hosted by Digital Ocean and General Byte’s cloud service.

They were then able to exploit the bug by adding a default admin user named ‘gb’ to the CAS. They modified the crypto settings “buy” and “sell” and the “invalid payment address” to use a cryptocurrency wallet under the hacker’s control.

After changing the settings above, any cryptocurrency received by CAS was instead forwarded to the hackers.

General Byte has advised customers not to operate their Bitcoin ATMs until they have two server patch releases, 20220531.38 and 20220725.22, installed on their servers.

In addition, it is important to configure firewalls only to allow access to the Crypto Application Server from a tested IP address, such as addresses indicating the location of the ATM or the customer office.

Investigations from BinaryEdge shows that there are still 18 General Bytes Crypto Application Servers still vulnerable on the internet with most coming from Canada.

The sources for this piece include an article in BleepingComputer.