Threat actors heisted crypto funds from Bitcoin ATM servers

September 2, 2022

A group of threat actors has exploited a zero-day vulnerability in General Bytes' Bitcoin ATM servers to steal cryptocurrency. The campaign let the attackers divert funds to wallets they control whenever a customer completed a deposit through a compromised ATM.

The attack came to light after a General Bytes customer notified a news outlet that hackers were stealing bitcoin from their ATMs. General Bytes' investigation then found that the attackers had exploited a zero-day bug in its Crypto Application Server (CAS), the software that remotely manages the ATMs.

The exploited flaw has been present in the Crypto Application Server since version 20201208. The attackers scanned the internet, including Digital Ocean's cloud address space and General Bytes' own cloud hosting, for servers exposing the CAS service on TCP ports 443 and 7777.

The attack on the Bitcoin ATM servers begins once the attacker has added a new admin user to the CAS.
The attackers abused the flaw to add an admin user named 'gb' to the Crypto Application Server. They created the account remotely, through the CAS admin interface, by calling the URL of the page that the default installation uses to create the first administration user on the server.

With admin access, the attackers then changed the "buy" and "sell" settings and the "invalid payment address" setting to point at their own crypto wallets. Once those settings were modified, any cryptocurrency a customer deposited through an ATM managed by that CAS was forwarded to the attackers' wallet instead of the operator's.
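The two changes the attackers made, a new admin account and rewritten payout destinations, are exactly the kind of drift an operator can catch by comparing the server's current state against a known-good baseline. The script below is an added example, not code from General Bytes or from the article; the snapshot format (the `admins` list, the `settings` keys and the `install_page_enabled` flag) is constructed for this example and is not the CAS export format, and the wallet strings are placeholders.

```python
"""Baseline-drift audit for a Bitcoin ATM server's admin users and payout
settings (added example; snapshot format and addresses are constructed)."""
import json
from dataclasses import dataclass

# Constructed: snapshot saved when the operator last reviewed the server.
BASELINE_JSON = """
{
  "install_page_enabled": false,
  "admins": [{"username": "operator", "role": "admin"}],
  "settings": {
    "buy_wallet": "bc1q-OPERATOR-BUY-WALLET-EXAMPLE",
    "sell_wallet": "bc1q-OPERATOR-SELL-WALLET-EXAMPLE",
    "invalid_payment_address": "bc1q-OPERATOR-FALLBACK-EXAMPLE"
  }
}
"""

# Constructed: snapshot after the tampering pattern the article describes
# (extra admin user, sell and invalid-payment destinations rewritten).
CURRENT_JSON = """
{
  "install_page_enabled": true,
  "admins": [{"username": "operator", "role": "admin"},
             {"username": "gb", "role": "admin"}],
  "settings": {
    "buy_wallet": "bc1q-OPERATOR-BUY-WALLET-EXAMPLE",
    "sell_wallet": "bc1q-ATTACKER-WALLET-EXAMPLE",
    "invalid_payment_address": "bc1q-ATTACKER-WALLET-EXAMPLE"
  }
}
"""

# Every setting that decides where customer funds end up.
DESTINATION_KEYS = ("buy_wallet", "sell_wallet", "invalid_payment_address")


@dataclass(frozen=True)
class Finding:
    severity: str
    kind: str
    detail: str


def audit(baseline: dict, current: dict) -> list[Finding]:
    """Return findings for every deviation of `current` from `baseline`."""
    findings: list[Finding] = []

    # 1. The first-admin creation page (assumed flag) must not be reachable
    #    once an admin account already exists.
    if current.get("install_page_enabled") and current.get("admins"):
        findings.append(Finding(
            "critical", "install_page_exposed",
            "first-admin install page still enabled after setup"))

    # 2. Any admin account that was not in the baseline.
    known = {u["username"] for u in baseline["admins"]}
    for user in current["admins"]:
        if user["username"] not in known:
            findings.append(Finding(
                "critical", "new_admin_user",
                f"unexpected admin account {user['username']!r} "
                f"(role={user.get('role')})"))

    # 3. Any change to a fund destination, including the fallback address.
    for key in DESTINATION_KEYS:
        before = baseline["settings"].get(key)
        after = current["settings"].get(key)
        if before != after:
            findings.append(Finding(
                "critical", "destination_changed",
                f"{key}: {before} -> {after}"))
    return findings


def audit_json(baseline_json: str, current_json: str) -> list[Finding]:
    """Convenience wrapper over raw JSON snapshots."""
    return audit(json.loads(baseline_json), json.loads(current_json))


if __name__ == "__main__":
    for f in audit_json(BASELINE_JSON, CURRENT_JSON):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

The baseline should be captured from a server that the operator has personally verified and stored somewhere the server itself cannot write to; an audit that reads its baseline from the same box an attacker already administers proves nothing. Running the check on a schedule, and treating any `destination_changed` finding as an incident until a human confirms the change, would have surfaced this intrusion at the first diverted deposit.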

General Bytes is a Bitcoin ATM manufacturer whose machines let users buy and sell more than 40 cryptocurrencies. Because the ATMs are managed by a remote Crypto Application Server, the attackers likely concentrated on finding flaws in that server rather than in the machines themselves. At the time of reporting, 18 General Bytes CAS instances were still exposed to the internet and therefore reachable by anyone using the zero-day exploit.

It is still unknown how many servers were compromised through the vulnerability, or how much cryptocurrency the threat actors stole over the past months.
