Hackers steal crypto from Bitcoin ATMs

Hackers have exploited a vulnerability in General Bytes' remote Crypto Application Server (CAS), which manages the company’s Bitcoin ATM operations, to steal cryptocurrencies from customers. The CAS determines which cryptocurrencies are supported and authorizes the purchase and sale of cryptocurrency on exchanges using the company's ATMs.

The attacks were first reported by Bleeping Computer; a source contacted the blog to report that hackers were “stealing bitcoin from their ATMs.”

A General Bytes security advisory dated August 18th confirms the attacks were conducted against the company’s CAS.

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” reads the General Bytes advisory.

“This vulnerability has been present in CAS software since version 20201208.”

The hackers likely scanned for exposed servers listening on TCP ports 7777 or 443.

Once the hackers exploited the bug to re-route cryptocurrency payments, any cryptocurrency received by CAS was forwarded to the hackers instead.

General Bytes is warning customers not to operate their Bitcoin ATMs until further notice.

Bleeping Computer concluded that simply restricting access to the CAS to a trusted IP address would’ve prevented the exploit. Unbelievably, the ATMs are not configured as such.
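As an added example (not code from General Bytes or Bleeping Computer), this Python script audits a connection log for accepted connections to the CAS ports named above that came from outside an operator's trusted addresses. The log format, the trusted ranges and every address in the sample are constructed assumptions.

```python
import ipaddress

# Ports the article names as the ones exposed CAS servers were found on.
CAS_PORTS = {7777, 443}

# Assumption: the operator's trusted admin addresses (documentation ranges).
TRUSTED = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "2001:db8:10::/64")]

# Constructed sample log, one connection per line: "<time> <src ip> <dst port> <action>"
SAMPLE_LOG = """\
2000-01-01T09:14:02Z 198.51.100.10 7777 ACCEPT
2000-01-01T09:15:40Z 203.0.113.77 7777 ACCEPT
2000-01-01T09:15:41Z 203.0.113.77 22 DROP
2000-01-01T09:16:03Z 2001:db8:10::5 443 ACCEPT
2000-01-01T09:17:55Z 192.0.2.200 443 ACCEPT
malformed line here
2000-01-01T09:18:00Z not-an-ip 7777 ACCEPT
2000-01-01T09:18:10Z 192.0.2.201 7777 DROP
"""


def is_trusted(addr):
    """True if addr falls inside any trusted network (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in TRUSTED)


def untrusted_cas_connections(log_text):
    """Return (time, src, port) for accepted CAS-port connections from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the expected format
        ts, src, port, action = parts
        try:
            port, trusted = int(port), is_trusted(src)
        except ValueError:
            continue  # unparseable port or address
        # Only connections the firewall let through are exposure findings.
        if port in CAS_PORTS and action == "ACCEPT" and not trusted:
            findings.append((ts, src, port))
    return findings


if __name__ == "__main__":
    for ts, src, port in untrusted_cas_connections(SAMPLE_LOG):
        print(f"{ts} untrusted source {src} reached CAS port {port}")
```

Any finding means the CAS port is reachable from an address that is not on the allowlist, which is the exposure the trusted-IP restriction removes.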

General Bytes did not comment on how much or which cryptocurrency was stolen, or how many of its ATMs were affected. Presumably, all ATMs were affected.
