Hackers Exploited Software Vulnerability To Steal Cryptocurrencies From Bitcoin ATMs

In the past, some people managed to hack into ATM machines to steal money. One of the ways, was by using what's called the 'Cutlet Maker', which is a malware that targets ATM machines.

Fast forward, in the world where the internet has become common, and cryptocurrencies have become a payment method accepted by many merchants and vendors, hackers are also trying to steal cryptocurrencies from their owners.

And this time, hackers are found targeting ATM machines.

Particularly, those machines that were made by General Bytes.

The company is the manufacturer of Bitcoin ATM (BATM) machines that, depending on the product, allow people to purchase or sell over 40 different cryptocurrencies.

It's reported that a zero-day vulnerability has been exploited by hackers, which according to the company, threat actors have hacked into its Crypto Application Server (CAS) and stole funds.

BATMFour ATM machine by General Bytes
BATMFour ATM machine by General Bytes has a vertical touchscreen that is larger than previous generations of its BATMs. (Credit: General Bytes)

By exploiting the bug, the hackers were able to make themselves the default administrators of the systems, in order to modify settings so that all funds would be transferred to their wallet address.

According to the company in an advisory:

"The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208."

CAS, short for Crypto Application Server, is a self-hosted product from General Bytes that enables companies to manage BATM machines from a central location via a web browser on a desktop or a mobile device.

And the bug that was exploited, resided in the CAS administrator interface.

The hackers managed to run the CAS services on ports 7777 or 443 by scanning the DigitalOcean cloud hosting IP address space. The hackers then exploited the flaw by adding a new default administrator user, which the hackers own, named "gb" to the CAS.

The hackers then modified the 'buy' and 'sell' cryptocurrency settings and set the 'invalid payment address' to use a cryptocurrency wallet under the hacker's control.

"The attacker modified the crypto settings of two-way machines with his wallet settings and the 'invalid payment address' setting," it said. "Two-way ATMs started to forward coins to the attacker's wallet when customers sent coins to [the] ATM."

[block:block=87]

General Bytes' product page about the CAS interface
Screenshot of General Bytes' product page about the CAS software. (Credit: General Bytes)

By exploiting the bug, when customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers.

The company said that it had conducted "multiple security audits" since 2020, and found no issues.

This is why the bug was a zero-day flaw.

The bug has been mitigated in two server patch releases, 20220531.38 and 20220725.22.

It's worth noting that the attack occurred three days after it publicly announced a "Help Ukraine" feature on its ATMs.

General Bytes didn't way anything about the number of servers that were breached, or how much cryptocurrency was stolen.

According to Bleeping Computer. a website covering technology news. the attack would not have been possible in the first place, had the servers been firewalled to only allow trusted IP addresses to establish a connection.