General Bytes Bitcoin ATMs compromised by threat actors

• Bitcoin ATM manufacturer General Bytes has asked all ATM operators to update their software after its server was compromised through a zero-day attack.

• This attack comes almost a year after Kraken Security Labs disclosed the vulnerability of most Bitcoin ATMs as their default admin QR code has never been changed.

Bitcoin ATM manufacturer General Bytes has asked all ATM operators to update their software after its server was compromised through a zero-day attack. According to the company’s security advisory team, the threat actors hacked into its Crypto Application Server (CAS) and stole funds. 

The hackers scanned for exposed servers running on TCP ports 7777 or 443, including servers hosted on General Bytes’ cloud service.

It is important to note that the CAS controls its entire operation including the buying and selling of cryptos. After gaining control, the hackers modified the settings to add themselves as default administrators on the CAS, named gb. From there, the hackers compromised the buy and sell settings, to ensure that all assets sent to the ATMs are redirected to the wallet addresses controlled by them. They also reportedly made away with some funds.

The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user.

Regardless of the information given, the company has not disclosed the amount stolen and the ATMs affected. 

Kraken Security Labs pointed out vulnerabilities in General Bytes

It is important to note that General Bytes own and operate over 8827 Bitcoin ATMs across 120 countries. Customers can as well access over 40 crypto assets on its various ATMs. As part of its effort to mitigate the impact, the company has advised customers to not use its ATM servers till they are updated to “patch releases 20220725.22, and 20220531.38 for customers running on 20220531.”

Customers are also reminded to review their “Sell Crypto Settings” before reactivating the terminals. This is to cross-check whether hackers modified their settings to redirect all received funds into their wallet addresses. To ensure that the CAS admin interface is only accessed from authorized IP addresses, customers have also been asked to modify their server firewall settings. In response to criticisms that the company did not invest enough in security audits to prevent this attack, it has stated that several audits have been conducted since 2020. 

This attack comes almost a year after Kraken Security Labs disclosed the vulnerability of most Bitcoin ATMs as their default admin QR code has never been changed. In the report, the security firm observed that General Bytes’ BATMTwo ATM range had several hardware and software vulnerabilities. According to Kraken, it is easier for hackers to compromise any ATM if they get access to the administrative code. In response, General Bytes reportedly informed ATM operators of the vulnerabilities.

Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.