General Bytes, the Bitcoin ATM manufacturer, confirmed that it was the victim of a cyberattack that exploited a previously unknown flaw in its software to steal cryptocurrency from its users.
The company issued an advisory last week. It stated: “The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 2020-12-08.”
It is not yet clear how many servers were breached using this flaw and how much cryptocurrency was plundered.
CAS is short for Crypto Application Server, which is a self-hosted product from General Bytes that enables companies to manage Bitcoin ATM (BATM) machines from a central location via a browser on a desktop or a mobile device.
The zero-day flaw, a bug in the CAS admin interface, has been patched in two new releases, 20220531.38 and 20220725.22.
General Bytes said the unnamed threat actor identified CAS services running on ports 443 and 7777 by scanning the DigitalOcean cloud hosting IP address space, then abused the flaw to add a new default admin user named “gb” to the CAS.
“The attacker modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting,” it said. “Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to [the] ATM.”
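The flaw described above is a first-run installation page that keeps creating administrator accounts after installation has finished. The Python below is an added illustration, not General Bytes code (CAS endpoint names and internals are not given in the article); it contrasts that weak pattern with a setup handler that is one-shot, bound to a console-issued token and restricted to localhost, plus a baseline check that flags unexpected admin accounts such as “gb”. The store, token and addresses are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class AdminStore:
    """In-memory stand-in for the server's admin table (constructed for this example)."""
    admins: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # user -> (salt, hash)
    install_token: Optional[str] = None  # one-time secret shown on the server console at install
    installed: bool = False

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def setup_vulnerable(store: AdminStore, username: str, password: str) -> Tuple[int, str]:
    """Weak pattern: the first-run page creates an admin on every call, so anyone who can
    reach the URL after installation can add an account (the flaw class in the article)."""
    salt = secrets.token_bytes(16)
    store.admins[username] = (salt, _hash_password(password, salt))
    return 200, f"admin '{username}' created"

def setup_hardened(store: AdminStore, username: str, password: str,
                   token: Optional[str], remote_addr: str) -> Tuple[int, str]:
    """Hardened pattern: setup runs once, from the host itself, with a console-issued token."""
    # 1. Once installation has completed or any admin exists, the endpoint is closed for good.
    if store.installed or store.admins:
        return 403, "setup already completed"
    # 2. Assumption: the operator has console access, so first-admin creation is local-only.
    if remote_addr not in ("127.0.0.1", "::1"):
        return 403, "setup only permitted from localhost"
    # 3. The caller must present the one-time token printed at install (constant-time compare).
    if not store.install_token or not secrets.compare_digest(token or "", store.install_token):
        return 403, "invalid install token"
    salt = secrets.token_bytes(16)
    store.admins[username] = (salt, _hash_password(password, salt))
    store.install_token = None  # burn the token so it cannot be replayed
    store.installed = True
    return 201, f"admin '{username}' created"

def unexpected_admins(store: AdminStore, approved: Set[str]) -> Set[str]:
    """Defender check: admin accounts absent from the approved baseline (e.g. a surprise 'gb')."""
    return set(store.admins) - approved
```

Running `unexpected_admins` against a known-good list of operator accounts is the kind of periodic audit that would have surfaced the rogue “gb” account quickly.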