
Top Cryptocurrency News: Hackers Exploit Zero-Day Bug to Steal From General Bytes Bitcoin ATMs

22-Aug-2022 By: Ashish Sarswat

On August 18, the servers of Bitcoin ATM manufacturer General Bytes were compromised by a zero-day attack, allowing the hackers to designate themselves the default admins and modify settings so that all funds were transferred to their wallet address.

The amount of funds stolen and the number of ATMs affected have not been disclosed. However, the company has urged ATM operators to update their software immediately.

General Bytes, which owns and manages 8827 Bitcoin ATMs in over 120 countries, acknowledged the hack on August 18. The company's headquarters are in Prague, Czech Republic, where the ATMs are also manufactured. The ATMs allow users to buy and sell more than 40 coins.

The vulnerability has existed since August 18, when the hacker's modifications updated the CAS software to version 20201208.

General Bytes has advised customers not to operate their General Bytes ATM servers until they have updated them to patch releases 20220725.22 and 20220531.38 (the latter for customers operating on 20220531).

Customers have also been encouraged to alter their server firewall settings so that the CAS admin interface may only be accessed from approved IP addresses, among other considerations.
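As an added illustration of that firewall advice (not General Bytes' own configuration), the script below builds an nftables ruleset that admits only approved source addresses to TCP ports 7777 and 443, the ports the company says the attackers scanned. The table name, the function names and the sample addresses are assumptions; it also assumes the CAS admin interface is the only service on those ports.

```shell
#!/bin/sh
# Added example: build an nftables ruleset that limits the CAS admin ports to
# an operator-supplied allowlist. Ports come from the article; the table name
# and sample addresses (RFC 5737 documentation ranges) are assumptions.

CAS_ADMIN_PORTS="443, 7777"

# Accept only dotted-quad IPv4 with an optional /1-32 prefix. A /0 prefix is
# refused so a typo cannot re-open the interface to the whole internet.
valid_source() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(/([1-9]|[12][0-9]|3[0-2]))?$'
}

# Print the ruleset on stdout; return 1 and print no rules on bad input.
cas_admin_ruleset() {
    [ "$#" -gt 0 ] || { echo "need at least one approved source" >&2; return 1; }
    elements=""
    for src in "$@"; do
        valid_source "$src" || { echo "rejected source: $src" >&2; return 1; }
        elements="${elements:+$elements, }$src"
    done
    cat <<EOF
table inet cas_admin {
    set approved_admins {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Approved operators reach the admin ports; everyone else, including
        # all IPv6 sources, is logged and dropped.
        tcp dport { $CAS_ADMIN_PORTS } ip saddr @approved_admins accept
        tcp dport { $CAS_ADMIN_PORTS } log prefix "cas-admin-denied " drop
    }
}
EOF
}

# Constructed example run: review the output before loading it with `nft -f`.
cas_admin_ruleset 203.0.113.10 198.51.100.0/24
```

The log rule gives operators a record of denied connection attempts to the admin ports, which is useful when checking whether scanning continues after the patch.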

General Bytes also encouraged customers to examine their SELL Crypto Setting before reactivating the terminals to ensure that the hackers did not change the settings so that any received funds would instead be retransferred to them (and not the customers).

General Bytes stated that multiple security assessments had been performed since its beginning in 2020, none of which had found this vulnerability.

How the attack happened

According to General Bytes' security advisory team, the hackers used a zero-day vulnerability exploit to obtain access to the company's Crypto Application Server (CAS) and steal the funds.

The CAS server oversees the whole functioning of the ATM, including the execution of crypto buying and selling on exchanges and which currencies are supported.

The company believes the hackers scanned for vulnerable servers operating on TCP ports 7777 or 443, including servers housed on General Bytes' own cloud service.

The hackers then added themselves as a default admin on the CAS, calling themselves gb, and then modified the "buy" and "sell" settings such that any crypto received by the Bitcoin ATM would instead be transferred to the hacker's wallet address.
