General Bytes Bitcoin ATMs Hit by Zero-Day Cyberattack
General Bytes recently revealed a cyberattack that exploited a zero-day vulnerability in its Crypto Application Server (CAS) software. By remotely creating a new admin user, the attacker accessed Bitcoin ATMs and stole cryptocurrency. Although the flaw has been patched, the incident underscores the need for heightened vigilance in cryptocurrency infrastructure security.
General Bytes Bitcoin ATMs Targeted in Cyberattack Using Zero-Day Vulnerability
In a striking cyberattack on General Bytes, a prominent Bitcoin ATM manufacturer, attackers exploited a zero-day vulnerability in the company’s software to steal cryptocurrency directly from its Bitcoin ATMs. General Bytes disclosed that the attack leveraged a security gap in their Crypto Application Server (CAS), a software solution managing Bitcoin ATMs remotely. This incident has raised alarm within the cryptocurrency community, highlighting the security risks in decentralized finance and cryptocurrency systems.
Understanding the Attack: Exploiting CAS Vulnerabilities
The CAS software at the heart of the incident allows businesses to manage Bitcoin ATMs (BATMs) from a centralized interface, typically accessed via a desktop or mobile browser. Attackers targeted this system's management interface, using it to create an unauthorized administrator account remotely. By finding the installation page and creating a user with elevated privileges, the attacker gained direct access to the Bitcoin ATMs’ transaction systems.
General Bytes reported that the vulnerability had been present in CAS software versions since 2020, but it became known to the company only after this cyberattack. The flaw allowed malicious actors to add a new administrator user after scanning public IP addresses for exposed CAS services, especially those in DigitalOcean's IP address space, where many CAS instances were hosted.
Analyzing the Zero-Day Vulnerability in CAS
A zero-day vulnerability is a previously unknown flaw in software that attackers can exploit before developers patch it. Here, the CAS software’s admin interface presented a critical vulnerability that allowed anyone with access to add a new admin user, bypassing typical authentication and verification protocols. By scanning for open CAS services on ports 443 and 7777, the threat actor could locate vulnerable systems and add a new admin user named “GB,” gaining instant access to the Bitcoin ATMs under that CAS's control.
This attack method underscores the risks associated with centralized control interfaces. When these interfaces have vulnerabilities, any connected device, like a Bitcoin ATM, becomes susceptible to unauthorized access and manipulation.
Immediate Responses and Long-Term Implications for Bitcoin ATMs
In response to the incident, General Bytes issued two new CAS software versions, 20220531.38 and 20220725.22, addressing the zero-day vulnerability and introducing additional security measures to block unauthorized access. The company has advised all CAS users to update to these versions immediately and to review their administrative settings for any unexpected entries.
However, this attack has broader implications. Cryptocurrency infrastructure remains a lucrative target for cybercriminals due to the irreversible nature of transactions, the difficulty of tracking stolen cryptocurrency, and the overall lack of standard security regulations in the decentralized finance space.
Lessons Learned: Strengthening Cryptocurrency Infrastructure Security
1. Regular Security Audits and Patching
Given the serious nature of zero-day vulnerabilities, especially in software controlling financial devices, regular security audits are crucial. This includes testing for vulnerabilities across CAS, encryption protocols, and server interfaces that can serve as attack vectors. Patching software in a timely manner can be challenging, but it is essential to address known issues before attackers can exploit them.
2. Monitoring Access Logs and Administrative Changes
Attackers in this case were able to create an admin user remotely. To detect similar threats, companies can implement monitoring protocols that flag unusual administrative actions, such as creating or modifying users with high-level access.
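One way to implement the monitoring described above, as an added example that is not General Bytes' code: the audit log line format, the field names, the role names and the sample addresses below are constructed for the illustration, since this page does not document CAS's actual log format. The check flags any event that grants admin rights to an account outside the expected roster or from outside the operator's trusted management networks.

```python
# Added example (not General Bytes / CAS code): flag unexpected admin-account
# creation or promotion in a CAS-style admin audit log. The log format is a
# constructed, hypothetical one: "<ts> <actor> <src_ip> <action> <target> <role>".
import ipaddress
import re

# Constructed sample log lines. The first entry mirrors the incident described
# on this page: an admin user named "GB" created from an unexpected address.
SAMPLE_LOG = """\
2022-08-18T02:11:07Z install-page 203.0.113.7 USER_CREATE GB ADMIN
2022-08-18T02:11:09Z GB 203.0.113.7 USER_LOGIN GB ADMIN
2022-08-17T09:00:00Z alice 10.0.5.12 USER_CREATE bob OPERATOR
2022-08-17T09:05:00Z alice 10.0.5.12 USER_UPDATE bob ADMIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<actor>\S+) (?P<src>\S+) (?P<action>\S+) "
    r"(?P<target>\S+) (?P<role>\S+)$"
)

# Actions that can create or change an account's privilege level.
PRIVILEGE_ACTIONS = {"USER_CREATE", "USER_UPDATE"}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line))]


def find_admin_alerts(text, known_admins, trusted_nets):
    """Return (timestamp, reason, username) tuples for every event that grants
    ADMIN to an account not in the expected roster, or that does so from an
    address outside the operator's trusted management networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for ev in parse_log(text):
        if ev["role"] != "ADMIN" or ev["action"] not in PRIVILEGE_ACTIONS:
            continue
        src = ipaddress.ip_address(ev["src"])
        if ev["target"] not in known_admins:
            alerts.append((ev["ts"], "admin account not in expected roster", ev["target"]))
        if not any(src in net for net in nets):
            alerts.append((ev["ts"], f"admin change from untrusted source {src}", ev["target"]))
    return alerts


if __name__ == "__main__":
    for ts, reason, user in find_admin_alerts(SAMPLE_LOG, {"alice"}, ["10.0.0.0/8"]):
        print(f"{ts} ALERT user={user}: {reason}")
```

Running the same check periodically against the current admin roster (not only the log) also covers the advice to review administrative settings for unexpected entries after patching.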
3. Rethinking Decentralized Security Protocols
While decentralization remains at the core of cryptocurrency, the infrastructure supporting it often relies on centralized software like CAS, which presents a security paradox. Balancing the advantages of decentralized transactions with robust security for centralized management interfaces is crucial.
4. Collaboration with Hosting Providers
General Bytes’ case reveals that attackers used DigitalOcean’s IP space to locate vulnerable CAS servers. By collaborating closely with hosting providers, companies can gain better visibility into access attempts and potential breaches, especially in cloud environments.
Moving Forward: What Bitcoin ATM Operators Can Do
For Bitcoin ATM operators, this incident serves as a wake-up call to reassess security practices and regularly update software to patch vulnerabilities. Additionally, human error often plays a role in successful breaches. Training staff on cybersecurity best practices and understanding common attack vectors can help protect ATMs and their customers from future attacks.
For further insight on training against cybersecurity threats, refer to our Security Awareness Training for Employees.
Editor's Note: This blog was updated on November 15, 2024.