A Bitcoin ATM company recently fell victim to a zero-day exploit that allowed hackers to steal an undisclosed amount of digital currency. General Bytes, a leading maker of cryptocurrency ATMs, issued a severe alert stating that the attack was made possible by a zero-day bug in its Crypto Application Server (CAS).
According to the alert, the hackers were able to remotely create an admin user through the CAS administrative interface using a URL call on the default installation page of the server. This vulnerability has apparently been present in the CAS software since version 20201208. Once the hackers created a new admin user, they were able to manipulate the crypto settings of two-way ATMs, causing the machines to send coins to the attackers’ wallet instead of the intended recipient.
Fortunately, the hackers did not gain access to the host operating system, file system, database, passwords, or any sensitive information such as private keys or API keys. However, the extent of the funds stolen by the attackers remains unknown. General Bytes has since released two patches for the CAS server and has advised all clients to halt ATM operations until they have implemented the necessary security measures.
The identity of the attackers remains unknown, although the attack occurred shortly after General Bytes introduced a “Help Ukraine” feature on its ATMs. What is even more alarming is that the bug in question went unnoticed during multiple security audits conducted by the company since 2020.
In a related development, the UK’s financial regulator declared earlier this year that crypto ATMs operating in the UK are illegal. This further highlights the risks associated with cryptocurrency transactions and the importance of robust security measures to protect digital assets.