"Hackers Steal Crypto from Bitcoin ATMs by Exploiting Zero-Day Bug"

Hackers stole cryptocurrency by exploiting a zero-day vulnerability in General Bytes Bitcoin ATM servers. When customers used an ATM to deposit or purchase cryptocurrency, the funds were siphoned off by the hackers. General Bytes is a manufacturer of Bitcoin ATMs, which allow people to buy or sell over 40 different cryptocurrencies. A remote Crypto Application Server (CAS) manages the operation of the Bitcoin ATMs, controls which cryptocurrencies are supported, and executes cryptocurrency purchases and sales on exchanges. According to the General Bytes advisory, the attacker created an admin user remotely via the CAS administrative interface, through a URL call on the page that is used for the default installation on the server and for creating the first admin user. The threat actors scanned the Internet for exposed servers running on TCP ports 7777 or 443, including servers hosted at DigitalOcean and on General Bytes' cloud service. They then used the bug to add a default admin user named 'gb' to the CAS and changed the 'buy' and 'sell' crypto settings, as well as the 'invalid payment address' setting, to use a cryptocurrency wallet controlled by the hacker. After the threat actors changed these settings, any cryptocurrency received by the CAS was instead forwarded to the hackers. Customers are advised not to use their Bitcoin ATMs until two server patch releases, 20220531.38 and 20220725.22, have been applied to their servers. This article continues to discuss the theft of cryptocurrency through the exploitation of a zero-day bug in General Bytes Bitcoin ATM servers.

Bleeping Computer reports "Hackers Steal Crypto from Bitcoin ATMs by Exploiting Zero-Day Bug"

Submitted by Anonymous on