Czech Republic-based Bitcoin ATM maker General Bytes has suffered a cybersecurity incident in which threat actors made off with cryptocurrency stolen through the exploitation of a previously unknown vulnerability in General Bytes Bitcoin ATM servers.
The company revealed in a blog post that the intruders identified running CAS (Crypto Application Server) services by scanning the Digital Ocean cloud-hosting IP address space, and then exploited the zero-day vulnerability in the CAS administrative interface to create a default admin user.
The threat actors then modified the crypto settings of a number of two-way machines and inserted their own wallet addresses into the 'Invalid Payment Address' setting, so that the BATMs began forwarding coins to the attackers' wallet whenever customers sent invalid payments to the BATMs.
The company also noted that the attacks against its ATMs began three days after the BATM manufacturer announced the “Help Ukraine” feature for its machines at the beginning of August.
According to General Bytes, the vulnerability has been present in CAS software since version 20201208, and has been addressed by the vendor in server patch releases 20220531.38 and 20220725.22.
“We’ve concluded multiple security audits since 2020, and none of them identified this vulnerability,” the company added.