CoinATMRadar counts 8,827 bitcoin ATMs installed by the producer General Bytes, the second largest worldwide …
According to reports and General Bytes themselves (see referenced links below), hackers have managed to steal crypto from bitcoin ATM users by exploiting a zero-day vulnerability present in General Bytes Servers.
The second link below (18/08/2022) states that:
Description: The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208.
This means that hackers were able to create an admin account on some CAS (Crypto Application Server) instances, and then modify the address parameters in the buy and sell configuration sections, thus diverting the crypto TX funds to themselves. I presume each corporation that has one or more GB ATMs runs its own instance of a CAS.
GB asks for GB ATMs to be kept non-operational until a set of two server patches has been applied (20220531.38 and 20220725.22). Furthermore, they ask operators to check their firewall settings so that access is allowed only from known IPs (i.e. offices, homes and ATMs, I presume).
In addition, apparently:
1. The attacker didn't gain access to the host operation system.
2. The attacker didn't gain access to the host file system.
3. The attacker didn't gain access to the database.
4. The attacker didn't gain access to any passwords, password hashes, salts, private keys or API keys.
BleepingComputer’s article references a source that seemingly indicates that there are still 18 vulnerable CAS, essentially in Canada. Nevertheless, the link to the source no longer renders results, and I wouldn’t be sure that the info isn’t local and focused on Canada alone to begin with. Other than that, there is no info on the extent.
For bitcoin ATM users, it would seemingly be a good idea to check with the support of the corporations hosting GB bitcoin ATMs whether they’ve applied the said patches before using GB ATMs in the coming days (supposing that is the definitive solution to the exploit).
Anyone had any issues of the kind with GB ATMs in the last few days (or seen them being off-line, presumably due to these events)?
See:
https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2785509377/Security+Incident+August+18th+2022
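The known-IP firewall restriction GB recommends in the post above, as an added example (this is not General Bytes code or configuration, and the admin port 7777 and the office/home/ATM networks are made-up assumptions): a POSIX shell script that validates an IP allowlist, prints an nftables ruleset limiting the CAS admin port to those networks, and checks whether a given source address falls inside the allowlist, which an operator could run over the source addresses in their own access logs.

```shell
#!/bin/sh
# Added example (not General Bytes code). The port and networks below are
# assumptions for illustration: replace them with the real CAS admin port
# and the operator's own office, home and ATM addresses.
CAS_ADMIN_PORT=7777

# Constructed allowlist, one "<cidr> <label>" per line.
ALLOWLIST='198.51.100.0/24 office-hq
203.0.113.7/32 admin-home
192.0.2.0/26 atm-fleet'

# Return 0 if $1 is a well-formed IPv4 address or CIDR, 1 otherwise.
valid_cidr() {
  case "$1" in
    */*) ip=${1%%/*}; pfx=${1#*/} ;;
    *)   ip=$1; pfx=32 ;;
  esac
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  n=0; oldifs=$IFS; IFS=.
  for oct in $ip; do
    case "$oct" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
    [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# Pack a dotted quad into a 32-bit integer.
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if the plain IPv4 address $1 lies inside any allowlist network.
ip_allowed() {
  case "$1" in */*) return 1 ;; esac
  valid_cidr "$1" || return 1
  q=$(ip_to_int "$1")
  printf '%s\n' "$ALLOWLIST" | {
    while read -r cidr label; do
      [ -n "$cidr" ] || continue
      net=${cidr%%/*}
      case "$cidr" in */*) pfx=${cidr#*/} ;; *) pfx=32 ;; esac
      mask=$(( (4294967295 << (32 - pfx)) & 4294967295 ))
      [ $(( q & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] && exit 0
    done
    exit 1
  }
}

# Print an nftables ruleset that accepts TCP to the CAS admin port only from
# the allowlist and drops every other attempt. Policy stays "accept" so the
# example touches nothing but the CAS port; a hardened host would normally
# run policy drop with explicit accepts. Fails on any malformed entry.
gen_cas_ruleset() {
  printf 'table inet cas_admin {\n'
  printf '  set allowed {\n    type ipv4_addr; flags interval;\n    elements = {'
  printf '%s\n' "$ALLOWLIST" | {
    sep=' '
    while read -r cidr label; do
      [ -n "$cidr" ] || continue
      valid_cidr "$cidr" || { echo "bad allowlist entry: $cidr ($label)" >&2; exit 1; }
      printf '%s%s' "$sep" "$cidr"
      sep=', '
    done
  } || return 1
  printf ' }\n  }\n'
  printf '  chain input {\n    type filter hook input priority 0; policy accept;\n'
  printf '    tcp dport %s ip saddr @allowed accept\n' "$CAS_ADMIN_PORT"
  printf '    tcp dport %s counter drop\n' "$CAS_ADMIN_PORT"
  printf '  }\n}\n'
}

# Demo: print the ruleset; save it and syntax-check with "nft -c -f <file>"
# before loading it with "nft -f <file>".
gen_cas_ruleset
```

The address check is the part worth keeping around after the rules are loaded: feeding the source IPs from the CAS web server's access log through ip_allowed flags any admin-interface request that did not come from an office, home or ATM, which is exactly the traffic the zero-day needed.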