Bitcoin ATMs Devoured By Attackers Who Created Fake Admin Accounts – Naked Security

You wouldn’t know it from visiting the company’s main website, but General Bytes, a Czech company that sells bitcoin ATMs, is urging its customers to patch a critical money-draining bug in its server software.
The company claims worldwide sales of more than 13,000 ATMs, which cost $5,000 and up, depending on features and appearance.
Not every country has welcomed cryptocurrency ATMs. The UK regulator, for example, warned in March 2022 that none of the ATMs then operating in the country were officially registered, and said it would be contacting the operators to instruct them to shut the machines down.
We checked on our local cryptocurrency ATM at the time and found it displaying a “Terminal Offline” message. (The device has since been removed from the mall where it was installed.)
Nonetheless, General Bytes claims to serve customers in more than 140 countries, and its global map of ATM locations shows a presence on every continent except Antarctica.
Reported Security Incident
According to the General Bytes product knowledge base, a “security incident” with a severity level of Highest was discovered last week.
In the company’s own words:
The attacker was able to create an administrator user remotely through the CAS administration interface via a URL call to the page used for the default installation on the server and create the first administration user.
As far as we can tell, CAS is short for Coin ATM Server, and every General Bytes cryptocurrency ATM operator needs one.
You can host your CAS wherever you like, it seems, including on your own hardware in your own server room, but General Bytes has a special deal with hosting company Digital Ocean for a low-cost cloud solution. (You can also let General Bytes run the server for you in the cloud in return for a 0.5% cut of all cash transactions.)
According to the incident report, the attackers port-scanned Digital Ocean’s cloud address space, looking for listening web services (on ports 7777 or 443) that identified themselves as General Bytes CAS servers, in order to build a list of potential victims.
Note that the vulnerability exploited here was not Digital Ocean’s fault, nor was it limited to cloud-hosted CAS instances. We assume the attackers simply decided that Digital Ocean was a good place to start looking. Remember that with a fast internet connection (say 10Gbps) and freely available software, a determined attacker can now scan the entire IPv4 address space in a matter of hours, or even minutes. That is how public search engines such as Shodan and Censys work, continually scouring the internet to find out which servers and versions are currently running at which online locations.
Apparently, a vulnerability in the CAS itself allowed the attackers to manipulate the victim’s cryptocurrency service settings, including:
- Adding a new user with administrative privileges.
- Using this new admin account to reconfigure existing ATMs.
- Diverting all invalid payments to a wallet of their own.
As far as we can tell, this means that the attacks carried out were limited to transfers or withdrawals where the customer made a mistake.
In such cases, it seems, instead of the ATM operator retrieving the misdirected funds so that they can then be refunded or properly redirected…
…the funds would go directly and irreversibly to the attackers.
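To make the flaw concrete, here is an added illustrative model of the failure described above. It is not General Bytes’ code, and nothing about the real CAS installer is assumed beyond what the advisory says: a first-run page that creates the initial admin account stayed callable afterwards. The `Cas` class, the handler names, the loopback restriction and the one-time setup token are this example’s own design choices, not features of the real product.

```python
"""Model of a first-run installation page that creates the initial admin account.
The vulnerable handler keeps working after installation, so a remote caller who
finds the URL gets an admin account; the hardened handler is one-shot, local-only
and token-gated. Illustrative only, not General Bytes' code."""
import hashlib
import hmac
import ipaddress
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Cas:
    users: dict = field(default_factory=dict)      # username -> {"role", "salt", "hash"}
    installed: bool = False
    # Assumed design: a one-time secret shown on the server console at first start.
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def _add_user(cas, username, password, role):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    cas.users[username] = {"role": role, "salt": salt, "hash": digest}


def vulnerable_install(cas, username, password):
    """Vulnerable: trusts any caller, at any time. Replaying this URL after the
    real install silently adds a second administrator."""
    _add_user(cas, username, password, "admin")
    cas.installed = True
    return 200


def hardened_install(cas, username, password, remote_addr, token):
    """Hardened: the page stops existing once an admin exists, only answers
    loopback clients, and demands the one-time token (constant-time compare)."""
    if cas.installed or any(u["role"] == "admin" for u in cas.users.values()):
        return 404
    if not ipaddress.ip_address(remote_addr).is_loopback:
        return 403
    if not hmac.compare_digest(token, cas.setup_token):
        return 403
    _add_user(cas, username, password, "admin")
    cas.installed = True
    cas.setup_token = ""          # burn the token so it cannot be replayed
    return 201


def admins(cas):
    return sorted(name for name, rec in cas.users.items() if rec["role"] == "admin")


def scenario(hardened):
    """Operator installs from the console; later an attacker who port-scanned the
    server replays the install URL from the internet. Returns both HTTP status
    codes and the resulting admin list."""
    cas = Cas()
    if hardened:
        first = hardened_install(cas, "operator", "correct horse battery", "127.0.0.1", cas.setup_token)
        second = hardened_install(cas, "attacker", "pwned", "198.51.100.23", cas.setup_token)
    else:
        first = vulnerable_install(cas, "operator", "correct horse battery")
        second = vulnerable_install(cas, "attacker", "pwned")
    return first, second, admins(cas)


if __name__ == "__main__":
    print("vulnerable:", scenario(False))   # (200, 200, ['attacker', 'operator'])
    print("hardened:  ", scenario(True))    # (201, 404, ['operator'])
```

The order of the checks in `hardened_install` matters: the "already installed" test comes first and returns 404, so an attacker who somehow obtained the token still learns nothing and gets nothing once the operator has completed setup. Binding first-run setup to loopback also means the page is never reachable from the port scan described above, whatever the firewall does.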
General Bytes did not say how this flaw came to its attention, although we imagine that any ATM operator fielding a support call about a failed transaction would quickly notice that their service settings had been tampered with and raise the alarm.
Indicators of Compromise
The attackers, it seems, left various telltale signs of their activity behind, so General Bytes was able to list numerous so-called Indicators of Compromise (IoCs) to help its users identify hacked CAS configurations.
(Remember, of course, that the absence of IoCs does not guarantee the absence of attackers, but known IoCs are a practical starting point when it comes to detecting and responding to threats.)
Fortunately, perhaps because this exploit relied on invalid payments rather than letting the attackers drain ATMs directly, the overall financial losses in this incident do not run to the multi-million dollar sums often associated with cryptocurrency blunders.
General Bytes claimed yesterday [2022-08-22] that the “[i]ncident was reported to the Czech police. The total damage caused to the ATM operators based on their comments amounts to US$16,000.”
The company also automatically deactivated all ATMs it was operating on behalf of its customers, requiring those customers to log in and review their own settings before reactivating their ATM devices.
What to do?
General Bytes has listed an 11-step process for its customers to follow to resolve this issue, including:
- Patching the CAS server.
- Reviewing firewall settings to restrict access to as few network users as possible.
- Deactivating ATM terminals so that the server can be brought back up for examination.
- Reviewing all settings, including any dummy terminals that may have been added.
- Reactivating terminals only after completing all threat-hunting steps.
This attack, by the way, is a strong reminder that contemporary threat response is not just about patching holes and removing malware.
In this case, the criminals implanted no malware at all: the attack was orchestrated purely through malicious configuration changes, leaving the underlying operating system and server software untouched.
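As an added example of the hunting that the IoC section and the checklist above call for, the following script (ours, not General Bytes’) looks for the three configuration-level traces this attack leaves: a new admin account, a terminal that was never in the operator’s inventory, and a change of the invalid-payment wallet. The JSON-lines audit format, the field names, the five sample events, the allow-lists and the install date are all constructed for the example; a real CAS export will differ, so `parse_event` is the part to adapt.

```python
"""Hunt a CAS-style audit log for the configuration IoCs this attack leaves.
The log format and the sample events are constructed for this example."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample: five lines of a hypothetical JSON-lines audit export.
SAMPLE_LOG = """\
{"ts":"2022-08-10T09:14:02Z","actor":"ops-admin","src":"10.20.0.5","action":"login","details":{}}
{"ts":"2022-08-17T03:41:55Z","actor":"-","src":"198.51.100.23","action":"user.create","details":{"user":"sysadmin2","role":"admin","via":"/install"}}
{"ts":"2022-08-17T03:42:10Z","actor":"sysadmin2","src":"198.51.100.23","action":"terminal.add","details":{"serial":"BT300000","label":"Test"}}
{"ts":"2022-08-17T03:43:01Z","actor":"sysadmin2","src":"198.51.100.23","action":"setting.change","details":{"key":"invalid_payment_address","old":"bc1qoperatorwallet0000000000000000000000000","new":"bc1qattackerwallet1111111111111111111111111"}}
{"ts":"2022-08-18T11:02:33Z","actor":"ops-admin","src":"10.20.0.5","action":"setting.change","details":{"key":"buy_fee_percent","old":"6","new":"5.5"}}
"""

# The operator's own ground truth (assumed values for the example).
INSTALL_COMPLETED = datetime(2022, 1, 15, tzinfo=timezone.utc)  # when this CAS was first set up
KNOWN_ADMINS = {"ops-admin"}
KNOWN_TERMINALS = {"BT100123", "BT100124"}
KNOWN_WALLETS = {"bc1qoperatorwallet0000000000000000000000000"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
PRIVILEGED = {"user.create", "terminal.add", "setting.change"}


def parse_event(line):
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def reasons_for(ev):
    """Return the list of IoC reasons an event triggers (empty if benign)."""
    if ev["action"] not in PRIVILEGED:
        return []
    d, reasons = ev["details"], []
    if ev["actor"] not in KNOWN_ADMINS:
        reasons.append(f"privileged action by unknown actor {ev['actor']!r}")
    src = ipaddress.ip_address(ev["src"])
    if not any(src in net for net in ADMIN_NETWORKS):
        reasons.append(f"source {ev['src']} is outside the admin networks")
    if ev["action"] == "user.create" and d.get("role") == "admin":
        note = f"new admin account {d['user']!r}"
        if d.get("via") == "/install" and ev["ts"] > INSTALL_COMPLETED:
            note += " created through the install page long after installation"
        reasons.append(note)
    if ev["action"] == "terminal.add" and d.get("serial") not in KNOWN_TERMINALS:
        reasons.append(f"terminal {d['serial']!r} is not in the inventory (possible dummy terminal)")
    if (ev["action"] == "setting.change" and d.get("key") == "invalid_payment_address"
            and d.get("new") not in KNOWN_WALLETS):
        reasons.append(f"invalid-payment wallet changed to unknown address {d['new']}")
    return reasons


def hunt(log_text):
    """Return one finding per suspicious event, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "actor": ev["actor"],
                             "action": ev["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["action"], "by", f["actor"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data the hunt flags the admin creation, the unknown terminal and the wallet change, and nothing else: the fee change made by the known admin from the admin network stays quiet. Because each finding carries every reason it triggered, an account created through the install page from an unknown address shows up even if one of the allow-lists is incomplete, which is the property you want when the attacker left no malware and the configuration is the only evidence.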