Exploiting Zero-Day Vulnerability – The Crypto Edition
Exploiting software flaws has become routine for cybercriminals. In fact, companies all over the world are still suffering from one of the biggest vulnerabilities known to date – Log4Shell. That aside, a new flaw was made public by General Bytes, as the Bitcoin ATM manufacturer confirmed that hackers have successfully plundered cryptocurrency from its users.
Threat actors are always on the lookout for such flaws to carry out their attacks. And when something like CAS (Crypto Application Server) – a self-hosted product from General Bytes – shows even a single vulnerability, rest assured it is going to be targeted.
The unnamed hackers clearly know what they’re doing. But we have to ask: How many servers did they breach? How much crypto did they steal? We’ve discussed everything below.
General Bytes Breach – A Simple Vulnerability, A Huge Crypto Heist
As we mentioned, exploiting vulnerabilities has become a successful form of attack for threat actors. Emphasis on “successful”: they have gotten a lot out of these practices in the past.
No software is perfect, which is why updates are issued every now and then. From companies like Uber to WhatsApp, every one of them has previously had flaws, and in the end these vulnerabilities cost them a lot.
While the aforementioned flaws did a lot of damage, the one at hand can do much more. Well, they’re stealing crypto – how much bigger can it get?
General Bytes provides its customers (companies) with a convenient service called CAS. It allows them to easily manage Bitcoin ATMs from a central location via a web browser on a desktop or a mobile device.
The flaw is a bug in the CAS admin interface, which the attackers used to add a new default admin user named “gb” to the CAS.
That of course happened after they scanned the DigitalOcean cloud hosting IP address space to identify CAS services listening on ports 7777 or 443. According to General Bytes:
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user.
The attacker modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting,” it said. “Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to [the] ATM.”
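The bug class described in the quote above, modelled in Python as an added example (not General Bytes’ code, which the article does not show): a first-admin bootstrap handler that never checks whether installation already happened, beside a hardened version, plus a log hunt for the call pattern. The setup path, the admin store and the log lines are constructed; the real CAS URL is not given in the article.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

SETUP_PATH = "/setup/create-first-admin"  # hypothetical path; the article does not name the real CAS URL
LOOPBACK = ("127.0.0.1", "::1")
@dataclass
class AdminStore:
    admins: dict = field(default_factory=dict)  # username -> password (constructed; real code stores hashes)
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # shown once at install

def vulnerable_create_first_admin(store, username, password):
    # Flaw pattern from the article: the installer page stays reachable after setup
    # and never asks whether an administrator already exists.
    store.admins[username] = password
    return 201

def hardened_create_first_admin(store, username, password, remote_addr, token):
    # Same endpoint with the checks a one-time bootstrap page needs.
    if store.admins:  # installation already completed: endpoint is closed for good
        return 403
    if remote_addr not in LOOPBACK:  # bootstrap only from the server itself
        return 403
    if not hmac.compare_digest(token, store.setup_token):  # token printed at install time
        return 403
    store.admins[username] = password
    return 201
# Combined-log-format prefix: client IP, method, path and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
def suspicious_setup_calls(log_lines):
    # Retro-hunt: after the first successful bootstrap call, any further request to the
    # setup page, or any request to it from a non-loopback address, matches this breach.
    hits, installed = [], False
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m or m.group(3).split("?")[0] != SETUP_PATH:
            continue
        ip, method, _, status = m.groups()
        if installed or ip not in LOOPBACK:
            hits.append((n, ip, method, status))
        installed = installed or status.startswith("2")
    return hits
# Constructed sample log: the legitimate local install, then a remote call creating "gb".
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Aug/2022:09:00:01 +0000] "POST /setup/create-first-admin HTTP/1.1" 201 12',
    '203.0.113.7 - - [18/Aug/2022:02:13:44 +0000] "GET /setup/create-first-admin?user=gb HTTP/1.1" 201 12',
    '203.0.113.7 - - [18/Aug/2022:02:13:50 +0000] "POST /login HTTP/1.1" 200 530',
]
```

Run `suspicious_setup_calls(SAMPLE_LOG)` against your own access logs with `SETUP_PATH` set to the vendor’s actual bootstrap page; every hit after the install date deserves an account review.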
An attack of this caliber can do a lot of damage. Cryptocurrency is popular now and it is valuable. When an attacker can tap into that, victims tend to lose a lot in the process, possibly their life savings.
General Bytes Breach – An Attack They Never Foresaw
The company states that its service went through security audits back in 2020; however, the flaw was not found back then.
Moreover, it claimed that the attack occurred directly after the “Help Ukraine” feature announcement – coincidence?
Do we have a suspect? We’ll just leave the assumption to you and the investigation to General Bytes. If you’re one of the affected victims, make sure to take all the precautions needed.