Bitcoin ATM bug let thieves siphon off crypto withdrawals
A zero-day in an ATM allowed thieves to divert the tokens to their wallets
A security vulnerability in a series of bitcoin ATM machines allowed cybercriminals to steal valuable tokens from users, it has been revealed.
In an announcement, General Bytes, the maker of the ATMs in question, said that unknown threat actors discovered a zero-day vulnerability in the devices and used it to siphon cryptocurrencies from user accounts.
As the company explained, these ATMs are controlled by a remote Crypto Application Server (CAS), and whoever was behind the theft found a hole in the CAS.
"The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user," General Bytes said. "This vulnerability has been present in CAS software since version 20201208."
Diverting the coins
After that, whenever someone tried to deposit or withdraw cryptocurrency using the ATM, the funds would simply be diverted to a wallet belonging to the hackers.
"Two-way ATMs started to forward coins to the attacker's wallet when customers sent coins to ATM," the company further explained.
The company was tipped off by a user whose funds had been stolen. It is unclear how many people were affected by the flaw, or how much in cryptocurrencies the thieves managed to steal.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Since then, though, a patch has been released. The company has updated the CAS to versions 20220531.38 and 20220725.22 and urged ATM service providers to pull the devices out until they apply the patch. Most of the unpatched devices, roughly two dozen of them, are located in Canada, it was said.
Furthermore, as BleepingComputer reported, the attack would not have been possible in the first place, had the servers been firewalled to only allow trusted IP addresses to establish a connection.
- Shield against threat actors with the best identity theft protection services
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.