A Bitcoin ATM company has had its systems compromised by a zero-day exploit which enabled hackers to siphon off an undisclosed amount of the digital currency.
General Bytes noted in a “highest” severity alert on Friday that a zero-day bug in its critical Crypto Application Server (CAS) was to blame for the attack.
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” the alert revealed.
“This vulnerability has been present in CAS software since version 20201208.”
The Prague-based firm, which claims to be the world’s largest maker of cryptocurrency ATMs, said that after creating a new default admin user, the hackers were then able to modify the crypto settings of two-way machines.
“Two-way ATMs started to forward coins to the attacker's wallet when customers sent coins to ATM,” it added.
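The weakness described above, a first-run "create admin" page that keeps accepting requests after installation, as an added illustration that is not General Bytes' code: a minimal handler in the vulnerable pattern beside a hardened one that closes the bootstrap path once any admin exists and refuses remote callers. Names, fields and the local-only assumption are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class ServerState:
    """Toy server state: admin accounts and whether first-run setup is done."""
    admins: dict = field(default_factory=dict)   # username -> (salt, hash)
    setup_completed: bool = False


def _hash_password(password: str) -> tuple:
    # Salted PBKDF2 for the toy; production code would use a tuned KDF/argon2.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def create_first_admin_unsafe(state: ServerState, username: str, password: str) -> bool:
    """Vulnerable pattern: the installer page never stops working.
    Anyone who can reach its URL after installation adds an admin account."""
    state.admins[username] = _hash_password(password)
    return True


def create_first_admin_hardened(state: ServerState, username: str,
                                password: str, request_is_local: bool) -> bool:
    """Hardened pattern (hypothetical): one bootstrap admin, only while setup
    is pending, and only from the local host."""
    if state.setup_completed or state.admins:
        return False        # bootstrap endpoint is closed once an admin exists
    if not request_is_local:
        return False        # never let a remote caller bootstrap the server
    state.admins[username] = _hash_password(password)
    state.setup_completed = True
    return True


def audit_admins(state: ServerState, expected: set) -> set:
    """Remediation-style check: report admin accounts not on the expected list."""
    return set(state.admins) - expected
```

Running `audit_admins` against the list of administrators an operator knows it created is the kind of review the vendor's remediation steps call for.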
The attackers did not manage to access the host operating system, host file system, database or any passwords, password hashes, salts, private keys or API keys. However, it’s unclear how much in customer funds they were able to steal before the attack was discovered.
The CAS server has now been patched with two updates, and all clients are urged to stop operating their ATMs until they have completed a series of remediation steps.
It’s unclear who the attackers were in this case, although General Bytes revealed that the raid occurred three days after it announced a “Help Ukraine” feature on its ATMs.
More concerning is the fact that the bug in question was not identified by the firm in “multiple security audits since 2020.”
Earlier this year the UK’s financial regulator branded any crypto ATMs operating in the UK illegal.