Bitcoin ATM manufacturer General Bytes confirmed that it was a victim of a cyberattack that exploited a previously unknown flaw in its software to plunder cryptocurrency from its users.
It’s not immediately clear how many servers were breached using this flaw and how much cryptocurrency was stolen.
CAS is short for Crypto Application Server, a self-hosted product from General Bytes that enables companies to manage Bitcoin ATM (BATM) machines from a central location via a web browser on a desktop or a mobile device.
The zero-day flaw, which concerned a bug in the CAS admin interface, has been mitigated in two server patch releases, 20220531.38 and 20220725.22.
General Bytes said the unnamed threat actor identified servers running CAS services on ports 7777 or 443 by scanning the DigitalOcean cloud hosting IP address space, then abused the flaw to add a new default admin user named “gb” to the CAS.
Ultimately, the goal of the attack was to modify the settings in such a manner that all funds would be transferred to a digital wallet address under the adversary’s control.
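The two post-exploitation actions described above (an unexpected admin account appearing and the payout wallet being swapped) are what an operator would hunt for in CAS audit logs. The following is an added detection example, not code from the article or from General Bytes; the audit-line layout, the `ADMIN_CREATED`/`SETTINGS_CHANGED` event names, the allowlists and the sample lines are all constructed assumptions.

```python
"""Flag the two actions from the General Bytes incident in audit logs:
an unapproved admin account being created, and the payout wallet being
changed to an address the operator does not own. The log format is
hypothetical and the sample lines are constructed for this example."""
import re

# Operator-maintained allowlists (placeholder values, not real accounts/addresses).
APPROVED_ADMINS = {"alice", "bob"}
APPROVED_WALLETS = {"bc1qoperatorwalletplaceholder0000000000000"}

# Hypothetical audit-line layout: "<timestamp> <EVENT> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<rest>.*)$")


def _kv(rest: str) -> dict:
    """Parse 'key=value' pairs; values never contain spaces in this format."""
    return dict(part.split("=", 1) for part in rest.split() if "=" in part)


def hunt(lines):
    """Return (timestamp, kind, detail) tuples for suspicious events."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the expected layout
        event, kv = m["event"], _kv(m["rest"])
        if event == "ADMIN_CREATED" and kv.get("user") not in APPROVED_ADMINS:
            findings.append((m["ts"], "unapproved_admin", kv.get("user", "?")))
        elif (event == "SETTINGS_CHANGED" and kv.get("key") == "payout_wallet"
              and kv.get("new") not in APPROVED_WALLETS):
            findings.append((m["ts"], "wallet_redirect", kv.get("new", "?")))
    return findings


# Constructed sample: routine admin activity, then the attack pattern.
SAMPLE_LOG = """\
2022-08-18T02:10:05Z LOGIN user=alice src=10.0.0.5
2022-08-18T02:11:40Z ADMIN_CREATED user=gb by=anonymous src=203.0.113.7
2022-08-18T02:12:02Z SETTINGS_CHANGED key=payout_wallet old=bc1qoperatorwalletplaceholder0000000000000 new=bc1qattackerplaceholder000000000000000000 by=gb
2022-08-18T02:13:00Z LOGOUT user=alice
""".splitlines()

if __name__ == "__main__":
    for ts, kind, detail in hunt(SAMPLE_LOG):
        print(f"{ts} {kind}: {detail}")
```

Either finding on its own is worth paging on; the pair in quick succession, as in the sample, matches the sequence General Bytes described.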