A zero-day vulnerability was exploited on Thursday, causing a worldwide outage of General Bytes Bitcoin ATMs and the theft of at least 10 BTC.
General Bytes, the second largest manufacturer of Bitcoin (BTC) ATMs, confirmed that a vulnerability in its server software was exploited, leading to downtime on its machines and the theft of Bitcoin (BTC) from some of them.
Users on Twitter reported that ATMs were unavailable for hours.
This is one of the largest Bitcoin (BTC) ATM hacks known to date, both in terms of stolen funds and overall scope.
Operators were advised to halt operation immediately and wait for a security patch; the alert went out on Thursday evening at 7:35 PM local time.
According to sources close to BitcoinNews.com, at least 10 BTC were stolen by the attackers.
The attack exploited a vulnerability that had existed for some time and gone unnoticed. The attackers identified the IP addresses and ports of exposed ATM cloud servers and used the flaw to create their own user with administrative rights. With that access they were able to alter key settings such as the wallet addresses that customers send Bitcoin (BTC) to when they sell Bitcoin (BTC) for cash at a two-way ATM, so that the coins went to the attackers instead of the operator.
The hackers also added a fake donation button showing a Ukrainian flag, which opened a popup window asking for donations to buy military equipment.
BitcoinNews.com reached out to operators, and one described how he was dealing with the problem:
“Pretty bad, cancelled all meetings and going out and focused on bringing it back online. In all servers I had new terminals created to make fake buys and drain the wallets. And the invalid payment addresses and sell settings in CAS were redirecting to the attacker’s addresses. Also there were new admin rights users created. Even in the cloud server that GB runs they couldn’t stop it from making all the changes so they disabled the machines and now they are locked. I didn’t even know they [GB] could do that.”
On Thursday at 7:35 PM European time, the company posted an alert in its Telegram group for operators, reaching 416 subscribers who are assumed to be clients and operators.
“IMPORTANT: We are sorry to inform you that 30 minutes ago a security issue has been identified in our CAS admin service which allows an attacker to create a CAS user with administrative rights and therefore modify terminal cryptosettings, for example by setting an invalid payment address cryptosetting or setting his own sell wallet.”
“DO NOT continue to operate your GB ATM server unless you have implemented the solution described below!” operators were told, shortly after the issue had been identified.
As an ad-hoc mitigation in lieu of a patch, General Bytes’ immediate recommendation was to put the CAS admin interface behind a firewall that only allows the operator’s own IP addresses. That is a standard operators should follow regardless of this bug: the administrative interface of a system that moves money should never be reachable from the whole internet.
“We recommend you to:
0. Immediately limit access to your CAS admin on the firewall to only your IP addresses (for example home or office).
1. Review the list of the CAS users on your server, make sure no new user is on your CAS server and check their permissions.
2. Review your cryptocurrency crypto-settings by executing cryptosetting tests.
3. Contact GB support if you need any assistance. Make sure you mention your server version.
4. If you don’t know how to change your firewall settings, shut down your admin and master service until the patch is provided.
We will inform you once we have more information.”
These instructions were sent directly to operators.
The incident caused outages of General Bytes ATMs around the world as operators worked to contain the damage. Turning the ATMs off entirely was the only way to prevent further transactions while servers were reset and reinstalled to fix the issue.
General Bytes, headquartered in the Czech Republic, shared more details about the vulnerability two days later:
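The five recommendations above amount to an audit procedure: confirm the admin interface is only reachable from the operator’s own addresses, diff the CAS user list against what it looked like before, and check that every terminal’s crypto settings still point at the operator’s wallets. The Python below is an added example, not General Bytes code, that runs those checks over constructed data. It assumes the CAS admin interface sits behind a reverse proxy writing combined-format access logs and is served under a hypothetical `/admin` path (the page redacts the real port, so the check keys off the path), and that the operator kept a known-good snapshot of CAS users and per-terminal crypto settings. All log lines, user names, permission names and wallet values are constructed placeholders.

```python
"""Post-incident audit for a crypto ATM admin server.

Added example, not General Bytes code. Assumptions (all hypothetical):
- the CAS admin interface is fronted by a reverse proxy that writes
  combined-format access logs, with the admin UI under the path /admin;
- the operator kept a known-good snapshot of CAS users and of each
  terminal's crypto settings before the incident.
All sample data below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Step 0: only the operator's own networks may reach the admin interface.
# Assumption: replace with your real office/home ranges.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def admin_requests_from_outside(log_lines: Iterable[str], admin_prefix: str = "/admin") -> list[dict]:
    """Requests to the admin interface from IPs outside ALLOWED_NETS.

    Once the step-0 firewall rule is in place this must come back empty for
    new log lines; anything listed either predates the rule or shows that
    the rule is not actually effective.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(admin_prefix):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            hits.append({"ip": str(ip), "method": m["method"], "path": m["path"], "status": int(m["status"])})
    return hits


def audit_users(baseline: dict[str, set[str]], current: dict[str, set[str]]) -> dict:
    """Step 1: diff CAS users and permissions against the pre-incident snapshot.

    'new' catches accounts an attacker created, 'escalated' catches existing
    accounts that gained rights, and 'missing' catches accounts that vanished,
    which is what a renamed default admin looks like in a name-keyed diff.
    """
    report: dict = {"new": {}, "escalated": {}, "missing": set()}
    for user, perms in current.items():
        before = baseline.get(user)
        if before is None:
            report["new"][user] = set(perms)
        elif perms - before:
            report["escalated"][user] = perms - before
    report["missing"] = set(baseline) - set(current)
    return report


def crypto_setting_drift(expected: dict[str, dict[str, str]],
                         current: dict[str, dict[str, str]]) -> dict[str, dict[str, tuple]]:
    """Step 2: compare each terminal's sell wallet and invalid-payment address
    with the operator's known-good values. Any drift means customer coins are
    being redirected. A terminal absent from `expected` (one the attacker
    created) is reported in full, with None as the expected value."""
    drift = {}
    for terminal, settings in current.items():
        want = expected.get(terminal, {})
        bad = {k: (want.get(k), v) for k, v in settings.items() if want.get(k) != v}
        if bad:
            drift[terminal] = bad
    return drift


# --- constructed sample data -------------------------------------------------
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Aug/2022:18:01:07 +0200] "GET /admin/terminals HTTP/1.1" 200 5120',
    '192.0.2.77 - - [18/Aug/2022:19:05:12 +0200] "POST /admin/users HTTP/1.1" 201 88',
    '192.0.2.77 - - [18/Aug/2022:19:06:40 +0200] "POST /admin/cryptosettings HTTP/1.1" 200 310',
    '192.0.2.77 - - [18/Aug/2022:19:07:03 +0200] "GET /public/status HTTP/1.1" 200 12',
]
BASELINE_USERS = {"admin": {"ADMIN"}, "ops": {"VIEW", "CASH_OUT"}}
CURRENT_USERS = {"renamed_admin": {"ADMIN"}, "ops": {"VIEW", "CASH_OUT", "ADMIN"}, "svc9": {"ADMIN"}}
# Wallet values are placeholders; only equality with the snapshot matters here.
EXPECTED_CRYPTO = {t: {"sell_wallet": "OPERATOR_SELL", "invalid_payment_address": "OPERATOR_FALLBACK"}
                   for t in ("T1", "T2")}
CURRENT_CRYPTO = {
    "T1": {"sell_wallet": "OPERATOR_SELL", "invalid_payment_address": "OPERATOR_FALLBACK"},
    "T2": {"sell_wallet": "ATTACKER_WALLET", "invalid_payment_address": "ATTACKER_WALLET"},
    "T9": {"sell_wallet": "ATTACKER_WALLET", "invalid_payment_address": "ATTACKER_WALLET"},
}


def run_audit() -> dict:
    return {
        "outside_admin_access": admin_requests_from_outside(SAMPLE_LOG),
        "users": audit_users(BASELINE_USERS, CURRENT_USERS),
        "crypto_drift": crypto_setting_drift(EXPECTED_CRYPTO, CURRENT_CRYPTO),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2, default=sorted))
```

The point of the user diff keying on names is that a renamed default admin shows up as one account missing and one unknown account appearing, which is exactly the pattern worth escalating. The crypto-settings check deliberately treats an unknown terminal as fully drifted rather than ignoring it, since a terminal the operator never configured has no legitimate reason to exist.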
What happened
- The attacker identified a security vulnerability in the CAS admin interface.
- The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports (redacted), including the General Bytes Cloud service and other GB ATM operators running their servers there, as Digital Ocean is a recommended cloud hosting provider.
- Using this security vulnerability, the attacker created a new default admin user, organization, and terminal.
- The attacker accessed the CAS interface and renamed the default admin user to ‘redacted’.
- The attacker modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting.
- Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to the ATM.
General Bytes has excelled in growth and led the ranking of newly installed ATMs in July with 307 new terminals, a 4% increase. Whether news of the hack will help or hinder General Bytes’ future growth will be decided by customers; a positive for existing clients and operators is that the vulnerability has at least now been found and fixed.