
Cyber Incident Victim: General Bytes

Date: Aug 2022

Location: Czechia

Summary

Hackers exploited a zero-day vulnerability in a Bitcoin ATM manufacturer's server software, enabling them to remotely create administrative accounts and hijack cryptocurrency transactions. The attackers scanned cloud hosting IP ranges to identify vulnerable servers, then altered ATM configurations to divert customer funds to their own wallets. The company addressed the flaw through server patches and reported the incident to law enforcement; affected operators reported losses totaling $16,000, and the flaw had gone undetected despite previous security audits.

CIA Posture: (members only)

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 0 actors

Description

In August 2022, Bitcoin ATM manufacturer General Bytes disclosed a cyberattack exploiting a zero-day vulnerability in its Crypto Application Server (CAS) software, which facilitated the theft of cryptocurrency from its users. The flaw, present in CAS versions released since December 8, 2020, allowed attackers to remotely create an administrative user via the CAS administrative interface by exploiting a URL call intended for initial server setup. Threat actors identified vulnerable CAS instances by scanning DigitalOcean cloud IP addresses for services running on ports 7777 or 443. Upon successful exploitation, they added a default admin user named "gb" to compromised systems. This unauthorized access enabled the modification of cryptocurrency settings on two-way ATMs, redirecting customer transactions to attacker-controlled wallets. The incident occurred three days after General Bytes publicly announced a "Help Ukraine" feature on its ATMs, though no direct link between the two events was confirmed.


General Bytes responded by releasing two server patches to mitigate the vulnerability and reported the incident to Czech law enforcement. The attackers specifically altered ATM configurations to intercept funds when customers attempted to send coins to the machines, exploiting the "invalid payment address" setting. While the initial disclosure did not specify the total impact, a subsequent advisory cited operator-reported losses of $16,000. The company noted that multiple security audits conducted since 2020 had failed to identify the vulnerability prior to exploitation. No details regarding the number of breached servers or broader cryptocurrency losses beyond the confirmed $16,000 were provided in the available information.
