1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Bitcoin ATM bug let thieves siphon off crypto withdrawals

    From TechnologyDaily@1337:1/100 to All on Mon Aug 22 20:15:03 2022
    Bitcoin ATM bug let thieves siphon off crypto withdrawals

    Date:
    Mon, 22 Aug 2022 19:05:04 +0000

    Description:
    A zero-day in an ATM allowed thieves to divert the tokens to their wallets.

    FULL STORY ======================================================================

    A security vulnerability in a series of bitcoin ATM machines allowed cybercriminals to steal valuable tokens from users, it has been revealed.

    In an announcement, General Bytes, the maker of the ATMs in question, said that unknown threat actors discovered a zero-day vulnerability in the devices and used it to siphon cryptocurrencies from user accounts.

    As the company explained, these ATMs are controlled by a remote Crypto Application Server (CAS), and whoever was behind the theft found a hole in
    the CAS.

    "The attacker was able to create an admin user remotely via CAS
    administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user," General Bytes said. "This vulnerability has been present in CAS software since version 20201208." Diverting the coins

    After that, whenever someone tried to deposit or withdraw cryptocurrency
    using the ATM, the funds would simply be diverted to a wallet belonging to
    the hackers.

    "Two-way ATMs started to forward coins to the attacker's wallet when
    customers sent coins to ATM," the company further explained.

    The company was tipped off by a user whose funds had been stolen. It is unclear how many people were affected by the flaw, or how much in cryptocurrencies the thieves managed to steal. Read more

    Australia gets its first Bitcoin ATM




    Bitcoin cash machine pops up in Tech City, offering digital dough for
    banknotes

    Since then, though, a patch has been released. The company has updated the
    CAS to versions 20220531.38 and 20220725.22 and urged ATM service providers
    to pull the devices out until they apply the patch. Most of the unpatched devices, roughly two dozen of them, are located in Canada, it was said.

    Furthermore, as BleepingComputer reported, the attack would not have been possible in the first place, had the servers been firewalled to only allow trusted IP addresses to establish a connection. Shield against threat actors with the best identity theft protection services

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/bitcoin-atm-bug-let-thieves-siphon-off-crypto-w ithdrawals/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)