General Bytes released a security alert on Friday concerning a zero-day bug detected in its Crypto Application Server (CAS). The Bitcoin ATM company explained how the exploit allowed hackers to steal an undisclosed amount of the digital currency. The advisory states that the attacker was able to create an admin user remotely by exploiting the zero-day vulnerability. General Bytes confirmed that this occurred due to the CAS administrative interface through a URL call located on the page, which was used for the default installation on the server and the administrative privileges.
The company is based in Prague and claims to be one of the world’s leaders in cryptocurrency ATMs. After giving themselves admin powers, the hackers were able to modify the cryptocurrency settings of the machines and siphon money. The attackers have not been identified by General Bytes and reportedly did not access the host operating system, file system, database, or passwords. The amount of funds stolen during the attack remains unclear. The CAS server has since been patched and those operating ATMs should complete a series of remediation steps before reopening the machines.
Read More: Hackers Target ATM Maker for Bitcoins