DO NOT continue to operate your General Bytes ATM server (CAS) unless you have implemented the solution described below!
Severity: Highest
Description: The attacker was able to upload his own Java application remotely via the master service interface used by terminals to upload videos, and run it with batm user privileges.
This resulted in:
- Ability to access the database.
- Ability to read and decrypt the API keys used to access funds in hot wallets and exchanges.
- Ability to send funds from hot wallets.
- Ability to download user names and their password hashes, and to turn off 2FA.
- Ability to access terminal event logs and scan for any instance where a customer scanned a private key at the ATM. Older versions of the ATM software logged this information.
GENERAL BYTES is shuttering its Cloud service.
It is theoretically (and practically) impossible to secure a system that grants access to multiple operators at the same time when some of them are bad actors. You will need to install your own Standalone server. GB support will help you migrate your data from the GB Cloud to your own Standalone server.
Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With a VPN and firewall in place, attackers on the open internet cannot reach your server to exploit it. If your server was breached, reinstall the whole server, including the operating system.
Additionally, consider all your users' passwords and your API keys to exchanges and hot wallets to be compromised. Invalidate them and generate new keys and passwords.
The CAS security fix is provided in two server patch releases: 20221118.48 and 20230120.44.
Please ensure you implement all of the other steps, not just the server upgrade.
Steps for ALL Operators:
- Review all your CAS users, their permissions and groups, and delete any unrecognized users.
- Check all CAS users' email addresses (in Persons) and reset all user passwords (except your own) as a precautionary measure.
- Review your Crypto Settings and run the Crypto Settings tests to verify that your crypto addresses and strategies are correct. The attacker may have changed your SELL Crypto Settings so that coins from customers are received into his wallet, so double-check that everything is as it should be.
- Delete any unrecognized or unpaired terminals.
- Activate only the verified terminals.
- Set up a VPN connection to the terminals to ensure secure communication.
Taking these steps helps protect your system and mitigates the risk of future attacks.
Specific steps for Standalone Operators:
- Stop the admin and master services and wait until the patch release is available.
- If your BATM server was breached, reinstall it, including the operating system, to ensure that no code left by the attacker remains on your server. (See: Standalone CAS CLI Installation)
- Upgrade your server to the latest version, 20230120.44. If you are currently running version 20221118, you can also apply the fix by upgrading to patch release 20221118.48. Do not start the server until the upgrade is complete. https://generalbytes.atlassian.net/l/cp/uDWwYSuQ
- Modify your server firewall settings so that the CAS admin interface, running on TCP port 7777 or 443, is only accessible from IP addresses you trust, such as your office or home. Refer to the firewall configuration guide for assistance: https://generalbytes.atlassian.net/l/cp/ikf0h0Ld
- Move your terminals and server behind a VPN and make sure the master service interface (port 7741) is accessible only by terminals on the VPN. (See: CAS Admin via VPN; Terminal VPN & Security | Terminal VPN)
- Deactivate all your terminals in the CAS interface to prevent any sales on the machines. Alternatively, you can deactivate only the two-way machines.
- Review all your CAS users, their permissions and groups, and make sure that only users you trust have administration rights.
- Check whether the attacker added any terminals and remove them if necessary.
- Activate the terminals.
- If you were breached, review the admin.log file for more details on the attacker's activity.
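One way to carry out the two firewall steps above on a Linux Standalone host, as an added example that is not General Bytes' firewall guide or code: a POSIX shell script that generates an nftables ruleset exposing the admin interface (TCP 7777 or 443, the ports named on this page) only to trusted admin addresses and the master service interface (TCP 7741) only to terminals on the VPN, with a default drop for everything else. The trusted admin addresses (TEST-NET ranges), the VPN subnet 10.8.0.0/24, the interface name tun0 and the VPN listener on UDP 1194 are placeholder assumptions you must replace with your own values.

```shell
#!/bin/sh
# Added example, not General Bytes' own firewall configuration.
# Generates an nftables ruleset for a Standalone CAS host so that
#   - the CAS admin interface (TCP 7777 or 443) answers only trusted admin IPs
#   - the master service interface (TCP 7741) answers only VPN-connected terminals
#   - everything else, including 7741 from the open internet, is dropped and logged.
# All addresses, interface and VPN port below are assumptions for illustration.

ADMIN_ALLOW="203.0.113.10/32 198.51.100.0/24"   # assumed office/home addresses
SSH_ALLOW="203.0.113.10/32"                     # assumed admin host for SSH
VPN_SUBNET="10.8.0.0/24"                        # assumed terminal VPN address range
VPN_IFACE="tun0"                                # assumed VPN interface on the CAS host
VPN_PORT="1194"                                 # assumed VPN listener (OpenVPN default)

# Turn a whitespace-separated list of CIDRs into nft set syntax: "{ a, b }"
nft_set() {
    printf '{ %s }' "$(printf '%s\n' $1 | paste -s -d ',' - | sed 's/,/, /g')"
}

# Print the complete ruleset on stdout for review or for "nft -f -".
cas_ruleset() {
    cat <<EOF
flush ruleset
table inet cas_fw {
    set admin_allow {
        type ipv4_addr
        flags interval
        elements = $(nft_set "$ADMIN_ALLOW")
    }
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and return traffic for connections the server opened itself
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # the VPN tunnel endpoint must stay reachable so terminals can connect
        udp dport $VPN_PORT accept

        # CAS admin interface (TCP 7777 or 443): trusted admin addresses only
        tcp dport { 443, 7777 } ip saddr @admin_allow accept

        # master service interface (TCP 7741): only terminals inside the VPN
        iifname "$VPN_IFACE" ip saddr $VPN_SUBNET tcp dport 7741 accept

        # SSH for server administration from the admin host only
        tcp dport 22 ip saddr $(nft_set "$SSH_ALLOW") accept

        # default policy drops the rest; log a sample so probes of 7741/7777 are visible
        limit rate 10/minute log prefix "cas-drop: "
    }
}
EOF
}

# Print the generated ruleset so it can be reviewed before it is applied.
cas_ruleset
```

Check the syntax with `cas_ruleset | nft -c -f -` before applying it with `cas_ruleset | nft -f -`, and do so from a console session or with a scheduled rollback so a typo in ADMIN_ALLOW cannot lock you out. The ruleset only narrows who can reach the two interfaces; it does not replace the patch release or the password and API key rotation listed above, since an attacker who already holds valid credentials or keys is not stopped by an address allow list.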