
...

Note

Please ensure you implement all other steps - not just the server upgrade installation.

...

Specific steps for Standalone Operators:

  1. Stop admin and master service.

  2. Upgrade your server to 20220725.22. For customers running on 20220531, we also back-ported the fix to patch release 20220531.38.

    1. How to update your CAS server: https://generalbytes.atlassian.net/l/cp/uDWwYSuQ

  3. Modify your server firewall settings. Ensure that your CAS admin interface, running on TCP ports 7777 or 443, is only accessible from IP addresses you trust, such as your office or your home.

    1. Firewall configuration guide: https://generalbytes.atlassian.net/l/cp/ikf0h0Ld

  4. Start admin service.

  5. Enter CAS interface and deactivate all your terminals to prevent any sales on machines. Alternatively, you can deactivate only two-way machines.

  6. Review all your CAS users, their permissions, and groups.

    1. Make sure only users that you trust have administration rights.

  7. Check that the attacker added no terminals. If you were breached, you might find BT123456.

  8. Activate the terminals.

  9. In case you were breached, review admin.log, where you might find a user called 'gb' listed. If so, please delete any such user. Also, check all CAS users' email addresses (in Persons). admin.log may also hold more details on the attacker's activity; search for activity around the message "Server activated."
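Step 3 above asks that the admin interface on TCP 7777 and 443 be reachable only from trusted addresses. The script below is an added example, not part of the General Bytes advisory or the CAS product: it prints an nftables ruleset that accepts those two ports only from a list of trusted IPv4 CIDRs and drops them from everywhere else, leaving other traffic untouched. It assumes the server uses nftables and that the admin interface listens on those two ports as stated in the advisory; the CIDRs used in the check are documentation ranges, constructed for the example. The ruleset is printed rather than applied so it can be reviewed before loading with `nft -f`.

```shell
#!/bin/sh
# Added example (not from the General Bytes advisory): emit an nftables ruleset
# that lets only the listed trusted networks reach the CAS admin ports 7777 and
# 443. Printed, not applied: review it, then load with `nft -f <file>`.
# Assumptions (not from the advisory): nftables is in use, the admin interface
# listens on TCP 7777 and 443, trusted networks are IPv4 CIDRs given as arguments.

cas_admin_ruleset() {
    # $@ = trusted source CIDRs; refuse to emit a ruleset with no allow-list
    [ "$#" -ge 1 ] || { echo "need at least one trusted CIDR" >&2; return 1; }
    set_elems=$(printf '%s, ' "$@")
    set_elems=${set_elems%, }
    cat <<EOF
table inet cas_admin {
    set trusted_admin {
        type ipv4_addr
        flags interval
        elements = { $set_elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iif lo accept
        # admin interface: allowed only from the trusted set, dropped otherwise
        tcp dport { 443, 7777 } ip saddr @trusted_admin accept
        tcp dport { 443, 7777 } drop
    }
}
EOF
}

# Sanity check used before loading: the generated ruleset must still contain
# the catch-all drop for the admin ports.
cas_ruleset_has_drop() {
    cas_admin_ruleset "$@" | grep -q 'tcp dport { 443, 7777 } drop'
}
```

Run as `cas_admin_ruleset 203.0.113.0/24 198.51.100.7/32 > cas_admin.nft` and inspect the file. The chain keeps `policy accept` and only targets the two admin ports, so terminal-facing traffic and SSH are not affected; the trailing `drop` is what enforces the restriction, which is why the helper checks for it.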

Steps for ALL Operators:

  1. Review all your CAS users, their permissions, and groups.

    1. Delete any unrecognized users.

    2. Check all CAS users' email addresses (in Persons).

  2. Reset all user passwords (except your own).

  3. Review your Crypto Settings.

    1. Make sure you run the Crypto Settings tests to verify that your crypto addresses and strategies are correct.

    2. The attacker might have changed your SELL Crypto Settings to receive coins from customers into his wallet.

  4. Check that the attacker added no terminals. If you were breached, you might find BT123456.

  5. Activate the terminals.

  6. In case you were breached, review admin.log, where you might find more details on the attacker's activity. Search for activity around the message "Server activated."
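The log review in step 6 (and step 9 of the standalone list) comes down to two searches: context around the "Server activated" marker and any mention of the 'gb' user. The script below is an added example, not the advisory's own tooling or any CAS component, that does that first pass. The only strings taken from the advisory are "Server activated", the user name gb, and the terminal name BT123456; the log lines in the demo file are constructed for the example, and the real admin.log layout may differ, so the functions deliberately depend on nothing but those marker strings.

```shell
#!/bin/sh
# Added example (not from the General Bytes advisory): first-pass triage of a
# CAS admin.log using the markers the advisory names. The demo log below is
# constructed; it is not real CAS output and its format is assumed.

# Print every "Server activated" hit with CONTEXT lines before and after,
# with line numbers so entries can be cross-checked in the full log.
cas_log_activation_context() {
    log=$1; context=${2:-5}
    grep -n -i -B "$context" -A "$context" 'Server activated' "$log"
}

# Count lines naming the user gb as a whole word. Case-sensitive on purpose so
# that the unit "GB" or other words containing "gb" do not trigger.
cas_log_count_gb_user() {
    grep -c -w 'gb' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Count "Server activated" events; more than expected is worth a closer look.
cas_log_count_activations() {
    grep -c -i 'Server activated' "$1" || true
}

# Write a constructed demo log and print its path (caller removes it).
cas_log_demo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2022-08-18 10:02:11 INFO  login user=admin ip=203.0.113.5
2022-08-18 10:15:40 INFO  Server activated.
2022-08-18 10:15:42 INFO  user created name=gb role=administrator
2022-08-18 10:16:03 INFO  terminal added serial=BT123456
2022-08-18 10:16:30 INFO  crypto settings changed strategy=SELL
2022-08-18 11:00:00 INFO  backup finished size=12 GB
EOF
    echo "$f"
}
```

Against a real server, run `cas_log_activation_context /path/to/admin.log 20` and read the window after each activation for user creations, terminal additions and Crypto Settings changes, which are exactly the items the checklist above asks you to review.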

What didn't happen

  1. The attacker didn't gain access to the host operating system.

  2. The attacker didn't gain access to the host file system.

  3. The attacker didn't gain access to the database.

  4. The attacker didn't gain access to any passwords, password hashes, salts, private keys or API keys.

...