Join our telegram channel to stay updated on latest developments and company announcements.

...

  1. Investigate your master.log and admin.log files and look for time gaps during which your server wasn’t logging anything. Typically you will only see one day of events. The attacker was deleting these logs to conceal his activity. This is a certain indicator of attack.

  2. Look for suspicious content in /batm/app/admin/standalone/deployments/
    root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/
    total 148352
    drwx------ 2 batm batm     4096 Mar 17 23:53 .
    drwx------ 8 batm batm     4096 Mar 10 12:49 ..
    -rw------- 1 batm batm 69125138 Mar 10 12:47 batm_server_admin.war
    -rw-r--r-- 1 batm batm       21 Mar 10 12:47 batm_server_admin.war.deployed
    -rw-r--r-- 1 batm batm     5818 Mar 17 23:53 hvqyhl.war
    -rw-r--r-- 1 batm batm       10 Mar 17 23:53 hvqyhl.war.deployed
    -rw------- 1 batm batm  1007502 Jul 15  2019 mysql-connector-java-5.1.47.jar
    -rw-r--r-- 1 batm batm       31 Jul 15  2019 mysql-connector-java-5.1.47.jar.deployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:30 nheyww.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:33 nsumys.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:38 qosxtf.war.undeployed
    -rw------- 1 batm batm     8888 Jul  2  2019 README.txt
    -rw------- 1 batm batm 81691033 Mar 10 12:49 server_admin_api.war
    -rw-r--r-- 1 batm batm       20 Mar 10 12:49 server_admin_api.war.deployed
    -rw-r--r-- 1 batm batm       10 Mar 17 23:07 txnotd.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:43 uabcxo.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:36 varwda.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:34 wgzooh.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:37 wljtmq.war.undeployed
    root@batmserver:/batm#

    Files marked in red in the original page (the randomly named .war archives and .war.undeployed markers created on Mar 17 in the listing above) were created by the attacker. Filenames on your server may differ.

  3. Please understand that even if you don’t have any of these files on your file system, it doesn’t mean that you were not hacked. An empty admin.log and master.log is the primary indicator.
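A check of the deployment folder that follows from steps 2 and 3, added here as an example (not a General Bytes tool or part of the original page): it prints every entry whose base name is not one of the legitimate artifacts visible in the listing above. The allowlist and the constructed sample directory are assumptions taken from that listing; as step 3 says, an empty result does not prove the server is clean.

```shell
#!/usr/bin/env bash
# Added example (not from the General Bytes advisory): list entries in the CAS
# admin deployment folder that cannot be attributed to a known CAS artifact.
# The allowlist is an ASSUMPTION taken from the clean entries in the listing
# above; extend it if your installation legitimately ships more archives.
set -u
# WildFly/JBoss marker files share the base name of the archive they describe,
# e.g. hvqyhl.war.undeployed -> hvqyhl.war, so compare on the base name.
KNOWN_ARTIFACTS="batm_server_admin.war server_admin_api.war mysql-connector-java-5.1.47.jar README.txt"

strip_marker() {            # strip_marker NAME -> base archive name
  local n="$1"
  n="${n%.deployed}"; n="${n%.undeployed}"; n="${n%.failed}"
  printf '%s\n' "$n"
}

is_known() {                # is_known BASE -> exit 0 if BASE is on the allowlist
  local k
  for k in $KNOWN_ARTIFACTS; do [ "$1" = "$k" ] && return 0; done
  return 1
}

# flag_unexpected DIR: print "UNEXPECTED <name>" for every entry (dotfiles
# included) whose base name is not a known artifact. Anything printed needs
# manual review; nothing printed does NOT prove the server is clean (step 3).
flag_unexpected() {
  local dir="$1" f name
  for f in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$f" ] || continue
    name="${f##*/}"
    is_known "$(strip_marker "$name")" || printf 'UNEXPECTED %s\n' "$name"
  done
}
# Constructed sample: empty files with the names from the listing in step 2.
make_sample_dir() {
  local d n
  d="$(mktemp -d)"
  for n in batm_server_admin.war batm_server_admin.war.deployed hvqyhl.war \
           hvqyhl.war.deployed mysql-connector-java-5.1.47.jar \
           mysql-connector-java-5.1.47.jar.deployed nheyww.war.undeployed \
           nsumys.war.undeployed qosxtf.war.undeployed README.txt \
           server_admin_api.war server_admin_api.war.deployed \
           txnotd.war.undeployed uabcxo.war.undeployed varwda.war.undeployed \
           wgzooh.war.undeployed wljtmq.war.undeployed; do
    : > "$d/$n"
  done
  printf '%s\n' "$d"
}
# With a directory argument, scan it; without one, only define the functions.
[ -z "${1:-}" ] || flag_unexpected "$1"
```

Run it as `./check_deployments.sh /batm/app/admin/standalone/deployments` on the server, or call `flag_unexpected "$(make_sample_dir)"` to see it flag the ten attacker-created entries from the listing.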

...

Taking these steps can help protect your system from any potential vulnerabilities and mitigate the risks of future attacks.

Moving data from old server

Warning

Be careful about what data you move to your new server from the old server!

You may have moved infected files planted by the attacker and you can be robbed again.
If you think that you may have transferred more than data, please start the installation of the server again from scratch, as you may have given the attacker access.

Prevent living in paranoia for the rest of your life about whether your server is trustworthy.
Hackers can stay in your system for years and hit you when you have a high balance.

Read carefully following steps:

  1. Use the batm-manage backup mechanism to create a backup archive (see Server Migration and batm-manage: the CAS CLI Toolkit).

  2. Transfer from the backup only the following files, as they don’t contain executable code:
    batm_server_db.sql.gz - contains the database.
    batm_server_data.tar.gz - contains data files.
    batm_server_config.tar.gz - contains configuration.
    SHA256SUMS - file containing hashes of the files above. Edit the file to remove the lines for files that you didn’t transfer.

  3. Use the batm-manage restore command.

  4. Make sure you reset user passwords including 2FA, verify terminals and perform the other steps defined in the “Steps for ALL Operators” section of this page.

What happened

  1. The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.

  2. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).

  3. Using this security vulnerability, the attacker uploaded his own application directly to the application server used by the admin interface. The application server was by default configured to start applications in its deployment folder.

...

123.204.4.202

172.104.237.25

172.104.237.25.247.165

212.58.102.201

Help Needed

As a part of the ongoing investigation we would like to ask you to fill out the following form: https://forms.gle/yPVjMnyvDxYg8jXS7

...

NOTE: Security review will require your physical presence at our Prague offices, as we insist on performing the security review with real physical machines.

Updates

Last update: 23.03.2023 12:42 Prague time

23.03.2023 12:42 Added section “Moving data from old server” and more attacker IP addresses.

22.03.2023 11:13 Added link to telegram channel. Added links to patch releases.

...