...

Description: The attacker was able to create an admin user remotely through the CAS administrative interface by calling the URL of the page that is used for the default installation on the server and for creating the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more information in the 'What happened' section.

2-way BATMs hosted on the GB Cloud have been deactivated as a security precaution.

  • Please verify/confirm your BUY and SELL Crypto Settings, then activate any affected (deactivated) Terminals.

...

  1. The attacker identified a security vulnerability in the CAS admin interface.

  2. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7777 or 443, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).

  3. Using this security vulnerability, the attacker created a new default admin user, organization, and terminal.

  4. The attacker accessed the CAS interface and renamed the default admin user to 'gb'.

  5. The attacker modified the crypto settings of a number of two-way machines and inserted his own wallet settings and addresses into the 'Invalid Payment Address' setting.

  6. Two-way BATMs started to forward coins to the attacker's wallet when customers sent invalid payments to BATMs.
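
A defender-side check for the changes described in steps 3 to 5, as an added example that is not General Bytes code: it compares a configuration snapshot against what the operator knows to be legitimate. The snapshot layout, field names and all sample values are hypothetical and constructed for illustration.

```python
SUSPECT_ADMIN_NAME = "gb"  # name the attacker gave the default admin user (step 4)

# Constructed sample snapshot. The layout and field names are hypothetical,
# not a CAS export format described on this page.
SNAPSHOT = {
    "admin_users": ["operator1", "gb"],
    "organizations": ["Acme Crypto", "Default Org"],
    "terminals": ["BT100001", "BT100002", "BT999999"],
    "crypto_settings": [
        {"name": "BTC sell", "two_way": True, "invalid_payment_address": "ADDR-OPERATOR-BTC"},
        {"name": "LTC sell", "two_way": True, "invalid_payment_address": " ADDR-UNKNOWN-1 "},
        {"name": "BTC buy only", "two_way": False, "invalid_payment_address": ""},
    ],
}

# What the operator knows to be legitimate (also constructed).
BASELINE = {
    "admin_users": {"operator1"},
    "organizations": {"Acme Crypto"},
    "terminals": {"BT100001", "BT100002"},
    "wallet_addresses": {"ADDR-OPERATOR-BTC"},
}


def audit(snapshot, baseline):
    """Return a sorted list of (category, item, reason) findings."""
    findings = set()
    # Step 3: a new admin user, organization and terminal appeared.
    for category in ("admin_users", "organizations", "terminals"):
        for item in snapshot.get(category, []):
            if item not in baseline[category]:
                findings.add((category, item, "not in operator baseline"))
    # Step 4: the default admin user was renamed to 'gb'.
    for user in snapshot.get("admin_users", []):
        if user.strip().lower() == SUSPECT_ADMIN_NAME:
            findings.add(("admin_users", user, "matches name used in the attack"))
    # Step 5: a foreign address in the 'Invalid Payment Address' setting.
    for setting in snapshot.get("crypto_settings", []):
        address = setting.get("invalid_payment_address", "").strip()
        if address and address not in baseline["wallet_addresses"]:
            scope = "two-way" if setting.get("two_way") else "one-way"
            findings.add(("crypto_settings", setting["name"],
                          f"{scope}: invalid payment address {address} not owned by operator"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SNAPSHOT, BASELINE):
        print(" | ".join(finding))
```
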

All affected Operators have been notified within hours of the breach via all possible routes.

Note: We’ve concluded multiple security audits since 2020, and none of them identified this vulnerability. The attack started on the 3rd day after we publicly announced the “Help Ukraine” feature on our BATMs.

Help Needed

As a part of the ongoing investigation, we would like to ask you to fill out the following form: https://forms.gle/JSDpQweHY4uAQdN5A

...