...

  1. Stop the admin and master services.

  2. Upgrade your server to 20220725.22. For customers running on 20220531, we also back-ported the fix to patch release 20220531.38.

    1. How to update your CAS server: https://generalbytes.atlassian.net/l/cp/uDWwYSuQ

  3. Modify your server firewall settings. Ensure that your CAS admin interface, running on TCP port 7777 or 443, is accessible only from IP addresses you trust, such as your office or your home.

    1. Firewall configuration guide: https://generalbytes.atlassian.net/l/cp/ikf0h0Ld

  4. Start the admin service.

  5. Enter the CAS interface and deactivate all your terminals to prevent any sales on the machines. Alternatively, you can deactivate only two-way machines.

  6. Review all your CAS users, their permissions, and groups.

    1. Make sure only users that you trust have administration rights.

  7. Verify that the attacker added no terminals. If you were breached, you might find BT123456. Delete any unrecognized terminals (not just BT123456).

  8. Activate the terminals.

  9. In case you were breached, review admin.log, where you might find more details on the attacker's activity. Search for activity around the message "Server activated."
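
For step 9, a short script can pull the lines around each "Server activated." entry in admin.log and list any line that mentions BT123456. This is an added example, not General Bytes code; the sample lines are constructed and the layout of a real admin.log may differ, so lines are matched as plain text only.

```python
import sys

MARKER = "Server activated."   # message named in step 9
SUSPECT_TERMINAL = "BT123456"  # terminal ID named in step 7

# Constructed sample lines; the layout of a real admin.log may differ.
SAMPLE = """\
t01 INFO user 'operator' logged in
t02 INFO terminal list viewed
t03 INFO settings page opened
t04 INFO Server activated.
t05 INFO terminal BT123456 created
t06 INFO user 'operator' logged out
""".splitlines()


def triage(lines, context=3):
    """Return (windows, hits); lines are matched as plain text.

    windows: (first, last, lines) around each MARKER hit, overlaps merged.
    hits: 1-based numbers of lines mentioning SUSPECT_TERMINAL.
    """
    lines = [line.rstrip("\n") for line in lines]
    spans = []
    for i, line in enumerate(lines):
        if MARKER in line:
            lo, hi = max(0, i - context), min(len(lines) - 1, i + context)
            if spans and lo <= spans[-1][1] + 1:
                spans[-1][1] = hi  # extend the previous window
            else:
                spans.append([lo, hi])
    windows = [(lo + 1, hi + 1, lines[lo:hi + 1]) for lo, hi in spans]
    hits = [n for n, line in enumerate(lines, 1) if SUSPECT_TERMINAL in line]
    return windows, hits


def report(lines, context=3):
    windows, hits = triage(lines, context)
    out = []
    for first, last, chunk in windows:
        out.append(f"--- lines {first}-{last} ---")
        out += [f"{first + k:>6}  {text}" for k, text in enumerate(chunk)]
    out.append(f"lines mentioning {SUSPECT_TERMINAL}: {hits or 'none'}")
    return "\n".join(out)


if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(report(src))
```

Run it with the path to your admin.log as the first argument; with no argument it processes the constructed sample.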

...