Security Incident August 18th 2022

Description

Severity: Highest

Description: The attacker was able to remotely create an admin user through the CAS administrative interface by calling the URL of the page that is used during the default installation of the server to create the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more in the 'What happened' section.

2-way BATMs hosted on the GB Cloud have been deactivated as a security precaution.

  • Please verify/confirm your BUY and SELL Crypto Settings, then

  • activate any affected (deactivated) Terminals.

DO NOT continue to operate your GB ATM server unless you have implemented the solution described below!


Solution

The CAS security fix is provided in two server patch releases: 20220531.38 and 20220725.22.

Please make sure you implement all the other steps below, not just the server upgrade.

Specific steps for Standalone Operators:

  1. Stop the admin and master services.

  2. Upgrade your server to 20220725.22. For customers running on 20220531, we also back-ported the fix to patch release 20220531.38.

    1. How to update your CAS server: https://generalbytes.atlassian.net/l/cp/uDWwYSuQ

  3. Modify your server firewall settings so that the CAS admin interface, which listens on TCP port 7777 or 443, is reachable only from IP addresses you trust, such as your office or home.

    1. Firewall configuration guide: https://generalbytes.atlassian.net/l/cp/ikf0h0Ld

  4. Start the admin service.

  5. Open the CAS interface and deactivate all your terminals to prevent any sales on the machines. Alternatively, deactivate only the two-way machines.

  6. Review all your CAS users, their permissions, and groups.

    1. Make sure only users that you trust have administration rights.

  7. Check that the attacker did not add any terminals. If you were breached, you might find a terminal named BT123456. Delete any unrecognized terminals (not just BT123456).

  8. Activate the terminals.

  9. If you were breached, review admin.log, which may contain more details of the attacker's activity. Search for activity around the message "Server activated."
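An added example of the firewall change in step 3, not General Bytes' own tooling: an iptables allowlist that restricts the CAS admin ports (TCP 7777 and 443) to trusted source addresses. The addresses in TRUSTED are RFC 5737 documentation ranges used as placeholders, the chain name CAS_ADMIN is an arbitrary choice, and with DRY_RUN=1 (the default) the script prints the rules instead of applying them so you can review them first.

```shell
#!/bin/sh
# Added example (not General Bytes' code): restrict the CAS admin interface
# (TCP 7777 and 443) to an allowlist of trusted source addresses with iptables.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (run as root).
# TRUSTED holds placeholder documentation addresses; replace with your own.

TRUSTED="${TRUSTED:-203.0.113.10 198.51.100.0/24}"   # office IP, home range (placeholders)
ADMIN_PORTS="${ADMIN_PORTS:-7777,443}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Build a dedicated chain so the allowlist can be rebuilt without touching the
# rest of INPUT. Order matters: ACCEPT each trusted source first, then DROP
# everything else. The jump is inserted at position 1 of INPUT so it takes
# precedence over any broader ACCEPT rule that may already exist.
cas_admin_rules() {
  run iptables -N CAS_ADMIN 2>/dev/null || true   # no-op if the chain already exists
  run iptables -F CAS_ADMIN                       # start from an empty chain
  for src in $TRUSTED; do
    run iptables -A CAS_ADMIN -s "$src" -j ACCEPT
  done
  run iptables -A CAS_ADMIN -j DROP
  # Remove a previous jump (if any) so re-running the script adds no duplicates.
  run iptables -D INPUT -p tcp -m multiport --dports "$ADMIN_PORTS" \
      -m conntrack --ctstate NEW -j CAS_ADMIN 2>/dev/null || true
  run iptables -I INPUT 1 -p tcp -m multiport --dports "$ADMIN_PORTS" \
      -m conntrack --ctstate NEW -j CAS_ADMIN
}

cas_admin_rules
```

Before applying it for real, confirm that nothing other than your administrators (for example terminals or customers) reaches this server on port 443; the allowlist blocks every other source on the listed ports. iptables rules do not survive a reboot on their own, so persist them with your distribution's mechanism (for example iptables-persistent), repeat the rules with ip6tables if the host has an IPv6 address, and verify from an address outside the allowlist that the admin port no longer answers. If your server runs on DigitalOcean, the same allowlist can also be enforced with a Cloud Firewall in front of the droplet.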

Steps for ALL Operators:

  1. Review all your CAS users, their permissions, and groups.

    1. Delete any unrecognized users.

    2. Check all CAS users' email addresses (in Persons).

  2. Reset all user passwords (except your own).

  3. Review your Crypto Settings.

    1. Make sure you run the Crypto Settings tests to verify that your crypto addresses and strategies are correct.

    2. The attacker might have changed your SELL Crypto Settings so that coins sent by customers go to the attacker's wallet.

  4. DELETE any unrecognized or unpaired Terminals.

  5. Activate VERIFIED terminals.

What didn't happen

  1. The attacker didn't gain access to the host operating system.

  2. The attacker didn't gain access to the host file system.

  3. The attacker didn't gain access to the database.

  4. The attacker didn't gain access to any passwords, password hashes, salts, private keys or API keys.

What happened

  1. The attacker identified a security vulnerability in the CAS admin interface.

  2. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7777 or 443, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).

  3. Using this security vulnerability, the attacker created a new default admin user, organization, and terminal.

  4. The attacker accessed the CAS interface and renamed the default admin user to 'gb'.

  5. The attacker modified the crypto settings of a number of two-way machines and inserted his own wallet addresses into the 'Invalid Payment Address' setting.

  6. Two-way BATMs started to forward coins to the attacker's wallet when customers sent invalid payments to BATMs.
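An added example of the admin.log review in step 9 of the standalone steps, not General Bytes' tooling: it prints the context around each "Server activated." message and lists every line matching the indicators named in this advisory (a default admin user being created, a user renamed to 'gb', the terminal BT123456, and changes to the 'Invalid Payment Address' setting). The line format of the embedded sample log and the exact wording in the patterns are assumptions; compare them with your real admin.log and adjust before relying on the output.

```shell
#!/bin/sh
# Added example (not General Bytes' code): triage a CAS admin.log for the
# indicators described in this advisory. Set CAS_ADMIN_LOG to your real log;
# without it the script runs on a constructed sample so it works offline.
# ASSUMPTION: the patterns below and the sample lines use a made-up line
# format; adjust them to the wording your server actually logs.

IOC_REGEX="Server activated|admin user|'gb'|BT123456|Invalid Payment Address"

# Number of log lines matching any indicator (prints 0 when none match).
ioc_count() {
  grep -c -E "$IOC_REGEX" "$1" || true
}

# Number of "Server activated" messages; activity around these is what the
# advisory says to inspect, since the install page was used to create the user.
activation_count() {
  grep -c 'Server activated' "$1" || true
}

# Show 5 lines before and 30 lines after each activation, then all indicator
# hits with their line numbers so they can be correlated by time.
cas_log_triage() {
  log="$1"
  echo "== context around 'Server activated' =="
  grep -n -B 5 -A 30 'Server activated' "$log" || echo "(none)"
  echo "== indicator hits =="
  grep -n -E "$IOC_REGEX" "$log" || echo "(none)"
}

# Constructed sample log (not a real admin.log) mirroring the attack sequence
# in the 'What happened' section.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2022-08-18 02:11:04 INFO Server activated.
2022-08-18 02:11:05 INFO Default admin user created
2022-08-18 02:11:06 INFO Organization created
2022-08-18 02:11:06 INFO Terminal BT123456 added
2022-08-18 02:13:40 INFO User 'admin' renamed to 'gb'
2022-08-18 02:20:12 INFO Crypto settings updated: Invalid Payment Address = <attacker-wallet>
2022-08-18 09:00:00 INFO Scheduled task finished
EOF

cas_log_triage "${CAS_ADMIN_LOG:-$SAMPLE_LOG}"
```

Run it as `CAS_ADMIN_LOG=/path/to/admin.log sh triage.sh` on the server. A "Server activated." entry with a timestamp long after you installed the server, followed within minutes by user, organization or terminal creation you did not perform, is the pattern described above; any terminal or user found this way should be deleted per the steps in the Solution section.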


All affected Operators were notified within hours of the breach via all possible routes.

Note: We’ve concluded multiple security audits since 2020, and none of them identified this vulnerability. The attack started on the 3rd day after we publicly announced the “Help Ukraine” feature on our BATMs.

Help Needed

As a part of the ongoing investigation we would like to ask you to fill out the following form: https://forms.gle/JSDpQweHY4uAQdN5A


Updates

Last update 22.8.2022 16:00 Prague time.

19.8.2022 12:33 - Updated help needed section.

22.8.2022 15:00 - Incident was reported to Czech Police. Total damage caused to ATM operators based on their feedback is 16 000 USD.

Sept 2, 2022: We received a report from a BATM operator who claims he lost coins from his BUY wallet. We believe that this Operator upgraded his server to the patched version but forgot to delete the unpaired Terminal that the attacker created while he had access to the server. Please (again) review all users listed in your CAS and revoke access for any you are unsure of. Also DELETE ALL unpaired terminals, so the attacker cannot connect his own terminal to your server, and delete any terminals on your server that are paired but are not yours.