Security Incident March 17-18th 2023

Join our telegram channel to stay updated on latest developments and company announcements.

Description

Severity: Highest

Description: The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using batm user privileges.

This resulted in:

  • Ability to access the database.

  • Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.

  • Send funds from hot wallets.

  • Download user names, their password hashes and turn off 2FA.

  • Ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM. Older versions of ATM software were logging this information.

GENERAL BYTES Cloud service was breached as well as other operator’s standalone servers.

DO NOT continue to operate your GB ATM server (CAS) unless you have implemented the solution described below!


How to find out if your server was breached

  1. Investigate your master.log and admin.log files and look for time gaps that your server wasn’t logging anything. Typically you will only see one day of events. The attacker was deleting these logs to conceal his activity. This is a certain indicator of attack.

  2. Look for suspicious content in /batm/app/admin/standalone/deployments/
    root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/ total 148352 drwx------ 2 batm batm 4096 Mar 17 23:53 . drwx------ 8 batm batm 4096 Mar 10 12:49 .. -rw------- 1 batm batm 69125138 Mar 10 12:47 batm_server_admin.war -rw-r--r-- 1 batm batm 21 Mar 10 12:47 batm_server_admin.war.deployed -rw-r--r-- 1 batm batm 5818 Mar 17 23:53 hvqyhl.war -rw-r--r-- 1 batm batm 10 Mar 17 23:53 hvqyhl.war.deployed -rw------- 1 batm batm 1007502 Jul 15 2019 mysql-connector-java-5.1.47.jar -rw-r--r-- 1 batm batm 31 Jul 15 2019 mysql-connector-java-5.1.47.jar.deployed -rw-r--r-- 1 batm batm 10 Mar 17 22:30 nheyww.war.undeployed -rw-r--r-- 1 batm batm 10 Mar 17 22:33 nsumys.war.undeployed -rw-r--r-- 1 batm batm 10 Mar 17 22:38 qosxtf.war.undeployed -rw------- 1 batm batm 8888 Jul 2 2019 README.txt -rw------- 1 batm batm 81691033 Mar 10 12:49 server_admin_api.war -rw-r--r-- 1 batm batm 20 Mar 10 12:49 server_admin_api.war.deployed -rw-r--r-- 1 batm batm 10 Mar 17 23:07 txnotd.war.undeployed -rw-r--r-- 1 batm batm 10 Mar 17 22:43 uabcxo.war.undeployed -rw-r--r-- 1 batm batm 10 Mar 17 22:36 varwda.war.undeployed -rw-r--r-- 1 batm batm 10 Mar 17 22:34 wgzooh.war.undeployed -rw-r--r-- 1 batm batm 10 Mar 17 22:37 wljtmq.war.undeployed root@batmserver:/batm#

    Files marked in red were created by attacker. Filenames on your server may differ.

  3. Please understand that even if you don’t have any of these files on file system it doesn’t mean that you were not hacked. An empty admin.log and master.log is the primary indicator.

I believe I wasn’t breached

You should apply the solution anyway!

Read “Solution” below.

  • Consider all your 1) user’s CAS passwords, and 2) API keys to exchanges and hot wallets to have been compromised and leaked.

  • Regenerate new API keys and invalidate old ones.

  • Change all user passwords.

Solution

GENERAL BYTES is shuttering it’s Cloud service.

It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors. You’ll need to install your own Standalone server. GB support will provide you with help you to migrate your data from the GB Cloud to your own Standalone server.

Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With VPN/Firewall attackers from open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system.

Additionally consider your all user’s passwords, and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & password.

The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44.

Please ensure you implement all other steps - not just the server upgrade installation.

Specific steps for Standalone Operators:

  1. Stop the admin and master service and wait until the patch release is available.

  2. If your BATM server was breached, reinstall it, including the operating system, to ensure that there is no code left by the attacker on your server. https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/928710726

  3. Upgrade your server to the latest version, which is 20230120.45. If you are currently running version 20221118, you can also apply the fix by upgrading to patch release 20221118.49. Do not start the server until after the upgrade is complete. https://generalbytes.atlassian.net/l/cp/uDWwYSuQ
    It is HIGHLY recommended that you install always the latest patch available. As they contain the latest security fixes and important improvements. See this document to find the patch versions we recommend operating: https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2734850053

  4. Update your CAS server by modifying your server firewall settings to ensure that your CAS admin interface running on TCP ports 7777 or 443 is only accessible from IP addresses you trust, such as your office or home. Refer to the firewall configuration guide for assistance.

  5. Move your terminals and server behind a VPN and make sure the master service interface (port 7741) is accessible only by terminals behind the VPN.

  6. Deactivate all your terminals in the CAS interface to prevent any sales on machines. Alternatively, you can deactivate only two-way machines.

  7. Review all your CAS users, their permissions, and groups, and make sure that only users you trust have administration rights.

  8. Check whether the attacker added any terminals and remove them if necessary.

  9. Activate the terminals.

  10. If you were breached, review the admin.log file to find more details on the attacker's activity.

Steps for ALL Operators:

  1. Review all your CAS users, their permissions, and groups, and delete any unrecognized users.

  2. Check all CAS users' email addresses (in Persons) and reset all user passwords (except your own) as a precautionary measure.

  3. Review your Crypto Settings and run the Crypto Settings tests to verify that your crypto addresses and strategies are correct. The attacker may have changed your SELL Crypto Settings to receive coins from customers into his wallet, so it's important to double-check and make sure everything is as it should be.

  4. Delete any unrecognized or unpaired terminals.

  5. Activate only the verified terminals.

  6. Set up a VPN connection to the terminals to ensure secure communication.

Taking these steps can help protect your system from any potential vulnerabilities and mitigate the risks of future attacks.

 

Moving data from old server

  1. Use batm-manage backup mechanism to create backup archive.

  2. Transfer from backup only following files as they don’t contain executable code:
    batm_server_db.sql.gz - contains database.
    batm_server_data.tar.gz - contains data files.
    batm_server_config.tar.gz - contains configuration.
    SHA256SUMS - file containing hashes of files above. Edit file to remove line with files that you didn’t transfer.

  3. Use batm-manage restore command

  4. Make sure you reset user passwords incl 2FA, verify terminals and perform other steps defined in “Steps for ALL Operators” section of this page.

What happened

  1. The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to server.

  2. The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).

  3. Using this security vulnerability, attacker uploaded his own application directly to application server used by admin interface. Application server was by default configured to start applications in its deployment folder.

Note: We’ve concluded multiple security audits since 2021, and none of them identified this vulnerability.

We will continuously update this page as information arises.

 

Crypto addresses used in the attack

ADA = 0x7A0E7D41658F409C11288E0a2988406f2186A474
AQUA = 0x7A0E7D41658F409C11288E0a2988406f2186A474
ANT = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
BAT = 0x3d1451bF188511ea3e1CFdf45288fD53B16FE17E
BCH = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
BTBS = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
BTC = bc1qfa8pryacrjuzp9287zc2ufz5n0hdthff0av440 and bc1qt3lwcrtmtudw8j5nfzs6l0yhm80a4qz3z9qt7n
BTX = 0x7A0E7D41658F409C11288E0a2988406f2186A474
BUSD = 0x7A0E7D41658F409C11288E0a2988406f2186A474
DAI = 0x7A0E7D41658F409C11288E0a2988406f2186A474
BIZZ = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
DASH = Xi4GstuqKFTRo3WB6gFpPnB6jiWtLSHJDj
DGB = dgb1qgea3hzw62zl6req06k708swtv5xc53sdp85jzn
DOGE = DN1bKoV7BbuYBeysnYNT8EFj8BGTSeyLCc
ETC = 0x8A9344be2BA8DeAA2862EAb0Aab20C7cC36c432a
ETH = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
EGLD = erd1w7n54rlzrxe6jl8xpmh0de4g9jhc028zeppsjdme9g45gsnhw53s4vhgsg
EURS = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
FTO = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
GRS = grs1qhckdwm8dqt8pfdu2d6e649qs5jrqn6sslzlyhw
GQ = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
HATCH = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
HT = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
JOB = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
LMY = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
LTC = ltc1qvd5usunrpgsynyeey9n46xucy7emk62ycljl0t
MKR = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
NANO = nano_1rrqx4esqbfuci7whzkzms7u4kib8ojcnkaokceh9fbr79sa4a36pmqgnxd4
NXT = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
PAXG = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
REP = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
SHIB = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
TRX = TDjFvfcysNGaxnX7pzpvC6xfSmCC5u8qgr
USDS = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
USDC = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
USDT = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
USDTTRON = TDjFvfcysNGaxnX7pzpvC6xfSmCC5u8qgr
VIA = via1quynq6wweqz0pk9wygv82qg83tk5zu47yqweht5
XRP = rDkoXVLChaDvc8SHFoTNZEDzcbtFNwF977
ZPAE = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
XMR = 426FQDKF9rbHZLbNgisRKU2m2CVfnoNpFL7ZsAoDQBHP1eRDUKaj64zDtnFychJqSg1W6eskoFqdkG4gX8BSvWvkQr8oxVc

 

IP addresses used by attacker

123.204.4.202

172.104.237.25

172.104.247.165

212.58.102.201

 

Help Needed

As a part of the ongoing investigation we would like to ask you to fill out the following form:

For media

You can contact us at generalbytes@generalbytes.com

 

For security companies and experts

Despite the fact that we made multiple security audits since 2021, this vulnerability was present and undiscovered in our product since version 20210401.

We would like to conduct in short period of time multiple independent security audits of our product as we see now importance of having multiple audits by multiple companies.

If you think your company can help us to make our product safer please contact us at security@generalbytes.com

NOTE: Security review will require your physical presence at our Prague offices as we insist on preforming security review with real physical machines.

Updates

Last update: 28.03.2023 12:50 Prague time

28.03.2023 12:50 Added address attacker’s address bc1qt3lwcrtmtudw8j5nfzs6l0yhm80a4qz3z9qt7n that has been used to take coins from a paper wallet scanned accidentally on ATMs and that ATM logged in server server’s database.

23.03.2023 12:42 Added section Moving data from old server and more attacker’s ip addresses.

22.03.2023 11:13 Added link on telegram channel. Added links to patch releases.

19.03.2023 10:04 Added link to documentation on how to install CAS server from scratch. And call for more security audits.

18.03.2023 14:49 Patch releases provided.

18.03.2023 13:21 Prague time. - Initial publication

 

 

 

Copyright © 2020-2024 General Bytes USA LLC