Description: The attacker was able to remotely upload his own Java application via the master service interface used by terminals to upload videos, and to run it with the privileges of the batm user.
This resulted in:
Ability to access the database.
Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.
Ability to send funds from hot wallets.
Ability to download user names and their password hashes, and to turn off 2FA.
Ability to access terminal event logs and scan for any instance where customers scanned a private key at the ATM. Older versions of the ATM software were logging this information.
The GENERAL BYTES Cloud service was breached, as well as other operators' standalone servers.
DO NOT continue to operate your GB ATM server (CAS) unless you have implemented the solution described below!
How to find out if your server was breached
Investigate your master.log and admin.log files and look for time gaps during which your server wasn't logging anything. Typically you will see only one day of events. The attacker was deleting these logs to conceal his activity. This is a certain indicator of attack.
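The log check described above, as an added example (not a GENERAL BYTES tool): it reads the timestamped lines of a master.log or admin.log, lists the calendar days that have entries, reports any multi-day gap inside the covered period, and flags a log that covers far fewer days than the server normally retains. The timestamp format ('YYYY-MM-DD HH:MM:SS'), the retention threshold and the sample log lines are all assumptions made for this example; adjust TIMESTAMP_RE to the format your server actually writes.

```python
"""Spot silent periods in CAS master.log / admin.log.

Added example, not a GENERAL BYTES tool. Assumption: every log line starts
with a timestamp of the form 'YYYY-MM-DD HH:MM:SS'; adjust TIMESTAMP_RE if
your log format differs. The sample lines below are constructed.
"""
import re
from datetime import date

TIMESTAMP_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2}")

# Constructed sample: three normal days, then nothing until a single late
# entry two weeks later. On a breached server the missing days are where
# the attacker deleted the log.
SAMPLE_MASTER_LOG = """\
2023-03-01 08:00:12 INFO terminal TERMINAL-A connected
2023-03-02 09:15:40 INFO terminal TERMINAL-A heartbeat
2023-03-03 10:02:01 INFO terminal TERMINAL-B connected
2023-03-17 23:53:10 INFO terminal TERMINAL-A heartbeat
""".splitlines()


def extract_days(lines):
    """Sorted list of calendar days that have at least one timestamped line."""
    days = set()
    for line in lines:
        m = TIMESTAMP_RE.match(line)
        if m:
            days.add(date(int(m.group(1)), int(m.group(2)), int(m.group(3))))
    return sorted(days)


def find_gaps(days, max_silent_days=1):
    """(last day before gap, first day after gap, missing days) for each
    stretch of more than max_silent_days consecutive days without entries."""
    gaps = []
    for prev, nxt in zip(days, days[1:]):
        missing = (nxt - prev).days - 1
        if missing > max_silent_days:
            gaps.append((prev, nxt, missing))
    return gaps


def assess_log(lines, expected_retention_days=7):
    """Summarise the two indicators the advisory names: a log that covers
    far fewer days than it should, and gaps inside the covered period.
    expected_retention_days is an assumption; set it to how many days of
    history your server normally keeps."""
    days = extract_days(lines)
    gaps = find_gaps(days)
    return {
        "days_with_entries": len(days),
        "first_day": days[0].isoformat() if days else None,
        "last_day": days[-1].isoformat() if days else None,
        "gaps": [(a.isoformat(), b.isoformat(), n) for a, b, n in gaps],
        "suspicious": not days or len(days) < expected_retention_days or bool(gaps),
    }


if __name__ == "__main__":
    # Replace SAMPLE_MASTER_LOG with open("/path/to/master.log").read().splitlines()
    report = assess_log(SAMPLE_MASTER_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against both master.log and admin.log; a healthy server shows an unbroken run of days back to its retention limit, while the constructed sample above reports a 13-day gap and is flagged as suspicious. Treat "suspicious" as a reason to investigate, not as proof on its own, since a freshly installed server also has little history.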
Look for suspicious content in /batm/app/admin/standalone/deployments/:
root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/
drwx------ 2 batm batm 4096 Mar 17 23:53 .
drwx------ 8 batm batm 4096 Mar 10 12:49 ..
-rw------- 1 batm batm 69125138 Mar 10 12:47 batm_server_admin.war
-rw-r--r-- 1 batm batm 21 Mar 10 12:47 batm_server_admin.war.deployed
-rw-r--r-- 1 batm batm 5818 Mar 17 23:53 hvqyhl.war
-rw-r--r-- 1 batm batm 10 Mar 17 23:53 hvqyhl.war.deployed
-rw------- 1 batm batm 1007502 Jul 15 2019 mysql-connector-java-5.1.47.jar
-rw-r--r-- 1 batm batm 31 Jul 15 2019 mysql-connector-java-5.1.47.jar.deployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:30 nheyww.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:33 nsumys.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:38 qosxtf.war.undeployed
-rw------- 1 batm batm 8888 Jul 2 2019 README.txt
-rw------- 1 batm batm 81691033 Mar 10 12:49 server_admin_api.war
-rw-r--r-- 1 batm batm 20 Mar 10 12:49 server_admin_api.war.deployed
-rw-r--r-- 1 batm batm 10 Mar 17 23:07 txnotd.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:43 uabcxo.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:36 varwda.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:34 wgzooh.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:37 wljtmq.war.undeployed
Files marked in red in the original listing were created by the attacker; on this example server they are the randomly named entries (hvqyhl.war, hvqyhl.war.deployed and the *.war.undeployed markers dated Mar 17). Filenames on your server may differ.
Please understand that even if you don't have any of these files on your file system, it doesn't mean that you were not hacked. An empty admin.log and master.log is the primary indicator.
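The deployments-directory check above, as an added example (not a GENERAL BYTES tool): it parses `ls -la` output, strips the deployment scanner's marker suffixes (.deployed, .undeployed and friends) to recover the artifact name, and reports every artifact that is not on an allowlist of what CAS itself ships. The allowlist below is an assumption taken from this advisory's listing; compare it with the README.txt in that directory for your release. The input used here is the listing from this advisory; on a real server, feed it the output of `ls -la` on the deployments directory.

```python
"""Audit the CAS application server's deployments directory.

Added example, not a GENERAL BYTES tool. Assumption: EXPECTED_ARTIFACTS is
the set of files CAS itself ships in /batm/app/admin/standalone/deployments/
(as in this advisory's listing); check the README.txt in that directory and
adjust for your release. SAMPLE_LISTING is the advisory's own listing.
"""
import fnmatch

EXPECTED_ARTIFACTS = (
    "batm_server_admin.war",
    "server_admin_api.war",
    "mysql-connector-java-*.jar",
    "README.txt",
)
# Marker files the deployment scanner writes beside an artifact.
MARKER_SUFFIXES = (".deployed", ".undeployed", ".dodeploy", ".failed",
                   ".isdeploying", ".isundeploying", ".pending", ".skipdeploy")

SAMPLE_LISTING = """\
root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/
drwx------ 2 batm batm 4096 Mar 17 23:53 .
drwx------ 8 batm batm 4096 Mar 10 12:49 ..
-rw------- 1 batm batm 69125138 Mar 10 12:47 batm_server_admin.war
-rw-r--r-- 1 batm batm 21 Mar 10 12:47 batm_server_admin.war.deployed
-rw-r--r-- 1 batm batm 5818 Mar 17 23:53 hvqyhl.war
-rw-r--r-- 1 batm batm 10 Mar 17 23:53 hvqyhl.war.deployed
-rw------- 1 batm batm 1007502 Jul 15 2019 mysql-connector-java-5.1.47.jar
-rw-r--r-- 1 batm batm 31 Jul 15 2019 mysql-connector-java-5.1.47.jar.deployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:30 nheyww.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:33 nsumys.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:38 qosxtf.war.undeployed
-rw------- 1 batm batm 8888 Jul 2 2019 README.txt
-rw------- 1 batm batm 81691033 Mar 10 12:49 server_admin_api.war
-rw-r--r-- 1 batm batm 20 Mar 10 12:49 server_admin_api.war.deployed
-rw-r--r-- 1 batm batm 10 Mar 17 23:07 txnotd.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:43 uabcxo.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:36 varwda.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:34 wgzooh.war.undeployed
-rw-r--r-- 1 batm batm 10 Mar 17 22:37 wljtmq.war.undeployed
"""


def parse_ls(listing):
    """File names from 'ls -la' output; skips '.', '..', the prompt and 'total' lines."""
    names = []
    for line in listing.splitlines():
        parts = line.split(None, 8)  # perms links owner group size month day time name
        if len(parts) < 9 or not parts[0].startswith(("-", "d", "l")):
            continue
        if parts[8] not in (".", ".."):
            names.append(parts[8])
    return names


def split_marker(name):
    """('artifact', '.suffix') for a marker file, ('artifact', None) otherwise."""
    for suffix in MARKER_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)], suffix
    return name, None


def is_expected(artifact):
    return any(fnmatch.fnmatch(artifact, pattern) for pattern in EXPECTED_ARTIFACTS)


def audit_deployments(listing):
    """Unexpected artifacts/markers, plus markers for expected artifacts whose file is gone."""
    names = parse_ls(listing)
    present = set(names)
    unexpected, orphan_markers = [], []
    for name in names:
        artifact, suffix = split_marker(name)
        if not is_expected(artifact):
            unexpected.append(name)
        elif suffix is not None and artifact not in present:
            orphan_markers.append(name)
    return {"unexpected": sorted(unexpected), "orphan_markers": sorted(orphan_markers)}


if __name__ == "__main__":
    # On a real server: audit_deployments(subprocess.run(["ls", "-la", DIR], ...).stdout)
    for kind, entries in audit_deployments(SAMPLE_LISTING).items():
        print(kind, entries or "none")
```

Against the advisory's listing this reports the ten randomly named entries and nothing else; a clean directory reports an empty list. An .undeployed marker without its .war means the artifact was deployed and then removed, which is exactly the trace the advisory shows, so keep those markers for the investigation rather than deleting them.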
I believe I wasn’t breached
You should apply the solution anyway!
Read “Solution” below.
Consider all your 1) users' CAS passwords and 2) API keys to exchanges and hot wallets to have been compromised and leaked.
Regenerate new API keys and invalidate old ones.
Change all user passwords.
GENERAL BYTES is shuttering its Cloud service.
It is theoretically (and practically) impossible to secure a system that grants access to multiple operators at the same time when some of them are bad actors. You'll need to install your own Standalone server. GB support will help you migrate your data from the GB Cloud to your own Standalone server.
Please keep your CAS behind a firewall and VPN. Terminals should also connect to the CAS via VPN. With a VPN/firewall in place, attackers from the open internet cannot reach your server to exploit it. If your server was breached, please reinstall the whole server, including the operating system.
Additionally, consider all your users' passwords and your API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys and passwords.
The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44.
Please ensure you implement all other steps - not just the server upgrade installation.
Specific steps for Standalone Operators:
Stop the admin and master services and wait until the patch release is available.
Upgrade your server to the latest version, which is 20230120.45. If you are currently running version 20221118, you can also apply the fix by upgrading to patch release 20221118.49. Do not start the server until after the upgrade is complete. https://generalbytes.atlassian.net/l/cp/uDWwYSuQ It is HIGHLY recommended that you always install the latest patch available, as patches contain the latest security fixes and important improvements. See this document to find the patch versions we recommend operating: https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2734850053
Update your CAS server firewall settings to ensure that your CAS admin interface, running on TCP ports 7777 or 443, is only accessible from IP addresses you trust, such as your office or home. Refer to the firewall configuration guide for assistance. https://generalbytes.atlassian.net/l/cp/ikf0h0Ld
Deactivate all your terminals in the CAS interface to prevent any sales on machines. Alternatively, you can deactivate only two-way machines.
Review all your CAS users, their permissions, and groups, and make sure that only users you trust have administration rights.
Check whether the attacker added any terminals and remove them if necessary.
Activate the terminals.
If you were breached, review the admin.log file to find more details on the attacker's activity.
Steps for ALL Operators:
Review all your CAS users, their permissions, and groups, and delete any unrecognized users.
Check all CAS users' email addresses (in Persons) and reset all user passwords (except your own) as a precautionary measure.
Review your Crypto Settings and run the Crypto Settings tests to verify that your crypto addresses and strategies are correct. The attacker may have changed your SELL Crypto Settings to receive coins from customers into his wallet, so it's important to double-check and make sure everything is as it should be.
Delete any unrecognized or unpaired terminals.
Activate only the verified terminals.
Set up a VPN connection to the terminals to ensure secure communication.
Taking these steps can help protect your system from any potential vulnerabilities and mitigate the risks of future attacks.
Moving data from old server
Be careful about what data you move to your new server from the old server!
You may otherwise move infected files planted by the attacker and be robbed again. If you think that more than just data may have been transferred, please start the server installation again from scratch, as you may have given the attacker access.
Avoid living in paranoia for the rest of your life about whether your server is trustworthy. Hackers can stay in your system for years and hit you when you have a high balance.
Transfer from backup only the following files, as they don't contain executable code:
batm_server_db.sql.gz - contains the database.
batm_server_data.tar.gz - contains data files.
batm_server_config.tar.gz - contains configuration.
SHA256SUMS - file containing hashes of the files above. Edit the file to remove the lines for files that you didn't transfer.
Use the batm-manage restore command.
Make sure you reset user passwords, including 2FA, verify terminals and perform the other steps defined in the "Steps for ALL Operators" section of this page.
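A pre-restore check for the file set above, as an added example (not a GENERAL BYTES tool and not part of batm-manage): it parses SHA256SUMS in the sha256sum line format, refuses any entry that is not one of the three non-executable archives, reports entries for files you did not transfer (the lines the advisory tells you to remove), and verifies the digests of the files you did transfer. The line format and the allowlist are assumptions taken from this section; file contents are passed as bytes so the check can be exercised offline with constructed data.

```python
"""Check a backup restore set against SHA256SUMS before 'batm-manage restore'.

Added example, not a GENERAL BYTES tool. Assumptions: SHA256SUMS uses the
sha256sum line format '<hex digest>  <file name>' (or ' *<file name>' for
binary mode), and only the three non-executable archives named in the
advisory may be restored. Contents are given as bytes so this runs offline.
"""
import hashlib

ALLOWED_RESTORE_FILES = frozenset({
    "batm_server_db.sql.gz",
    "batm_server_data.tar.gz",
    "batm_server_config.tar.gz",
})


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text):
    """{file name: lowercase hex digest} from sha256sum output; blank lines ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rest = line.partition(" ")
        entries[rest.lstrip(" *")] = digest.lower()
    return entries


def build_sha256sums(files):
    """sha256sum-style text for {name: bytes}; handy for constructing test input."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def verify_restore_set(sums_text, files):
    """Classify every SHA256SUMS entry and every transferred file.

    files: {name: bytes} for the files actually copied to the new server.
    'not_allowed' entries must be dropped (executable or unknown content),
    'not_transferred' entries are the lines the advisory says to edit out,
    'unlisted' files have no digest to check, 'mismatch' files were altered.
    """
    sums = parse_sha256sums(sums_text)
    report = {"ok": [], "mismatch": [], "not_allowed": [], "not_transferred": [], "unlisted": []}
    for name, digest in sums.items():
        if name not in ALLOWED_RESTORE_FILES:
            report["not_allowed"].append(name)
        elif name not in files:
            report["not_transferred"].append(name)
        elif sha256_hex(files[name]) != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    for name in files:
        if name not in sums:
            report["unlisted"].append(name)
    report["safe_to_restore"] = not any(
        report[k] for k in ("mismatch", "not_allowed", "not_transferred", "unlisted")
    )
    return report


if __name__ == "__main__":
    # Constructed contents; on a real server read the transferred files from disk.
    transferred = {
        "batm_server_db.sql.gz": b"constructed database dump",
        "batm_server_config.tar.gz": b"constructed configuration archive",
    }
    sums = build_sha256sums(transferred)
    print(verify_restore_set(sums, transferred))
```

Only restore when safe_to_restore is true; a not_allowed entry such as a .war or .jar in SHA256SUMS means the backup set contains executable content that should not travel to the rebuilt server, and a mismatch means the archive you copied is not the one that was hashed.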
The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.
The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).
Using this vulnerability, the attacker uploaded his own application directly to the application server used by the admin interface. The application server was, by default, configured to start any application placed in its deployment folder.
Note: We've completed multiple security audits since 2021, and none of them identified this vulnerability.
We will continuously update this page as information arises.
NOTE: Security review will require your physical presence at our Prague offices, as we insist on performing security reviews with real physical machines.
Last update: 28.03.2023 12:50 Prague time
28.03.2023 12:50 Added the attacker's address bc1qt3lwcrtmtudw8j5nfzs6l0yhm80a4qz3z9qt7n, which has been used to take coins from a paper wallet accidentally scanned on ATMs and logged by the ATM in the server's database.
23.03.2023 12:42 Added the section "Moving data from old server" and more of the attacker's IP addresses.
22.03.2023 11:13 Added link to Telegram channel. Added links to patch releases.
19.03.2023 10:04 Added link to documentation on how to install the CAS server from scratch, and a call for more security audits.