Security Incident March 17-18th 2023


Description

Severity: Highest

Description: The attacker was able to remotely upload their own Java application via the master service interface (the interface terminals use to upload videos) and run it with batm user privileges.

This resulted in:

  • Ability to access the database.

  • Ability to read and decrypt the API keys used to access funds in hot wallets and on exchanges.

  • Ability to send funds from hot wallets.

  • Ability to download user names and their password hashes, and to turn off 2FA.

  • Ability to access terminal event logs and scan them for any instance where a customer scanned a private key at the ATM. Older versions of the ATM software logged this information.

The GENERAL BYTES Cloud service was breached, as were other operators’ standalone servers.

DO NOT continue to operate your GB ATM server (CAS) unless you have implemented the solution described below!


How to find out if your server was breached

  1. Investigate your master.log and admin.log files and look for time gaps during which your server wasn’t logging anything. Typically you will only see one day of events. The attacker was deleting these logs to conceal their activity. This is a certain indicator of attack.

  2. Look for suspicious content in /batm/app/admin/standalone/deployments/
    root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/
    total 148352
    drwx------ 2 batm batm     4096 Mar 17 23:53 .
    drwx------ 8 batm batm     4096 Mar 10 12:49 ..
    -rw------- 1 batm batm 69125138 Mar 10 12:47 batm_server_admin.war
    -rw-r--r-- 1 batm batm       21 Mar 10 12:47 batm_server_admin.war.deployed
    -rw-r--r-- 1 batm batm     5818 Mar 17 23:53 hvqyhl.war
    -rw-r--r-- 1 batm batm       10 Mar 17 23:53 hvqyhl.war.deployed
    -rw------- 1 batm batm  1007502 Jul 15  2019 mysql-connector-java-5.1.47.jar
    -rw-r--r-- 1 batm batm       31 Jul 15  2019 mysql-connector-java-5.1.47.jar.deployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:30 nheyww.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:33 nsumys.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:38 qosxtf.war.undeployed
    -rw------- 1 batm batm     8888 Jul  2  2019 README.txt
    -rw------- 1 batm batm 81691033 Mar 10 12:49 server_admin_api.war
    -rw-r--r-- 1 batm batm       20 Mar 10 12:49 server_admin_api.war.deployed
    -rw-r--r-- 1 batm batm       10 Mar 17 23:07 txnotd.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:43 uabcxo.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:36 varwda.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:34 wgzooh.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:37 wljtmq.war.undeployed
    root@batmserver:/batm#

    The files created by the attacker are the ones dated Mar 17 in this listing: the randomly named hvqyhl.war with its .deployed marker, and the *.war.undeployed markers (nheyww, nsumys, qosxtf, txnotd, uabcxo, varwda, wgzooh, wljtmq) left behind by earlier uploads. The GB-provided batm_server_admin.war, server_admin_api.war, mysql-connector-java-5.1.47.jar and README.txt are legitimate. Filenames on your server may differ.

  3. Please understand that the absence of these files from your file system does not mean that you were not hacked. An empty admin.log and master.log is the primary indicator.
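The two checks above (log gaps and unexpected deployment artifacts) can be scripted. The following Python is an added example, not code from GENERAL BYTES or this advisory. It assumes that every log line begins with a 'YYYY-MM-DD HH:MM:SS' timestamp (the real master.log/admin.log format may differ; adjust TS_FORMAT), that a clean deployments directory holds only the GB-provided files visible in the listing above plus their marker files, and it runs on constructed sample data so it works offline. On a real server, feed it the lines of your own logs and point scan_deployments_dir at /batm/app/admin/standalone/deployments/.

```python
"""Added example: automates the two breach indicators from the advisory,
gaps/truncation in master.log or admin.log and unexpected deployment
artifacts. Timestamp format and baseline file set are assumptions."""
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed log timestamp layout
TS_LEN = 19                       # length of 'YYYY-MM-DD HH:MM:SS'

# Artifacts expected in a clean deployments directory (from the advisory's
# listing). Anything else, or a marker file for anything else, is suspect.
BASELINE_ARTIFACTS = {
    "batm_server_admin.war",
    "server_admin_api.war",
    "mysql-connector-java-5.1.47.jar",
    "README.txt",
}
# Deployment-scanner marker suffixes (assumed set, WildFly style).
MARKER_SUFFIXES = (".deployed", ".undeployed", ".isdeploying", ".failed")


def parse_timestamps(lines):
    """Timestamps of the lines that carry one; other lines are ignored."""
    stamps = []
    for line in lines:
        try:
            stamps.append(datetime.strptime(line[:TS_LEN], TS_FORMAT))
        except ValueError:
            continue
    return stamps


def find_log_gaps(lines, max_gap=timedelta(hours=24)):
    """(before, after) pairs where consecutive entries lie more than max_gap
    apart: a deleted stretch of log shows up as exactly such a hole."""
    stamps = parse_timestamps(lines)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def looks_truncated(lines, min_span=timedelta(days=2)):
    """True when the whole file covers less than min_span, the 'only one day
    of events' symptom the advisory describes. An empty log also counts."""
    stamps = parse_timestamps(lines)
    if not stamps:
        return True
    return (stamps[-1] - stamps[0]) < min_span


def suspicious_deployments(names):
    """Entries whose underlying artifact is not in the baseline, including
    the .deployed/.undeployed markers the scanner leaves behind."""
    flagged = []
    for name in sorted(names):
        base = name
        for suffix in MARKER_SUFFIXES:
            if name.endswith(suffix):
                base = name[: -len(suffix)]
                break
        if base not in BASELINE_ARTIFACTS:
            flagged.append(name)
    return flagged


def scan_deployments_dir(path):
    """Run suspicious_deployments over a real directory."""
    return suspicious_deployments(p.name for p in Path(path).iterdir())


# Constructed sample data: a log with a week-long hole, a log holding only
# one day of events, and the file names from the advisory's listing.
SAMPLE_LOG_WITH_HOLE = [
    "2023-03-10 12:49:02 INFO  Master service started",
    "2023-03-10 13:05:11 INFO  Terminal connected",
    "2023-03-17 22:29:40 INFO  Master service started",
    "2023-03-17 23:53:10 INFO  Terminal connected",
]
SAMPLE_LOG_ONE_DAY = SAMPLE_LOG_WITH_HOLE[2:]
SAMPLE_DEPLOYMENT_NAMES = [
    "batm_server_admin.war", "batm_server_admin.war.deployed",
    "hvqyhl.war", "hvqyhl.war.deployed",
    "mysql-connector-java-5.1.47.jar", "mysql-connector-java-5.1.47.jar.deployed",
    "nheyww.war.undeployed", "nsumys.war.undeployed", "qosxtf.war.undeployed",
    "README.txt", "server_admin_api.war", "server_admin_api.war.deployed",
    "txnotd.war.undeployed", "uabcxo.war.undeployed", "varwda.war.undeployed",
    "wgzooh.war.undeployed", "wljtmq.war.undeployed",
]

if __name__ == "__main__":
    for a, b in find_log_gaps(SAMPLE_LOG_WITH_HOLE):
        print(f"log gap: nothing logged between {a} and {b}")
    if looks_truncated(SAMPLE_LOG_ONE_DAY):
        print("log covers less than two days: treat as a breach indicator")
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the real dir
        for name in SAMPLE_DEPLOYMENT_NAMES:
            Path(tmp, name).touch()
        for name in scan_deployments_dir(tmp):
            print(f"unexpected deployment artifact: {name}")
```

The deployment check flags marker files as well as the .war itself because, as the listing shows, an attacker's undeployed uploads leave only the ten-byte .undeployed marker behind; the log check reports both a hole between entries and a file whose total span is too short, since wholesale truncation produces no hole at all.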

I believe I wasn’t breached

You should apply the solution anyway!

Read “Solution” below.

  • Consider all of your users’ CAS passwords and all API keys to exchanges and hot wallets to have been compromised and leaked.

  • Regenerate new API keys and invalidate old ones.

  • Change all user passwords.

Solution

GENERAL BYTES is shuttering its Cloud service.

It is theoretically (and practically) impossible to secure a system that grants access to multiple operators at the same time when some of them are bad actors. You’ll need to install your own Standalone server. GB support will help you migrate your data from the GB Cloud to your own Standalone server.

Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With a VPN and firewall in place, attackers on the open internet cannot reach your server to exploit it. If your server was breached, please reinstall the whole server, including the operating system.

Additionally, consider all of your users’ passwords and your API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys and passwords.

The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44.

Please ensure you implement all other steps - not just the server upgrade installation.

Specific steps for Standalone Operators:

  1. Stop the admin and master service and wait until the patch release is available.

  2. If your BATM server was breached, reinstall it, including the operating system, to ensure that there is no code left by the attacker on your server. CAS CLI Installation

  3. Upgrade your server to the latest version, which is 20230120.45. If you are currently running version 20221118, you can also apply the fix by upgrading to patch release 20221118.49. Do not start the server until after the upgrade is complete. https://generalbytes.atlassian.net/l/cp/uDWwYSuQ
    It is HIGHLY recommended that you always install the latest patch available, as patches contain the latest security fixes and important improvements. See this document to find the patch versions we recommend operating: Patch Releases

  4. Modify your server firewall settings to ensure that your CAS admin interface, running on TCP port 7777 or 443, is only accessible from IP addresses you trust, such as your office or home. Refer to the firewall configuration guide for assistance. https://generalbytes.atlassian.net/l/cp/ikf0h0Ld

  5. Move your terminals and server behind a VPN and make sure the master service interface (port 7741) is accessible only by terminals behind the VPN. https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2807791617 Terminal Security | Terminal VPN

  6. Deactivate all your terminals in the CAS interface to prevent any sales on machines. Alternatively, you can deactivate only two-way machines.

  7. Review all your CAS users, their permissions, and groups, and make sure that only users you trust have administration rights.

  8. Check whether the attacker added any terminals and remove them if necessary.

  9. Activate the terminals.

  10. If you were breached, review the admin.log file to find more details on the attacker's activity.

Steps for ALL Operators:

  1. Review all your CAS users, their permissions, and groups, and delete any unrecognized users.

  2. Check all CAS users' email addresses (in Persons) and reset all user passwords (except your own) as a precautionary measure.

  3. Review your Crypto Settings and run the Crypto Settings tests to verify that your crypto addresses and strategies are correct. The attacker may have changed your SELL Crypto Settings to receive coins from customers into his wallet, so it's important to double-check and make sure everything is as it should be.

  4. Delete any unrecognized or unpaired terminals.

  5. Activate only the verified terminals.

  6. Set up a VPN connection to the terminals to ensure secure communication.

Taking these steps can help protect your system from any potential vulnerabilities and mitigate the risks of future attacks.


Moving data from old server

  1. Use the batm-manage backup mechanism to create a backup archive.