Minecraft Servers under attack

28 November, 2022

Microsoft Wednesday reported that a small number of Minecraft customers who use Log4j on vulnerable versions of Minecraft have been infected with Khonsari ransomware.

Redmond-based software company, Microsoft, claimed that malicious in-game messages were being sent to Minecraft servers by adversaries. According to Microsoft, the servers exploited the Log4j vulnerability in order to retrieve and execute an attacker hosted payload on the server and the clients.

Microsoft's unified threat Intelligence team posted in a blog that “Due to shifts in threat landscape, Microsoft reiterates guidance for Minecraft customers running its own servers to deploy latest Minecraft server updates and for players to exercise caution in only connecting to trusted Minecraft Servers.”

According to Microsoft, Minecraft customers who were playing on a Microsoft server had a patched copy of the game automatically downloaded after shutting down the Minecraft Launcher and restarting it. Microsoft purchased the videogame and associated intellectual property for $2.5 Billion in 2014.

To ransom the device, the Khonsari ransomware was packaged as a malicious Java file and executed within the context of Javaw.exe. Microsoft confirmed that Bitdefender, Bucharest Romania-based, has confirmed Microsoft's earlier findings that Khonsari ransomware was being delivered as a payload after exploiting the Log4j vulnerability.

Although it is not common for Minecraft to be installed on enterprise networks, Microsoft claims it has seen PowerShell-based reverse Shells drop to Minecraft client systems through malicious in-game messages. Microsoft says this gives an adversary full access and allows them to steal credentials.

Microsoft stated that the dropping of PowerShell based reverse shells was often associated with enterprise compromises, in order to facilitate lateral movement. Microsoft stated that it has not observed any follow-up activity from the reverse campaign at the moment, which suggests that the threat group could be gaining access for future use.

Minecraft instructs customers who host their servers to either copy a file to the server's working directory or add JVM arguments in their startup command line, depending on which version they are using. Users who have modified third-party launchers or clients might not be able to update automatically. Minecraft advises users in this situation to follow their third-party provider's instructions.

Microsoft's warning regarding Khonsari ransomware is coming two days after Bitdefender warned that the new ransomware family was trying to exploit the Log4j vulnerability on Windows users. Bitdefender stated that a malicious.NET binary file was downloaded to the victim's computer as part of the ransomware attack. It will list all drives and encrypt them all except for the C: drive.

Bitdefender stated that Khonsari encrypts documents, videos, pictures, downloads, and desktop files only. Bitdefender claims that Khonsari has written a ransom note in the Desktop folder on the C: drive. It is then opened with Notepad.

Check Point reported Wednesday that the state-sponsored Iranian hacking group APT 35 attempted to exploit the Log4j security against seven targets in Israel's government and business sectors over the past 24 hours. Check Point was able to block the attacks by monitoring communications between APT 35's server and targets in Israel.

The attack occurred between 9 a.m. ET and 7 p.m. ET. ET at 7 p.m. ET Wednesday and 7 p.m. ET. Check Point stated that there is no evidence linking APT 35 to related activity against targets other than Israel. Check Point discovered that APT 35's Israeli-focused campaign follows a Log4j vulnerability-exploiting attempt by a crypto mining group against five other countries.

Check Point stated in a blog post that “Reports from the last 48 hours show that both criminal hacking organizations and nation-state actors are actively engaged in the exploration and exploitation of this vulnerability.”