Hosting Your Own Minecraft Server? Patch Now And Protect From Log4j Ransomware Attacks
Are you tired of hearing about Log4shell yet? Well settle in, because a top-3-worst-security-exploit-ever doesn't vanish overnight. Microsoft updated its article about the flaw (which we mentioned on Wednesday) once again, this time with some notes about protecting "non-Microsoft-hosted Minecraft servers."
Indeed, while Microsoft would really prefer everyone to move to the "Bedrock" version of Minecraft on the Windows store—which strongly encourages players to congregate on Microsoft's own Minecraft servers—the Java version remains dominant thanks to the ease of hosting your own extensively-modded Minecraft world.
Like hosting any web service, though, this isn't without risks. Anytime you open up a computer to the internet, you make yourself a visible target for the scum of the Earth. Servers with available services typically advertise those services on specific network ports, and even if they don't advertise, it's trivial to scan a system for listening services. From there, it's just a matter of forming the correct query to exploit available security holes.
Well, when the hole in question is gaping as wide as Log4j's Log4shell exploit, opening up a vulnerable service to the internet is like leaving the shopping mall doors open all night. So it goes then that Microsoft is aggressively advising Minecraft server operators to upgrade their game version to the latest 1.18.1 revision. Unsurprisingly, the Java version of Minecraft uses Log4j for its logging, and prior versions of the game software are fully vulnerable to the Log4shell flaw.
Microsoft says it has observed attacks on compromised Minecraft servers being used to deploy Khonsari malware. Khonsari is a new type of ransomware that Cado Security actually calls "a bit boring." Essentially, the malware, once loaded, finds all the mounted drives and starts to encrypt everything on them. While Khonsari leaves a ransom note, the contact information appears to be fake, leaving affected victims no way to decrypt the data. Because of that, it is essentially a more frustrating version of a "wiper" malware that just deletes the data.
It's interesting to see the news come around full circle on this exploit. Log4shell was first exposed as an exploit in Minecraft, after all. It was nearly a month before it was discovered that the flaw wasn't in Minecraft itself but rather in Log4j, sending network operators and server admins scrambling to protect vital infrastructure. Few people, even developers, realized just how widespread the Log4j package was. Updates to protect against the flaw even took down Steam and iCloud briefly.
