Hosting Your Own Minecraft Server? Patch Now And Protect From Log4j Ransomware Attacks

Are you tired of hearing about Log4shell yet? Well, settle in, because a top-3-worst-security-exploit-ever doesn't vanish overnight. Microsoft updated its article about the flaw (which we mentioned on Wednesday) once again, this time with some notes about protecting "non-Microsoft-hosted Minecraft servers."

Indeed, while Microsoft would really prefer everyone to move to the "Bedrock" version of Minecraft on the Windows store—which strongly encourages players to congregate on Microsoft's own Minecraft servers—the Java version remains dominant thanks to the ease of hosting your own extensively-modded Minecraft world.

Like hosting any web service, though, this isn't without risks. Anytime you open up a computer to the internet, you make yourself a visible target for the scum of the Earth. Servers with available services typically advertise those services on specific network ports, and even if they don't advertise, it's trivial to scan a system for listening services. From there, it's just a matter of forming the correct query to exploit available security holes.

Well, when the hole in question is gaping as wide as Log4j's Log4shell exploit, opening up a vulnerable service to the internet is like leaving the shopping mall doors open all night. It follows, then, that Microsoft is aggressively advising Minecraft server operators to upgrade their game version to the latest 1.18.1 revision. Unsurprisingly, the Java version of Minecraft uses Log4j for its logging, and prior versions of the game software are fully vulnerable to the Log4shell flaw.

Image caption: This clumsy hand-drawn Log4shell logo has come to represent the serious vulnerability on the web.

This is a bigger problem than it might seem to people who don't play Minecraft, or have only played the Bedrock version. Minecraft servers are very often hosted on older versions of the game, even as far back as 1.08—first released in 2014. The reason for this is mods, which have to be updated for new versions of the game. Some older modpacks are still a lot of fun, yet they simply won't run on the latest version of the game. Given the severity of this Log4shell exploit—it can be triggered with a single chat message—it seems unlikely that most of these servers will remain open to the public, which is a shame.

Microsoft says it has observed attacks on compromised Minecraft servers being used to deploy Khonsari malware. Khonsari is a new type of ransomware that Cado Security actually calls "a bit boring." Essentially, the malware, once loaded, finds all the mounted drives and starts to encrypt everything on them. While Khonsari leaves a ransom note, the contact information appears to be fake, leaving affected victims no way to decrypt the data. Because of that, it is essentially a more frustrating version of a "wiper" malware that just deletes the data.

It's interesting to see the news come around full circle on this exploit. Log4shell was first exposed as an exploit in Minecraft, after all. It was nearly a month before it was discovered that the flaw wasn't in Minecraft itself but rather in Log4j, sending network operators and server admins scrambling to protect vital infrastructure. Few people, even developers, realized just how widespread the Log4j package was. Updates to protect against the flaw even took down Steam and iCloud briefly.