Self-hosted Minecraft servers are facing a new ransomware threat: Khonsari

by Alexandru Poloboc
News Editor
  • Minecraft players are now being targeted by a group of international hackers.
  • Microsoft warns that hackers are spreading the Khonsari ransomware.
  • The malicious third parties are targeting self-hosted Minecraft servers.
  • Updating to the latest version of the official game protects you against this attack.

If you are a Minecraft player and made a habit of hosting your own servers, you will surely want to hear what we have to say right now.

Redmond tech giant Microsoft urges admins of self-hosted Minecraft servers to upgrade to the latest release to defend against the Khonsari ransomware attacks exploiting the critical Log4Shell security vulnerability.

The Swedish video game developer that created Minecraft, Mojang Studios, released an emergency security update last week.

This patch was issued to address the bug tracked as CVE-2021-44228 in the Apache Log4j Java logging library (used by the game’s Java Edition client and multiplayer servers).

Microsoft is warning Minecraft users everywhere

When this all started, there was no mention of attacks targeting Minecraft servers using Log4Shell exploits.

However, Microsoft updated its CVE-2021-44228 guidance today to warn of ongoing exploitation to deliver ransomware on non-Microsoft hosted Minecraft servers.

Redmond officials also said that in situations like this, hackers send a malicious in-game message to a vulnerable Minecraft server.

This message exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients.

This triggered the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) to get involved.

Upon a closer look, they also observed PowerShell-based reverse shells deployed in enterprise breaches where Log4j exploits targeting Minecraft servers were the entry point.

The worst part is that, although Minecraft is not something one would expect to find installed on an enterprise endpoint, the threat actors who successfully compromised one of these servers also used Mimikatz to steal credentials, likely to maintain access to the breached systems for follow-on activity.

To upgrade to the patched version, gamers using Mojang’s official client are advised to close all running game and Minecraft Launcher instances and restart the Launcher, which installs the patch automatically.

Players that are using modified Minecraft clients and third-party launchers should reach out to their third-party providers for a security update.

Have you observed any peculiar behaviors while hosting your own Minecraft server? Share your experience with us in the comments section below.
