Security News > 2021 > December > Microsoft: Khonsari ransomware hits self-hosted Minecraft servers

Microsoft urges admins of self-hosted Minecraft servers to upgrade to the latest release to defend against Khonsari ransomware attacks exploiting the critical Log4Shell security vulnerability.
While there was no mention of attacks targeting Minecraft servers using Log4Shell exploits at the time, Redmond's security experts updated their CVE-2021-44228 guidance today to warn of ongoing exploitation to deliver ransomware on non-Microsoft hosted Minecraft servers.
"In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients," Microsoft said.
The Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center also observed PowerShell-based reverse shells deployed in enterprise breaches where Log4j exploits targeting Minecraft servers were the entry point.
While Minecraft is not something one would expect to find installed on an enterprise endpoint, the threat actors who successfully compromised one of these servers also used Mimikats to steal credentials, likely to maintain access to the breached systems for follow-on activity.
Microsoft warns all admins to immediately install the latest Minecraft server updates to defend them against these attacks and asks players to only connect to trusted Minecraft servers.
News URL
Related news
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (source)
- Like whitebox servers, rent-a-crew crime 'affiliates' have commoditized ransomware (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- RedCurl cyberspies create ransomware to encrypt Hyper-V servers (source)
- Hijacked Microsoft web domain injects spam into SharePoint servers (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity siemens apache intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |