11. 02. 2022
The attacks on the Log4j vulnerability and the Log4Shell malware exploit seem to be increasing at an alarming rate. Microsoft updated its threat page earlier this week to confirm that attackers are incorporating the exploit into other arsenals. This includes targeting Minecraft servers.
According to Microsoft, "We observed many attackers adding exploits to these vulnerabilities to their existing malware tools and tactics, including coin miners and hands-on keyboard attacks."
Recent reports show that Log4Shell attacks come from threat actors backed by known nations.
Microsoft first announced that it was monitoring an active exploit of Log4j flaws in December. This flaw has the potential of infecting millions of systems. Log4Shell has been rated as a critical flaw in the open-source log library. Log4j is a common vulnerability in cloud services so the risk of this exploit being dangerous is high.
Later, the company revealed that state-sponsored groups were also actively exploiting this vulnerability. Log4j versions 2.0 through 2.14.1 have a vulnerability that allows remote execution attacks. The hack can be successful and the device will be given to the attacker. Version 2.15.0 has been released by Apache Software Foundation to fix the flaw.
Log4Shell is the name given to all remove code execution (RCE), vulnerabilities in Apache Log4j software. However, there are three distinct flaws: CVE-2021-45046 and CVE-2021-44228.
Microsoft's most recent update states that attackers continue targeting Minecraft servers. Microsoft Defender and third party security tools found attacks coming from compromised Minecraft servers. These are not official servers, but modified log4j 2 files.
Microsoft states that in these cases an adversary sends an in-game message to a vulnerability Minecraft server. This exploits CVE-20244228 to retrieve an attacker-hosted payload to the server and to connect vulnerable clients. "We found that exploitation led to the execution of the malicious Java class file, the Khonsari ransomware. This is then executed within the context of Javaw.exe to runsom the device."
This attack will not affect all businesses, as most companies don't have Minecraft installed. Microsoft acknowledges that the motive for targeting Minecraft is not clear.
Microsoft points out that these techniques are often associated with enterprise compromises and the intention of lateral motion.
Microsoft has instructed Minecraft users with mod servers to update to the most recent version and general users to join trusted servers only.