Microsoft reveals DDoS activity targeting Minecraft servers


Microsoft Threat Intelligence has detected a malicious cross-platform bot called MCCrash that infects Windows, Linux and Internet-connected devices to perform DDoS attacks on Minecraft servers.

Once a device is infected, the botnet can spread to other systems on the network by brute-forcing SSH credentials, the team reports.

"Our analysis of a malicious denial-of-service botnet revealed features designed specifically for Minecraft Java servers, using packages as a service sold on forums or on the dark web," Microsoft said in its report.

Currently, most of the MCCrash bots are located in Russia, but there are also victims in Mexico, Italy, India, Kazakhstan and Singapore. Minecraft servers are often the target of denial-of-service attacks, either by server spam operators or as part of extortion.

In October 2022, Cloudflare, an American company that specializes in content distribution and mitigation of denial-of-service attacks, reported mitigating a 2.5T DDoS attack against Wynncraft, one of the largest Minecraft servers in the world.

Devices are first infected with MCCrash after users install a fake Windows Product Activation Tool and a malware-laden Office Pack Activation Tool, Microsoft said.

The hack tool contains malicious PowerShell code that downloads a file called svchosts.exe that runs Malware.py, the bot's base payload. MCCrash then attempts to spread to other computers on the network by performing brute force SSH attacks against Linux computers and electronic devices connected to the Internet.

According to Microsoft, the botnet created by the attackers targeted Minecraft server version 1.12.2, but the company confirmed that all versions from 1.7.2 to 1.18.2 are also vulnerable.

In addition, quite a few Minecraft servers are still running older versions, mostly in the US, Germany, and France.

Microsoft warns that the threat's unique ability to use IoT devices, which are often left unattended, as part of a botnet greatly increases its effectiveness and reduces its likelihood of detection.

To protect their IoT devices from botnets, users are advised to update the firmware, replace default credentials with long, strong passwords, and disable SSH logins when they are not needed.
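For defenders who collect sshd logs centrally, the network spread described above (one infected machine trying SSH passwords against its neighbours) can be spotted by looking for a private-range source that fails logins on several different hosts. The following is an added example, not code from Microsoft's report; the hostnames, addresses, log lines and thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges: a failing source inside them is a LAN peer, not internet noise.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# OpenSSH "Failed password" line as written to syslog; <host> is the device that was targeted.
FAILED = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def find_internal_ssh_sprayers(lines, min_failures=6, min_targets=2):
    """Return private-range sources with many failed SSH logins spread over several hosts."""
    stats = defaultdict(lambda: {"failures": 0, "targets": set(), "users": set()})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # sshd logged a hostname instead of an address
        if not any(src in net for net in RFC1918):
            continue  # external scanners are out of scope for this check
        s = stats[str(src)]
        s["failures"] += 1
        s["targets"].add(m["host"])
        s["users"].add(m["user"])
    return {ip: {"failures": s["failures"], "targets": sorted(s["targets"]),
                 "users": sorted(s["users"])}
            for ip, s in stats.items()
            if s["failures"] >= min_failures and len(s["targets"]) >= min_targets}

# Constructed sample: 192.168.1.50 sprays three devices, .20 is a user typo, 203.0.113.9 is external.
SAMPLE_LOG = [
    "Dec 16 10:00:01 cam01 sshd[811]: Failed password for root from 192.168.1.50 port 40112 ssh2",
    "Dec 16 10:00:02 cam01 sshd[811]: Failed password for invalid user admin from 192.168.1.50 port 40114 ssh2",
    "Dec 16 10:00:03 nas01 sshd[402]: Failed password for root from 192.168.1.50 port 40120 ssh2",
    "Dec 16 10:00:04 nas01 sshd[402]: Failed password for invalid user pi from 192.168.1.50 port 40122 ssh2",
    "Dec 16 10:00:05 gw01 sshd[97]: Failed password for root from 192.168.1.50 port 40130 ssh2",
    "Dec 16 10:00:06 gw01 sshd[97]: Failed password for invalid user admin from 192.168.1.50 port 40131 ssh2",
    "Dec 16 10:03:10 nas01 sshd[402]: Failed password for alice from 192.168.1.20 port 51515 ssh2",
    "Dec 16 10:04:00 gw01 sshd[97]: Failed password for root from 203.0.113.9 port 33001 ssh2",
    "Dec 16 10:05:00 nas01 sshd[402]: Accepted password for alice from 192.168.1.20 port 51520 ssh2",
]

if __name__ == "__main__":
    for ip, info in find_internal_ssh_sprayers(SAMPLE_LOG).items():
        print(ip, info)
```

A hit identifies the machine to isolate and inspect first; the thresholds need tuning to the size of the network and the log window examined.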



