Posted on August 1, 2023 at 9:57 AM
Minecraft Mods Are Vulnerable To Exploits As Researchers Detect BleedingPipe Flaw
Some Minecraft mods are vulnerable to a bug serious enough that players are being told to run antivirus scans. A report by the MMPA (Minecraft Malware Prevention Alliance) security community noted that threat actors were exploiting the BleedingPipe vulnerability within the Forge mod framework, which powers a wide range of mods.
Minecraft mods let hackers exploit the BleedingPipe flaw
The mods these threat actors are exploiting include Astral Sorcery, EnderCore, and Gadomancy, among others. The affected mods run on Forge 1.7.10 and 1.12.2.
The intruders behind this campaign could gain remote control over both servers and players’ devices. In one instance, the threat actors deployed a new exploit variant against a Minecraft server to steal players’ Discord credentials and Steam session cookies.
The report described the campaign as a deserialization exploit using a gadget chain. A range of exploited cases was reported, but none of the cases reported to the researchers reached a massive volume within the Minecraft community.
“The first hints of this exploit in this specific list of mods go back all the way to March 2022, when this issue was posted on BDLib’s GitHub, hinting at a vulnerability in ObjectInputStream. The GTNH team promptly merged a fix into their fork,” the report said.
The issue then went largely unnoticed for a while, until MineYourMind revealed that the flaw was being exploited on its Enigmatica 2 Expert server. The report said that a July 9, 2023 post on the Forge forum described an RCE that ran on a server, compromised it, and sent the attacker the Discord data of connected clients.
The issue was confirmed patched in a July 24, 2023 update. The maintainers announced they had issued a fix and were working with other mod developers to roll out the upgrades.
BleedingPipe flaw blamed for attacks on Minecraft mods
A report by Bleeping Computer said that the BleedingPipe flaw stems from unsafe deserialization of a class within the Java code that powers the mods. Depending on the mod, an attacker only needs to send specially crafted network traffic to a server running it in order to take control of that server.
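The root cause described above, and the kind of allowlist that PipeBlocker-style mitigations rely on, is easiest to see side by side. The following is an added example written for this page, not code from any affected mod, Forge, or PipeBlocker. `SyncPayload` is a hypothetical packet class, the `HashMap` stands in for an attacker-chosen gadget class, and the filter uses the `java.io.ObjectInputFilter` API that is public since Java 9 (Forge 1.7.10/1.12.2 servers run Java 8, where the equivalent is `sun.misc.ObjectInputFilter` from 8u121 onward, or the global `jdk.serialFilter` system property).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical mod packet payload (an assumption for this example; not a class
// from any real mod).
final class SyncPayload implements Serializable {
    private static final long serialVersionUID = 1L;
    final int x, y, z;
    final String label;
    SyncPayload(int x, int y, int z, String label) {
        this.x = x; this.y = y; this.z = z; this.label = label;
    }
}

public final class PacketDeserialization {

    // Vulnerable pattern: the bytes arrived over the network, and readObject()
    // instantiates whatever class the stream names, as long as it is on the
    // server's classpath. That is what makes a gadget chain possible.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter (JEP 290). Only SyncPayload may be
    // deserialized; every other class is rejected before any constructor,
    // readObject() or finalizer can run. Depth and byte caps bound what an
    // attacker can make the parser do.
    static final ObjectInputFilter ALLOWLIST =
        ObjectInputFilter.Config.createFilter("maxdepth=4;maxbytes=4096;SyncPayload;!*");

    static SyncPayload readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(ALLOWLIST);
            return (SyncPayload) in.readObject();
        }
    }

    // Helper that builds wire bytes for the demo (constructed input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new SyncPayload(10, 64, -3, "altar"));
        // A HashMap stands in for an attacker-chosen class; a real exploit names
        // a class whose deserialization side effects lead to code execution.
        byte[] hostile = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, legit:   " + readUnfiltered(legit).getClass().getName());
        System.out.println("unfiltered, hostile: " + readUnfiltered(hostile).getClass().getName());
        System.out.println("filtered, legit:     " + readFiltered(legit).label);
        try {
            readFiltered(hostile);
            System.out.println("filtered, hostile:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac PacketDeserialization.java && java PacketDeserialization` on Java 9 or later. The unfiltered reader happily instantiates the `HashMap`; the filtered reader throws `InvalidClassException` with a "filter status: REJECTED" message before the object is built. The safer long-term fix is to stop using Java serialization for network packets altogether and encode packet fields explicitly, which is what the patched mods moved to.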
The first evidence of attacks using the BleedingPipe flaw was noted in March 2022, and the flaw was swiftly patched by the affected modders at the time. However, the MMPA researchers said they understood that the majority of modded servers had yet to update.
The payload the attackers deploy on compromised systems has not yet been recovered. Server administrators are advised to check all of their mods for suspicious file additions using the jNeedle and jSus scanners.
Players using the mods are vulnerable too and are advised to run the same scans over the .minecraft directory (or their custom install directory). Desktop users are also advised to run an antivirus scan and check for malicious executables on the system.
Anyone who wants to mitigate the flaw in general should install PipeBlocker on both clients and Forge servers. Users should also update LogisticsPipes and the other affected mods to their latest versions, with the caveat that pre-made modpacks might become unstable or break once all of their mods are updated.
Mojang’s parent company, Microsoft, is not behind Forge, so the tech giant cannot stop or limit the damage caused by this campaign. Users who stick to vanilla Minecraft or to single-player sessions are not affected, so the campaign does not touch all Minecraft users.
The full scope of this security flaw has yet to be determined. Currently, 46 mods are known to be affected by the BleedingPipe flaw, and more may turn out to be vulnerable, which is a cause for concern for users of those mods.
Users should scan their system, including the Minecraft folder, for malware. Server operators are advised to update their mods and verify that their servers have not already been compromised. The PipeBlocker mod will also play a vital role in protecting those affected by the flaw. However, modpacks may break when their mods are updated individually.