Posted on December 20, 2022 at 7:08 AM
Microsoft last week flagged a cross-platform botnet capable of launching distributed denial-of-service (DDoS) attacks against private Minecraft servers.
Minecraft servers targeted by a cross-platform botnet
The botnet in question is dubbed MCCrash. Its spreading mechanism is unusual: although the initial infections come from malicious downloads on Windows hosts, the malware goes on to target Linux-based devices.
Microsoft's report says the botnet spreads across devices by enumerating default device credentials, and that internet of things (IoT) devices, which are often deployed with insecure settings, are the most exposed.
“The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk of attacks like this botnet,” the company said.
The way the malware operates also means it can persist on IoT devices even after it has been removed from the infected PC. Microsoft's security researchers are still analyzing the malware and track the activity under the emerging moniker DEV-1028.
Most infections have been reported in Russia, which appears to be the malware's primary target. Infections have also been reported in Belarus, Cameroon, Colombia, Czechia, India, Indonesia, Italy, Mexico, Nigeria, Ukraine, and Uzbekistan.
The tech giant did not reveal the full extent of the campaign. What its report does describe is a botnet built to knock private Minecraft servers offline; the distribution of infections across the countries above says nothing about the victims' sectors, and the report does not support claims that governments or institutions were targeted or that ransomware was the goal.
The initial infection point was a set of Windows machines compromised after their users installed cracking tools, software that promises to activate illegitimate Windows licenses and carries the malware with it.
That malicious software was also used to drop a Python payload containing the botnet's core functionality, including a scanner for internet-exposed, SSH-enabled Linux devices. Against each device it finds, the payload runs a dictionary attack using default credentials.
Propagation is the botnet's other function: the same Python payload, once running on a newly infected device, both spreads further and accepts DDoS commands from the operators. One of those commands is built specifically to crash Minecraft servers.
Microsoft describes the operators as capable, but notes that they may not have been working for themselves: it rates it highly likely that this DDoS capability is sold as a service on underground platforms.
The researchers who uncovered the campaign are David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, and Ross Bevington. They note that the threat shows why organizations need to keep both their traditional endpoints and their IoT devices patched and up to date.
They further note that IoT devices need regular monitoring because they are often less well secured than other endpoints, and have repeatedly been recruited by attackers for campaigns such as DDoS attacks.
Brute force attacks are on the rise
It is not the first time research has pointed to similar findings. The Microsoft report came a few days after Fortinet FortiGuard Labs published details of a new botnet, GoTrim, which has been running brute-force attacks against self-hosted WordPress websites.
The campaign has been active since at least September 2022. A network of bots conducts distributed brute-force login attempts against the targeted website.
Once the attackers gain access, they install a downloader PHP script on the newly compromised host. The script fetches and runs the "bot client" from a hard-coded URL, adding the machine to the fast-growing network.
“Brute-forcing campaigns are dangerous as they may lead to server compromise and malware deployment. To mitigate this risk, website administrators should ensure that user accounts (especially administrator accounts) use strong passwords,” the researchers said.
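Both behaviors described on this page, the SSH default-credential spraying MCCrash uses to spread and the distributed login attempts GoTrim makes against WordPress, show up the same way in logs: one source address producing a run of failed logins, often across several usernames, sometimes followed by a success. The following is an added example written for this article, not code from Microsoft, Fortinet or either botnet. It assumes stock OpenSSH syslog lines and a combined-format web access log, treats a 302 from wp-login.php as a successful login (stock WordPress behavior; plugins may change it), and the log lines it runs on are constructed, with made-up hosts, addresses and usernames.

```python
"""Detect credential-spraying / brute-force logins in SSH and WordPress logs.

Added example for this article; not code from Microsoft, Fortinet or either
botnet. Log formats are stock OpenSSH sshd syslog lines and a combined-format
web access log; the sample lines below are constructed, with made-up hosts,
IPs and usernames.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# sshd auth lines, e.g.
#   "Dec 19 03:14:07 cam01 sshd[812]: Failed password for root from 203.0.113.9 port 51822 ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
# combined-format access log lines for the WordPress login form, e.g.
#   '192.0.2.44 - - [19/Dec/2022:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 ...'
WEB_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" (?P<status>\d{3})'
)


@dataclass
class SourceStats:
    failures: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    success_after_failures: bool = False  # a login that followed suspicious failures


def parse_line(line):
    """Return (kind, src_ip, username_or_None, succeeded) for a login event, else None."""
    m = SSHD_RE.search(line)
    if m:
        return "ssh", m.group("src"), m.group("user"), m.group("result") == "Accepted"
    m = WEB_RE.match(line)
    if m:
        # Stock WordPress answers a correct login with a 302 redirect to wp-admin/
        # and a wrong one by re-rendering the form with 200, so the status code is
        # the success signal (assumption: no plugin changes that behaviour).
        return "wp-login", m.group("src"), None, m.group("status") == "302"
    return None


def analyse(lines, fail_threshold=5, user_threshold=3):
    """Aggregate login events per (log kind, source IP) and flag suspicious sources.

    A source is flagged when it accumulates fail_threshold failures (brute force),
    tries user_threshold or more distinct usernames (dictionary / default-credential
    spraying), or logs in successfully after crossing either threshold (likely
    compromise, as with a default-credential SSH login).
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        kind, src, user, succeeded = event
        s = stats[(kind, src)]
        if user is not None:
            s.users.add(user)
        if succeeded:
            s.successes += 1
            if s.failures >= fail_threshold or len(s.users) >= user_threshold:
                s.success_after_failures = True
        else:
            s.failures += 1

    findings = []
    for (kind, src), s in sorted(stats.items()):
        brute_force = s.failures >= fail_threshold
        spraying = len(s.users) >= user_threshold
        if not (brute_force or spraying or s.success_after_failures):
            continue
        findings.append({
            "kind": kind,
            "src": src,
            "failures": s.failures,
            "successes": s.successes,
            "distinct_users": len(s.users),
            "verdict": "compromised" if s.success_after_failures else "brute-force",
        })
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # sshd: one source tries a handful of default/common accounts, then gets in as "pi"
    "Dec 19 03:14:07 cam01 sshd[812]: Failed password for root from 203.0.113.9 port 51822 ssh2",
    "Dec 19 03:14:09 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 51830 ssh2",
    "Dec 19 03:14:11 cam01 sshd[812]: Failed password for pi from 203.0.113.9 port 51834 ssh2",
    "Dec 19 03:14:13 cam01 sshd[812]: Failed password for invalid user ubuntu from 203.0.113.9 port 51840 ssh2",
    "Dec 19 03:14:15 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.9 port 51842 ssh2",
    "Dec 19 03:14:17 cam01 sshd[812]: Failed password for root from 203.0.113.9 port 51848 ssh2",
    "Dec 19 03:14:19 cam01 sshd[812]: Connection closed by 203.0.113.9 port 51848 [preauth]",
    "Dec 19 03:14:21 cam01 sshd[812]: Accepted password for pi from 203.0.113.9 port 51850 ssh2",
    # sshd: an operator mistypes once and then logs in; must not be flagged
    "Dec 19 08:02:40 cam01 sshd[901]: Failed password for alice from 198.51.100.7 port 40122 ssh2",
    "Dec 19 08:02:44 cam01 sshd[901]: Accepted password for alice from 198.51.100.7 port 40122 ssh2",
    # web: seven login posts that all re-render the form (200), no success
    *[f'192.0.2.44 - - [19/Dec/2022:03:20:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"'
      for i in range(7)],
    # web: one ordinary login that redirects to wp-admin (302)
    '192.0.2.45 - - [19/Dec/2022:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run it directly to print the findings for the constructed log, or call `analyse()` on lines read from the sshd auth log and the web server's access log. A single source trying several distinct usernames is the signature of the default-credential dictionary the Microsoft quote above describes; a success arriving after a run of failures is the point at which the device should be treated as compromised rather than merely probed, which for an SSH-enabled IoT device means pulling it from the network, not just cleaning the Windows host that first spread the malware.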