Description
A cross-platform botnet that is primarily designedto perform distributed denial-of-service (DDoS) attacks against personal Minecraft servers was flagged by Microsoft on Thursday.
Summary
The MCCrash botnet is characterized by a mechanism which allows it spread to Linux-based1 devices despite beginning as malicious software downloads on Windows hosts.
The company stated in a report that “the botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices.” IoT devices may be vulnerable to attacks like this botnet because they frequently have remote configuration enabled with potentially unsafe settings.
This implies that malware may continue to infect IoT devices even after being removed from the infected parent PC. Under the newly coined identifier DEV-1028, the cybersecurity section of the tech giant is monitoring the activity cluster.
A pool of machines has been compromised by the installation of cracking tools that purport to offer illegal Windows licenses which serves as the botnet”s initial entry point.
The software then serves as a conduit to execute a Python payload that comprises the essential components of the botnet, such as searching for Linux computers that are SSH enabled in order to begin a dictionary attack.
The same Python payload is deployed to launch DDoS instructions after compromising a Linux host using the propagation method, one of which is programmed to break Minecraft servers (“ATTACK MCCRASH”).
Microsoft called the technique “highly efficient,” saying that it is likely offered as a service on dark forums.
Remediation
The researchers related that “this type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure.
To protect device networks from threats like MCCrash, organizations must implement the basics of protecting identities and their devices, including restricting access. The solution should detect malicious program downloads and malicious attempts to gain access to SSH-enabled devices, and generate alerts on unusual network behavior. Below are some of our recommendations for organizations:
Do not let your employees download cracking tools, as they are used as infection vectors to spread malware.
Enhance network security by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory (now part of Microsoft Entra) MFA. Enable network protection to prevent applications and users from accessing malicious domains and other malicious content on the Internet.
Deploy a comprehensive IoT security solution for IoT for visibility and monitoring of all IoT and OT devices, threat detection and response, and SIEM/SOAR and XDR for platform integration.
IoT device level:
Ensure secure configuration of devices.
Change the default password to a strong one and block SSH for external access.
Get device health with updates.
Make sure your device is up to date with the latest firmware and patches.
Use least privilege access.
Use a secure VPN (Virtual Private Network) service for remote access and limit remote access to your device.
Users hosting private Minecraft servers should update to version 1.19.1 or later.
Adopt a comprehensive Windows security solution:
Manage the apps your employees can and in unmanaged solutions by enabling Smart App Control.
Commercial customers can enable application and browser controls such for additional protection for Office and Edge.
Timely clean up unused and obsolete executables on your organization”s devices.
Protect against advanced firmware attacks by enabling Memory Integrity, Secure Boot, and Trusted Platform Module 2.0 if they aren”t enabled by default. This makes the boot process difficult with features built into modern CPUs.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Cross-platform DDoS botnet attacking private Minecraft Servers.pdf
References
Bevington, R et al. (2022, December 15). MCCrash: Cross-platform DDoS botnet targets private Minecraft servers. Reviewed from Microsoft:
https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/
Lakshmanan, R. (2022, December 16). Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet. Reviewed from TheHackerNews:
https://thehackernews.com/2022/12/minecraft-servers-under-attack.html