Hackers leverage the BleedingPipe RCE to attack Minecraft servers

August 2, 2023

A new cybercriminal campaign exploits the BleedingPipe remote code execution flaw in Minecraft mods to execute malicious commands on compromised servers. The new operation could enable attackers to take over targeted user devices.

The BleedingPipe vulnerability is a bug found in numerous Minecraft mods. It is caused by unsafe use of Java deserialisation: the mods use the ObjectInputStream class to exchange network packets between clients and servers.

Threat actors could therefore send specially crafted network packets to servers running the flawed Minecraft mods to take control of those servers. Subsequently, the attackers could use the hacked servers to exploit the vulnerabilities in the Minecraft mods employed by the players that connect to the server. This exploitation process could allow them to install malware on compromised devices.

A new report from a separate researcher claimed that the vulnerabilities could affect numerous Minecraft mods that operate on 1.7.10 and 1.12.2 Forge. These mods are notorious for using insecure deserialisation code.

The reemerging BleedingPipe flaw was first exploited in March of last year.

Hackers started exploiting BleedingPipe in March 2022. Fortunately, the mod developers immediately patched the bug. However, a Forge forum post warned users about widespread active exploitation using an unidentified zero-day RCE that could steal gamers’ Steam and Discord session cookies.

The confirmed mods impacted by the flaw are BDLib, LogisticsPipes, and EnderCore. Unfortunately, the post did not reach many developers, which left players unaware of the bug.

Further research also showed that the malware developers have identified at least ten more mods that suffer from the same issue. Researchers also noted that this is not a complete list of affected mods, since the BleedingPipe vulnerability could still impact more.

Experts explained that threat actors are actively searching for Minecraft servers susceptible to exploitation. It is therefore essential for admins to patch flawed mods on their servers. Users should download the latest release of the affected mods from the official release channels of admins to protect their services and devices from threat actors that would exploit the BleedingPipe vulnerability.
