Fortunately, despite being actively exploited, it is an attack that is familiar among the Java community and as such, developers are already well-informed when it comes to issuing a fix.
Not so fortunately, though, in the case of this attack, was the scale. According to MMPA, “a bad actor scanned all Minecraft servers on the IPv4 address space.” Following this, the group reckons that a malicious payload might have been deployed onto all affected servers.
Minecraft malware is widespread
The exploit, dubbed ‘BleedingPipe,’ allows full remote code execution on clients and servers running some Minecraft mods on at least versions 1.7.10/1.12.2 of Forge.
Among some of the known affected mods are EnderCore, LogisticsPipes, and BDLib, which have been fixed for the GT New Horizons versions. Others include Smart Moving 1.12, Brazier, DankNull, and Gadomancy.
Despite being a highly exploited vulnerability, MMPA says that no instances have been to this scale in Minecraft so far.
The group says: “We do not know what the contents of the exploit were or if it was used to exploit other clients, although this is very much possible with the exploit.”
Server admins are urged to regularly check for suspicious files, as well as apply updates and security patches as soon as they become available in order to protect players. Players, too, can check for suspicious files, with both jSus and jNeedle being recommended scanning tools.
More broadly, maintaining effective endpoint protection software on consumer machines and being prepared is always good practice.