Minecraft mod security exploit leaves players vulnerable to RCE attack


A new cybersecurity threat known as "BleedingPipe" has emerged in the Minecraft gaming community, putting thousands of users at risk. Security researchers have identified a critical vulnerability that allows full remote code execution (RCE) on systems running popular Minecraft mods, specifically mods for Minecraft Forge versions 1.7.10 and 1.12.2, among others. The exploit has already been successfully used in several instances, causing alarm among players and server administrators.

The Minecraft Malware Protection Association (MMPA) has warned that this vulnerability could impact other Minecraft versions if a vulnerable mod is installed. The concerning aspect is that the exploit may spread from servers to infect clients who join the game.

MMPA explained the issue, stating that the vulnerability arises from deserialization using ObjectInputStream. The affected mods use OIS in their networking code, which allows packets carrying malicious serialised content to be sent, leading to full control over the server. That control could then be used in reverse to infect every client connected to the server.
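The following Java program is an added illustration and is not code from the article, from MMPA, or from any of the mods named on this page. It contrasts the pattern the paragraph describes, a raw ObjectInputStream reading bytes that arrived from a network peer, with two defensive alternatives: a deserialization filter (JEP 290) that allows only the one packet class the protocol needs, and an explicit field-by-field encoding that does not use Java serialization at all. The class, packet and field names (PacketDecoding, ChunkRequest, x, z, packet id 1) are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class PacketDecoding {

    /** Hypothetical mod packet (not from any real mod) that legitimately crosses the wire. */
    public static final class ChunkRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int x;
        public final int z;
        public ChunkRequest(int x, int z) { this.x = x; this.z = z; }
    }

    /** VULNERABLE pattern: whatever object graph the peer sends is instantiated before we look at it. */
    public static Object decodeUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    /** HARDENED: a deserialization filter allows only the packet class and caps the graph size;
     *  the trailing "!*" rejects every other class before any of its code can run (Java 9+). */
    public static Object decodeFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "PacketDecoding$ChunkRequest;maxdepth=2;maxrefs=8;maxbytes=1024;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject(); // InvalidClassException if the filter rejects a class
        }
    }

    /** SAFEST: skip Java serialization for packets entirely and encode the fields explicitly. */
    public static byte[] encodeChunkRequest(ChunkRequest r) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeByte(1); // hypothetical packet id
        out.writeInt(r.x);
        out.writeInt(r.z);
        return bos.toByteArray();
    }

    public static ChunkRequest decodeChunkRequest(byte[] wire) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire));
        if (in.readByte() != 1) throw new IOException("unknown packet id");
        return new ChunkRequest(in.readInt(), in.readInt());
    }

    /** Helper used only to build constructed sample input for the demo below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new ChunkRequest(3, -7));
        // A HashMap stands in for "any class the protocol never needs"; it is harmless here,
        // the point is only that the unfiltered reader accepts it and the filtered one refuses it.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepts: " + decodeUnfiltered(unexpected).getClass().getName());
        ChunkRequest ok = (ChunkRequest) decodeFiltered(legit);
        System.out.println("filtered accepts packet: x=" + ok.x + " z=" + ok.z);
        try {
            decodeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects: " + e.getMessage());
        }
        ChunkRequest rt = decodeChunkRequest(encodeChunkRequest(new ChunkRequest(3, -7)));
        System.out.println("explicit encoding round-trips: x=" + rt.x + " z=" + rt.z);
    }
}
```

Run it with `java PacketDecoding.java` on Java 11 or later. Two caveats matter for the mods this article covers: Forge 1.7.10 and 1.12.2 run on Java 8, where the filter API exists from 8u121 onwards under the `sun.misc.ObjectInputFilter` name rather than `java.io`; and a per-stream filter protects only the streams you set it on, so on a server running third-party mods the JVM-wide `jdk.serialFilter` system property is the setting that also covers code you do not control. Replacing ObjectInputStream in the networking path altogether, as the explicit encoder does, removes the class of bug rather than fencing it.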

The origins of the threat date back to March 2022 when an ObjectInputStream vulnerability was reported on BDLib's GitHub. However, it remained dormant until July 9, 2023, when a live RCE security incident occurred on a server, resulting in a complete compromise of that server and potential exposure of clients' Discord credentials.

Three specific mods, BDLib, EnderCore, and LogisticsPipes, were identified as the source of the vulnerability. However, the issue received limited attention initially, leaving many users unaware of the potential danger.

Thankfully, some progress has been made to address the situation. On July 24, 2023, MineYourMind announced that they had fixed the bug and were collaborating with developers to release patches. Other GTNH forks on GitHub also received subsequent patches for the vulnerability.

Despite these efforts, the vulnerability remains a live issue for most servers using the affected mods and their original versions. The list of affected mods includes EnderCore, LogisticsPipes, BDLib versions 1.7-1.12, Smart Moving 1.12, Brazier, DankNull, and Gadomancy.

In a concerning twist, it has been reported that a threat actor scanned all IPv4 Minecraft servers to identify vulnerable ones and deployed a malicious payload on all affected targets. The exact contents of the exploit remain unclear, making detection challenging.

To mitigate the risks, both server administrators and players are urged to thoroughly check for suspicious files in servers, .minecraft directories, and mods folders, especially for those using modded launchers like Curseforge. Admins should consider updating or removing the mods affected by the vulnerability to safeguard their servers and players. Security experts also offer some security tips to safeguard young gamers from a world plagued with cyberattacks.
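To make the "check for suspicious files" advice concrete, here is an added triage helper, written for this page and not taken from the article or any launcher or mod project. It walks a mods folder, records the size, last-modified time and SHA-256 of every file, and flags three things a server admin or player would want to look at first: files that are not JARs, JARs whose names match the affected mods listed above, and files modified recently. The directory argument, the 30-day window and the demo files it creates when no directory is given are all constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import java.util.stream.Stream;

public class ModsInventory {
    // Normalised names of the mods the article lists as affected (lower-case, separators removed).
    static final List<String> AFFECTED = List.of(
            "endercore", "logisticspipes", "bdlib", "smartmoving", "brazier", "danknull", "gadomancy");

    /** One row of the inventory: relative path, size, mtime, digest and any triage flags. */
    public record Entry(String name, long size, Instant modified, String sha256, List<String> flags) {}

    static String sha256Hex(Path p) throws IOException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(p));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    /** Inventory every regular file under modsDir and attach triage flags. */
    public static List<Entry> scan(Path modsDir, Duration recentWindow) throws IOException {
        List<Entry> out = new ArrayList<>();
        Instant cutoff = Instant.now().minus(recentWindow);
        List<Path> files;
        try (Stream<Path> walk = Files.walk(modsDir)) {
            files = walk.filter(Files::isRegularFile).toList();
        }
        for (Path p : files) {
            String name = p.getFileName().toString();
            String key = name.toLowerCase(Locale.ROOT).replace("-", "").replace("_", "").replace(" ", "");
            List<String> flags = new ArrayList<>();
            if (!key.endsWith(".jar")) flags.add("non-JAR file in mods folder");
            for (String mod : AFFECTED) {
                if (key.contains(mod)) flags.add("name matches affected mod: " + mod + " (update or remove)");
            }
            Instant mtime = Files.getLastModifiedTime(p).toInstant();
            if (mtime.isAfter(cutoff)) flags.add("modified within the last " + recentWindow.toDays() + " days");
            out.add(new Entry(modsDir.relativize(p).toString(), Files.size(p), mtime, sha256Hex(p), flags));
        }
        out.sort(Comparator.comparing(Entry::name));
        return out;
    }

    public static void main(String[] args) throws IOException {
        Path dir;
        if (args.length > 0) {
            dir = Paths.get(args[0]); // e.g. the .minecraft/mods folder of a client or the server's mods folder
        } else {
            // No directory given: build a constructed demo folder so the program runs offline.
            dir = Files.createTempDirectory("mods-demo");
            Files.write(dir.resolve("LogisticsPipes-0.10.x.jar"), new byte[] {0x50, 0x4b}); // constructed stub
            Files.write(dir.resolve("SomeOtherMod-1.0.jar"), new byte[] {0x50, 0x4b});     // constructed stub
            Files.write(dir.resolve("update.exe"), new byte[] {0x4d, 0x5a});               // constructed stub
        }
        for (Entry e : scan(dir, Duration.ofDays(30))) {
            System.out.printf("%-40s %10d bytes  %s  %s%n", e.name(), e.size(), e.modified(), e.sha256());
            for (String f : e.flags()) System.out.println("    ! " + f);
        }
    }
}
```

Run it with `java ModsInventory.java /path/to/mods` (Java 16 or later, for records and `Stream.toList`). A name match is not evidence of compromise; it only says a mod from the affected list is present and should be updated to a patched build or removed, as the paragraph advises. The recorded SHA-256 values are what let you compare the installed JAR against the file the mod author or launcher actually published, which is the check that distinguishes a tampered JAR from a merely outdated one.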

This revelation comes amid another malware strain discovery named "Fractureiser", which hides within various Minecraft mods and can propagate itself to all JAR files on a system. This malware also carries out nefarious actions such as injecting cryptocurrency addresses, stealing browser cookies and user credentials, as well as exfiltrating credentials for Discord, Microsoft, and Minecraft. The situation is a reminder of the importance of staying vigilant and taking necessary precautions to protect the Minecraft community from potential threats.

As cyberattacks continue to target gamers, especially young gamers, expertise in keeping players safe becomes invaluable. Hide Expert VPN plays an important role in raising awareness of potential threats, building vigilance, and implementing effective countermeasures to keep the Minecraft community safe.