Microsoft discovers cross-platform DDoS botnet targeting private Minecraft servers
Microsoft security researchers have discovered a cross-platform botnet primarily used to launch distributed denial of service (DDoS) attacks against private Minecraft Java servers. The Microsoft Defender for IoT research team analyzed the botnet, which originates from malicious software downloads on Windows devices and then propagates to a variety of Linux-based devices.
In a blog post, the Microsoft Security Threat Intelligence team shared details on how this botnet affects multiple platforms, its DDoS capabilities, and recommendations to prevent devices from becoming part of a botnet.
The activity is tracked as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. The botnet's spreading mechanism makes it a unique threat: even after the malware is removed from the infected source PC, it can persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.
According to Microsoft researchers, the initial infection points related to the botnet were devices infected through the installation of malicious cracking tools that purport to acquire illegal Windows licenses. The researchers also found that the malware itself was hardcoded to target a specific version of Minecraft server, 1.12.2. However, all versions between 1.7.2 and 1.18.2 can be affected by this method of attack.
"To harden device networks against threats like MCCrash, organizations must implement the basics to secure identities and their devices, including access limitation," Microsoft wrote in the blog post, which also offers the following recommendations for organizations:
- Avoid downloading cracking tools, as these are abused as an infection source for spreading malware.
- Increase network security by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory (now part of Microsoft Entra) MFA.
- Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.
- For users hosting private Minecraft servers, update to version 1.19.1 and above.