Gradle Wrapper Attack On MinecraftOnline

On January 11th, 2023, MinecraftOnline, the oldest public server for Minecraft, reported two suspicious Gradle wrapper JARs in its repositories. A new contributor had committed these JARs to the project.

It is worth noting that MinecraftOnline had not had a single security incident in its 13 years of operation.

Background

MinecraftOnline is a long-standing multiplayer server for the popular game Minecraft.
The server is home to the oldest truly public map of any SMP server, known as Freedonia, which has been live on the shared server since the day SMP was released. It is known for its pure survival feel, with no moderator-given freebies or cheat commands available.
Everything on the server has been built by hand from legitimately harvested resources. The world has grown to over 30km in diameter and has been explored and built-in by over 50,000 unique players, making it a massive and well-established virtual community.

The server has been running since Notch introduced multiplayer as a feature of Minecraft.

Analysis

By gradle.org

This section is a summary, generated with ChatGPT, of Gradle's full report.

Our analysis began by confirming that the SHA256 checksums for both JARs did not match any of the known good Gradle Wrapper checksums. After decompiling the JARs, we discovered two exploits patched into the wrapper JARs. The first exploit attempted to steal Discord credentials by looking into specific files on the host computer. The second exploit tried downloading and running a malicious JAR on certain Gradle invocations.

The second exploit also rewrote any Gradle invocation that started with 'wrapper' to invoke 'cleanEclipse' instead, so that re-running the wrapper task (the normal way to regenerate gradle-wrapper.jar) would not replace the malicious JAR. This made it harder to remove.

Here are the modified files found in the infected wrapper JARs:

First infected wrapper

  • org/gradle/cli/SystemPropertiesCommandLineConverter.class
  • org/gradle/wrapper/Download.class
  • org/gradle/wrapper/PathAssembler.class

Second infected wrapper

  • org/gradle/cli/CommandLineParser.class
  • org/gradle/cli/SystemPropertiesCommandLineConverter.class
  • org/gradle/wrapper/Download.class
  • org/gradle/wrapper/PathAssembler.class

Lessons Learned

The recent attack on MinecraftOnline serves as a reminder that security is essential for every organization, including gaming communities. While the allure of the gaming world may lead some to overlook security best practices, the consequences of a breach can be severe. It is essential to be vigilant and take appropriate steps to protect against attacks, such as using strong passwords, keeping software up to date, and implementing security measures such as firewalls and intrusion detection systems. Gaming communities can help ensure a safe and enjoyable environment for all players by prioritizing security.

In particular, some key lessons can be learned from the MinecraftOnline breach:

Use SHA256 to verify the origin of JARs

SHA256 is a cryptographic hash function that produces a fixed-size output based on the input data. When a JAR is downloaded, its SHA256 checksum can be calculated and compared to a known good checksum for that file. If the two checksums match, it provides strong evidence that the JAR has not been tampered with and is the original file from the expected source. This helps ensure the integrity and authenticity of the JAR and reduces the risk of downloading and running malicious code.
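The check described above, as an added example (not part of the original post or of Gradle's tooling): it streams gradle-wrapper.jar through SHA256 and accepts the file only if its digest appears in a set of known-good checksums. Gradle publishes the real wrapper JAR checksums at https://gradle.org/release-checksums/; the trusted set used here is constructed from a sample JAR written to a temporary directory so the script runs offline, and the file layout (gradle/wrapper/gradle-wrapper.jar) and function names are the example's own assumptions.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA256 so a large JAR never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_wrapper_jar(path, trusted_checksums):
    """Return (ok, digest).

    ok is True only when the JAR's SHA256 is one of the trusted hex digests.
    An unknown digest is a failure, never "probably fine": a wrapper built
    from a modified class, as in the MinecraftOnline case, lands here.
    """
    digest = sha256_of_file(path)
    return digest in trusted_checksums, digest


def make_sample_jar(path, payload):
    """Write a minimal zip-format 'JAR' with one class entry (constructed sample)."""
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("org/gradle/wrapper/Download.class", payload)


def demo():
    """Verify a pristine sample wrapper and a tampered copy; return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        wrapper_dir = os.path.join(tmp, "gradle", "wrapper")
        os.makedirs(wrapper_dir)

        good = os.path.join(wrapper_dir, "gradle-wrapper.jar")
        make_sample_jar(good, b"original bytecode")
        # Stand-in for Gradle's published list: in practice, paste the hex
        # digests from https://gradle.org/release-checksums/ into this set.
        trusted = {sha256_of_file(good)}

        tampered = os.path.join(tmp, "gradle-wrapper-tampered.jar")
        make_sample_jar(tampered, b"original bytecode plus a patched method")

        ok_good, digest_good = verify_wrapper_jar(good, trusted)
        ok_bad, digest_bad = verify_wrapper_jar(tampered, trusted)
        return {
            "good_ok": ok_good,
            "tampered_ok": ok_bad,
            "digests_differ": digest_good != digest_bad,
        }


if __name__ == "__main__":
    result = demo()
    print(result)
    raise SystemExit(0 if result["good_ok"] and not result["tampered_ok"] else 1)
```

Run this as a pre-merge step on every change that touches gradle/wrapper/gradle-wrapper.jar, and fail the build on a mismatch rather than warning: the only JARs that should ever pass are the ones Gradle itself published. The same idea applies to the distribution the wrapper downloads, which can be pinned with the distributionSha256Sum key in gradle-wrapper.properties.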

Be cautious when granting access to new contributors

While new contributors can bring fresh ideas and energy to a project, it is essential to be careful when giving access. In the case of MinecraftOnline, the malicious Gradle wrapper JARs were uploaded by a new contributor to the project.
It is crucial to verify new contributors' identities and to review their changes carefully, binary files such as wrapper JARs included, before allowing them to make further contributions. Additionally, it is vital to ensure that new contributors have a legitimate reason to access the project's codebase and are not seeking access for malicious purposes. Taking these precautions can help reduce the risk of a breach and protect the project's integrity.

Keep software up to date

Outdated software can have known vulnerabilities that attackers can exploit. It is important to keep the software, including the operating system, web server, and plugins, up to date with the latest security patches.

Use two-factor authentication

Two-factor authentication can provide an extra layer of security by requiring users to provide two forms of authentication before granting access. For example, a user might be required to enter a code sent to their mobile device in addition to a password.

Conduct security audits

Regular security audits can help identify potential vulnerabilities and areas for improvement. By conducting audits, organizations can stay ahead of potential threats and take steps to prevent breaches.

By following these best practices, gaming communities can help ensure that their environments are secure and that their players can enjoy their games without worrying about the risk of a breach.