There seems to be no let up in the number of attacks targeting the ongoing Log4j vulnerability with the Log4Shell malware exploit. Earlier this week, Microsoft updated its page covering the threat to confirm attackers are folding the exploit into their wider arsenals. That includes mysteriously targeting Minecraft servers.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.

Recent reports also show Log4Shell attacks are now coming from known nation-backed threat actors.


Microsoft initially announced it was tracking an active exploit of a Log4j flaw in December and that it has the potential to infect millions of systems. Log4Shell is rated as a critical flaw within the open-source logging library. Because Log4j is common in cloud services, the potential for this exploit to be dangerous is high.

The company later said state-sponsored groups are actively using the exploit too. Versions 2.0 to 2.14.1 of the Log4j software have a vulnerability that allows attackers to engage in remote execution attacks. If successful, the hack leaves the threat actor with control of the device. Apache Software Foundation has set out version 2.15.0 to patch the flaw.

All remove code execution (RCE) vulnerabilities in the Apache Log4j software are labelled as Log4Shell, but there are three separate flaws: CVE-2021-44228, CVE-2021-45046, CVE-2021-44832.

Minecraft Servers

In its most recent update, Microsoft says attackers continue to target Minecraft servers. Microsoft Defender and third-party security tools have found attack cases coming from breached Minecraft servers. These are not official servers but rather ones that have been modified using the vulnerable versions of Log4j 2.

“In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients,” Microsoft says. “We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device.”

Of course, this particular attack won’t affect many enterprises because businesses don’t typically have Minecraft installed. Microsoft admits the reason for targeting Minecraft is unclear.

“These techniques are typically associated with enterprise compromises with the intent of lateral movement,” Microsoft points out.

Microsoft is telling Minecraft users who have their own mod servers to use the latest server update and for general users to only join trusted servers.

Tip of the day: Hard drives are getting faster and more affordable every day, but unfortunately, their moving parts will always make them loud and mean their power draw isn’t insignificant. This can be a particular issue for those with laptops, leading many to wonder how to turn off a hard disk after it reaches an idle state. In our tutorial we are showing you Windows 10: How to Turn off Hard Disk after Idle to Save Power .