2022-23 Gradle Backdoor Attack

From MinecraftOnline

In September 2022, MinecraftOnline was backdoored for the first time in over 10 years. IconPippi, who used the account Caesena to evade their ban, compromised the server's build tool, Gradle, so that it injected malicious code into a server plugin. This let them send commands to the server and view player information. The compromised build tool also included a Discord session stealer, meaning that developers who used the tool were at risk of having their Discord accounts taken over, though no such theft was reported.

The admins discovered the attack on 9 January 2023 and began investigating immediately.

History

IconPippi was previously banned on 26 March 2021 for stealing resources from staff using malware.

However, they evaded the ban as Caesena and joined the developer team. Using this access, they compromised Gradle, which the server uses to build its plugins. No one had successfully backdoored the server before. This attack, of a kind Gradle had not seen before, subverted MinecraftOnline's security practices.

When a developer built a plugin by hand to test it, the compromised Gradle produced a normal plugin; only when run automatically to build the plugins the server actually used did it inject two malicious programs. This is why manual checks did not catch it: the clean output of a manual build said nothing about what the automated build had produced. One of the injected programs could steal certain Discord sessions. The other let Icon execute commands on the server, ranging from spawning items to reading player emails, server logs and other data. Passwords should be safe, as they were salted and hashed, which means an attacker holding the database would still have to crack each one individually; weak passwords can nonetheless fall to such cracking. For that reason the admins advised players to change their passwords if they also used them on the wiki. The backdoor was written in July 2022 and added to the server in September.

On 9 January 2023, the admins discovered the attack and quickly banned Icon. Selimbits and r9q were also banned, on 21 and 28 January respectively, for receiving benefits from the backdoor. The admins checked the server's plugins and removed the backdoor. They also reported the attack to Europol and the Italian police so that they could investigate it.

To prevent similar attacks, the admins now automatically check their build processes. Because the backdoor only triggered in the automated build, such checks have to verify what that build actually produced rather than what a manual build produces. They also vet developers more thoroughly before granting access to the server's software.
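The following is an added example, not MinecraftOnline's own tooling, of the kind of automated check the paragraphs above call for. It does two things: pins the Gradle wrapper jar (the file a developer with repository access can swap out) to a known SHA-256, and compares the plugin jar produced by a clean manual build against the one produced by the automated pipeline, entry by entry, so that classes which exist only in the automated build's output, or whose bytes differ, are flagged. All jars, class bytes, file names and the pinned hash below are constructed for the example; the malicious entry names are hypothetical and do not come from the incident.

```python
"""Detect a build tool that emits different output under automated builds
than under a manual build. Added example; not the server's own code.
Sample jars are constructed in memory so the script runs offline."""
from __future__ import annotations

import hashlib
import hmac
import io
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_wrapper(wrapper_bytes: bytes, pinned_sha256: str) -> bool:
    """Check the wrapper jar against a hash recorded out of band
    (in practice, Gradle's published checksum for that version)."""
    return hmac.compare_digest(sha256_bytes(wrapper_bytes), pinned_sha256)


def jar_entry_hashes(jar_bytes: bytes) -> dict[str, str]:
    """Map every file inside a jar (a zip) to the SHA-256 of its bytes."""
    hashes: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = sha256_bytes(zf.read(info))
    return hashes


def diff_builds(clean_jar: bytes, automated_jar: bytes) -> dict[str, list[str]]:
    """Compare a trusted manual build with the automated build's artifact.
    'injected' entries exist only in the automated build, which is exactly
    the signature of a build tool that misbehaves only when run unattended."""
    clean = jar_entry_hashes(clean_jar)
    auto = jar_entry_hashes(automated_jar)
    return {
        "injected": sorted(set(auto) - set(clean)),
        "missing": sorted(set(clean) - set(auto)),
        "modified": sorted(n for n in clean.keys() & auto.keys() if clean[n] != auto[n]),
    }


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Helper to construct a sample jar in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for gradle-wrapper.jar and its pinned hash.
WRAPPER_JAR = build_jar({"org/gradle/wrapper/GradleWrapperMain.class": b"\xca\xfe\xba\xbe wrapper"})
PINNED_WRAPPER_SHA256 = sha256_bytes(WRAPPER_JAR)

# Constructed sample: what a developer's manual build produced ...
CLEAN_PLUGIN = build_jar({
    "plugin.yml": b"name: ExamplePlugin\nmain: com.example.ExamplePlugin\n",
    "com/example/ExamplePlugin.class": b"\xca\xfe\xba\xbe clean main class",
    "com/example/Listener.class": b"\xca\xfe\xba\xbe clean listener",
})
# ... and what the automated build produced from the same source: the same
# classes plus two extra ones, and a plugin.yml edited to load at startup.
# The extra class names are hypothetical.
AUTOMATED_PLUGIN = build_jar({
    "plugin.yml": b"name: ExamplePlugin\nmain: com.example.ExamplePlugin\nload: STARTUP\n",
    "com/example/ExamplePlugin.class": b"\xca\xfe\xba\xbe clean main class",
    "com/example/Listener.class": b"\xca\xfe\xba\xbe clean listener",
    "com/example/internal/Update.class": b"\xca\xfe\xba\xbe remote command runner",
    "com/example/internal/Token.class": b"\xca\xfe\xba\xbe discord session grabber",
})


if __name__ == "__main__":
    print("wrapper ok:", verify_wrapper(WRAPPER_JAR, PINNED_WRAPPER_SHA256))
    report = diff_builds(CLEAN_PLUGIN, AUTOMATED_PLUGIN)
    for kind, names in report.items():
        for name in names:
            print(f"{kind}: {name}")
```

For a real pipeline, the clean reference build should come from a machine the developers do not administer, with the Gradle distribution itself pinned via `distributionSha256Sum` in `gradle/wrapper/gradle-wrapper.properties`; the jar comparison is only as trustworthy as the build it is compared against.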

More info