The BleedingPipe Saga: Unveiling Minecraft’s Vulnerability Targeting Nintendo Devices and Beyond

Estimated read time 4 min read


When you think of Minecraft, the notions that come to mind are creativity, endless possibilities, and perhaps an escape from the real world into a blocky universe. With over 238 million copies sold and almost 140 million monthly active players, Minecraft has earned its reputation as the best-selling video game in history. But beneath the pixelated skies and cubic cows, there’s a darker narrative unfolding: a tale of security breaches and vulnerabilities that could potentially compromise millions of players around the globe.

This article dives deep into a new cybersecurity threat targeting Minecraft, specifically on Nintendo devices, and explores its broader implications.

Tethris Unveils a Bombshell: The BleedingPipe Vulnerability

Cybersecurity researchers from Tethris1 made waves in the community when they reported a Remote Code Execution (RCE) vulnerability in Minecraft. Dubbed as BleedingPipe, this security flaw has been actively exploited since its discovery at the end of July 2023. The vulnerability affects not just the core game but also extends its tentacles into popular mods, making it a pervasive threat.

According to Tethris, threat actors have been scanning the IPv4 address space to mass-exploit vulnerable Minecraft servers2. Subsequently, a likely malicious payload is deployed onto the compromised servers.

A Surge in Nintendo Device Fingerprinting

In September, Tethris’s honeypots recorded a spike in exploit attempts emanating from threat actors using Nintendo fingerprints on port TCP/25565. The highlight was a noticeable spike on the 3rd of October. This led to a hypothesis: threat actors could be impersonating Nintendo devices to locate other vulnerable devices with port TCP/25565 open.

While the exact goal remains unclear, the evidence suggests a possible plan to create a massive Nintendo Minecraft botnet. Tethris recorded only eight unique IP addresses targeting their worldwide honeypots in this specific manner, indicating a focused, rather than scattergun approach.

The IoC List: VirusTotal Community and Beyond

Of the eight IP addresses, some were known to the VirusTotal community while others weren’t. These IPs originated from a variety of ASNs (Autonomous System Numbers) and countries, hinting at a global scale of operations. Interestingly, two of these threat actors, already flagged by the VirusTotal community as malicious, were also attempting to reach out to hundreds of other ports in addition to port TCP/255653. This multifaceted approach indicates that these actors are not just content with exploiting one vulnerability but are on a quest to find multiple points of entry.

The Nintendo Connection: Ports and Protocols

For a Nintendo device to function correctly, several ports and protocols must be enabled. As per Nintendo’s consumer manuals, unrestricted access to various sites across multiple ports and protocols is necessary. The threat actors seem to be capitalizing on this, either to create a botnet or perhaps as a result of IP spoofing. This raises critical questions about the inherent security design of IoT devices like Nintendo consoles, especially when they are susceptible to such vulnerabilities.

Geographical Targeting: Europe Takes the Lead

Tethris’s honeypots in Europe were significantly more targeted in this exploit campaign compared to those in Asia, specifically Singapore and Japan. This geographical pattern could provide clues about the threat actors’ strategic focus and may indicate the need for heightened cybersecurity measures in these targeted regions.

Colombian Threat Actor in Focus

Among the various IP addresses, one originating from Colombia gained particular attention for targeting Tethris honeypots since August. This IP, which is flagged as malicious by the VirusTotal community, primarily focused on SSH bruteforce attempts. The targeted honeypots spanned multiple countries and recorded almost 400 hits between August 22nd and 29th. Most of the attempts remained with default login and password, indicating either a lack of sophistication or a strategy to target low-hanging fruits.

The Resurgence of Muieblackcat Scanner

In another interesting development, a Bulgarian IP address targeted an Indian honeypot using the Muieblackcat Scanner4 on TCP/80. This scanner has been known since at least 2015 and is used for vulnerability scanning on web servers. The fact that such an old tool is still being used serves as a sobering reminder that threat actors don’t always need new tools to exploit vulnerabilities; sometimes, the old ones work just fine.

  1. ↩︎
  2. ↩︎
  3. ↩︎
  4. ↩︎
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author

+ There are no comments

Add yours