
Emby Takes Action: Remote Shutdown of Hacked User-Hosted Media Servers

Emby, a popular media server platform, has disclosed a security incident in which it remotely shut down a number of user-hosted Emby Server instances that had been compromised. The attackers gained administrative access by combining a known vulnerability with an insecure admin-account configuration. The shutdown was a precautionary step by Emby to stop the compromised servers from doing further damage and to make sure their administrators noticed.

Details of the Attack:

The attacks on private Emby servers exposed to the Internet began in mid-May 2023. The targets were servers whose admin account had no password and was allowed to log in without one from the local network. Emby normally restricts such password-less logins to LAN clients, but the attackers exploited a defect known as the "proxy header vulnerability" (already fixed in Emby's beta channel at the time) to make requests arriving from outside the LAN look as though they came from the local network, so the password-less admin login was accepted for them as well.
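To make that class of defect concrete, here is an added illustration (not Emby's code; the page does not show Emby's actual check): a server that grants password-less admin login when it believes the client is on the LAN, first deciding that from a client-controlled proxy header, then from the socket peer, honouring the header only when the peer is a configured reverse proxy. The header name X-Forwarded-For, the private ranges and the trusted-proxy address 127.0.0.1 are assumptions for the example.

```python
"""Illustration of the proxy-header trust defect class; added example, not Emby's code."""
import ipaddress

# Ranges treated as "the local network" (assumption for the example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip):
    """True if ip parses and falls inside one of LOCAL_NETS; unparseable input is never local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def is_local_vulnerable(remote_addr, headers):
    """Vulnerable pattern: trust X-Forwarded-For from anyone.

    Any Internet client can add 'X-Forwarded-For: 192.168.1.20' to its request
    and be treated as a LAN client, which unlocks the password-less admin login.
    """
    forwarded = headers.get("X-Forwarded-For", "")
    client = forwarded.split(",")[0].strip() if forwarded else remote_addr
    return is_private(client)


def is_local_hardened(remote_addr, headers, trusted_proxies=frozenset()):
    """Hardened pattern: the socket peer decides who may speak for the client.

    The header is consulted only when the TCP peer is a configured reverse
    proxy, and then the rightmost entry (the one that proxy appended) is used,
    never the leftmost entry the client itself may have written.
    """
    if remote_addr in trusted_proxies:
        forwarded = headers.get("X-Forwarded-For", "")
        if not forwarded:
            return False            # a proxy that tells us nothing gets no LAN privileges
        return is_private(forwarded.split(",")[-1].strip())
    return is_private(remote_addr)  # direct connection: ignore any forwarded header


def demo():
    """An Internet client (203.0.113.7) spoofing a LAN address, against both checks."""
    spoofed = {"X-Forwarded-For": "192.168.1.20"}
    return {
        "vulnerable": is_local_vulnerable("203.0.113.7", spoofed),
        "hardened": is_local_hardened("203.0.113.7", spoofed, frozenset({"127.0.0.1"})),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable': True, 'hardened': False}
```

The hardened version still depends on the reverse proxy overwriting or appending to the header rather than passing the client's own value through untouched; if the proxy merely forwards whatever it received, the rightmost entry is still attacker-controlled. The simplest fix of all is to require a password on every admin account: the LAN exemption only matters when nothing else protects the login.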


Compromised Instances and Malicious Plugin:

Once inside, the attackers installed a malicious plugin that acted as a backdoor and harvested the credentials of every user who subsequently logged in to the compromised server. Emby's team built an update that detects the plugin and prevents it from loading; the same update shuts the server down so that the administrator is forced to take notice and clean up rather than carrying on with a backdoored instance.


Mitigation Steps for Admins:

Emby has published guidance for affected administrators. Delete the malicious helper.dll or EmbyHelper.dll from the plugins folder, and erase the cache and data subfolders beneath it. Edit the hosts file as Emby directs so the malware can no longer reach its server. Then treat the machine as compromised: look for unknown user accounts, unfamiliar processes, unexpected network connections and open ports, and review the SSH configuration and firewall rules. Change every password, the host's own accounts as well as Emby users, since the plugin was collecting credentials, and change any of those passwords that were reused elsewhere.
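As an added helper for the cleanup steps above (not Emby's tooling; Emby's instructions are the ones in the paragraph), the script below finds the two plugin file names the advisory gives, records their SHA-256 hashes and moves them together with the cache and data subfolders into a quarantine directory instead of deleting them outright, so the samples survive for the incident write-up, and it dumps the list of listening sockets so unexpected open ports stand out. The plugins path must be supplied by the operator (it differs per platform), the quarantine location and the sample layout used for trying it offline are constructed for the example, and the hosts-file entry Emby specifies is not reproduced here because the page does not give it.

```python
"""Added triage helper for a compromised Emby Server; not Emby's own tooling."""
import hashlib
import shutil
import subprocess
import sys
from pathlib import Path

MALICIOUS_PLUGIN_NAMES = ("helper.dll", "EmbyHelper.dll")  # file names given in Emby's guidance
SUSPECT_SUBFOLDERS = ("cache", "data")                      # plugins subfolders Emby says to erase


def sha256_of(path):
    """Hash a file in chunks so a large DLL does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_indicators(plugins_dir):
    """Return (dll_paths, subfolder_paths) present under plugins_dir.

    Names are compared case-insensitively because the host may be Windows,
    and the whole tree is searched in case a copy was dropped in a subfolder.
    """
    plugins_dir = Path(plugins_dir)
    wanted = {name.lower() for name in MALICIOUS_PLUGIN_NAMES}
    dlls = sorted(p for p in plugins_dir.rglob("*") if p.is_file() and p.name.lower() in wanted)
    subs = [plugins_dir / name for name in SUSPECT_SUBFOLDERS if (plugins_dir / name).is_dir()]
    return dlls, subs


def quarantine(plugins_dir, quarantine_dir):
    """Hash each indicator file, then move the files and suspect subfolders into quarantine_dir.

    Returns a list of {"path", "sha256"} records for the incident notes. Moving rather
    than deleting keeps the samples for analysis; remove the quarantine folder afterwards.
    """
    plugins_dir, quarantine_dir = Path(plugins_dir), Path(quarantine_dir)
    dlls, subs = find_indicators(plugins_dir)
    records = [{"path": str(p), "sha256": sha256_of(p)} for p in dlls]
    for item in subs + dlls:
        if not item.exists():
            continue  # already carried away inside a quarantined subfolder
        dest = quarantine_dir / item.relative_to(plugins_dir)  # keep the original layout
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(item), str(dest))
    return records


def listening_sockets():
    """Raw listing of listening sockets (ss on Linux, netstat elsewhere), or None if neither exists.

    Compare it against the ports Emby is expected to expose; anything else needs explaining.
    """
    for cmd in (["ss", "-tlnp"], ["netstat", "-tlnp"], ["netstat", "-an"]):
        if shutil.which(cmd[0]):
            return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return None


def make_sample_plugins_dir(root):
    """Constructed sample layout for trying the script offline: one bogus EmbyHelper.dll
    (not a real plugin), the two suspect subfolders and a legitimate-looking DLL."""
    plugins = Path(root) / "plugins"
    (plugins / "cache").mkdir(parents=True)
    (plugins / "data").mkdir()
    (plugins / "cache" / "blob.bin").write_bytes(b"constructed cache content")
    (plugins / "EmbyHelper.dll").write_bytes(b"MZ constructed sample, not a real plugin")
    (plugins / "Legit.dll").write_bytes(b"MZ constructed legitimate plugin")
    return plugins


if __name__ == "__main__":
    plugins = Path(sys.argv[1])  # the plugins folder inside the Emby data directory
    for rec in quarantine(plugins, plugins.parent / "emby-quarantine"):
        print(f"quarantined {rec['path']} sha256={rec['sha256']}")
    print(listening_sockets() or "no ss/netstat available; list listening ports by hand")
```

Run it as `python emby_triage.py /path/to/emby/plugins` on the stopped server, keep the printed hashes with the incident notes, then carry on with the account, process and firewall review the advisory calls for; the script only handles the file-system part of the cleanup.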


Emby's Response and Future Security Updates:

Emby's immediate step was to shut down the infected servers to protect users and prevent further harm. A security release, Emby Server 4.7.12, is to follow as soon as feasible to fix the vulnerability exploited in the attack. The total number of affected servers has not been published, but Emby developer softworkz hinted at having taken down a botnet of 1,200 compromised Emby servers in under a minute and promised to publish the full story later.


The compromise of user-hosted media servers is a reminder that anything exposed to the Internet needs ongoing attention: an admin account with no password is only as safe as the check that keeps remote clients out of the LAN-only login path, and here that check failed. Emby's response shows a commitment to user safety and to fixing vulnerabilities quickly. Users should follow Emby's mitigation advice and watch for the forthcoming security update.



This blog was written by the Activated Solutions team. If you are a business owner or an individual concerned about your cybersecurity, it's time to take action. Activated Solutions can help you to protect your business and personal data from potential cyber threats.


Contact Activated Solutions today to learn more about how they can help you protect your business. With our expertise and commitment to cybersecurity, you can have peace of mind knowing that you are taking proactive steps to protect yourself and your business from potential data breaches.


For more information, please visit: activatedsolutions.ca.


Sources

Gatlan, Sergiu. “Emby shuts down user media servers hacked in recent attack.” Bleeping Computer, 26 May 2023, https://www.bleepingcomputer.com/news/security/emby-shuts-down-user-media-servers-hacked-in-recent-attack/. Accessed 6 June 2023.
