Emby says it remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and an insecure admin account configuration.
“We have detected a malicious plugin on your system which has probably been installed without your knowledge. [..] For your safety we have shutdown your Emby Server as a precautionary measure,” the company informed users of affected servers in new entries added to the log files.
The attacks began in mid-May 2023 when the attackers started targeting Internet-exposed private Emby servers and infiltrating those configured to allow admin logins without a password on the local network.
To trick the servers into granting them access and gain admin access to the vulnerable servers even though they were logging in from outside the LAN, the threat actors exploited a flaw described by Emby as a “proxy header vulnerability,” known since at least February 2020 and recently patched in the beta channel.
The hackers used their access to backdoor the compromised Emby instances by installing a malicious plugin that harvests the credentials of all users signing into the hacked servers.
“After careful analysis and evaluation of possible strategies for mitigation, the Emby team was able to push out an update to Emby Server instances which is able to detect the plugin in question and prevents it from being loaded,” Emby said.
“Due to the severity and the nature of this situation and in an abundance of caution we are preventing affected servers to start up again after the detection.”
As Emby further explained, shutting down the affected servers was a precautionary measure aiming to disable the malicious plugin, as well as to mitigate the immediate escalation of the situation and draw the admins’ attention to address the issue directly.
Admins warned to check for additional suspicious activity
Emby admins are advised to immediately delete the malicious helper.dll or EmbuHelper.dll files from the plugins folder in the Emby Server Data Folder and from the cache and data subfolders before starting their servers again.
They should also block the malware’s access to the attackers’ server by adding a new “emmm.spxaebjhxtmddsri.xyz 127.0.0.1” line in their hosts file.
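The two clean-up steps above can be verified before the server is restarted. The script below is an added example, not Emby's own tooling: it searches the data folder's plugins, cache and data subfolders for the two file names given in the advisory and checks that the hosts file carries an active sinkhole entry. It assumes the caller supplies the data-folder path (the `EMBY_DATA_DIR` variable is hypothetical) and, optionally, the hosts-file path; note that hosts files list the address before the name, so the entry must read `127.0.0.1 emmm.spxaebjhxtmddsri.xyz` to take effect.

```shell
#!/bin/sh
# Added example, not Emby's own tooling: confirm the plugin files named in the
# advisory are gone from an Emby Server data folder and that the hosts-file
# sinkhole is in place. Assumes the advisory's subfolder names (plugins, cache,
# data); the data-folder and hosts-file paths are supplied by the caller.

# List every helper.dll / EmbuHelper.dll below the three subfolders (case-insensitive).
find_emby_plugin_files() {
    data_dir="$1"
    for sub in plugins cache data; do
        [ -d "$data_dir/$sub" ] || continue
        find "$data_dir/$sub" -type f \( -iname 'helper.dll' -o -iname 'EmbuHelper.dll' \)
    done
}

# Number of matching files, as a bare integer.
count_emby_plugin_files() {
    find_emby_plugin_files "$1" | wc -l | tr -d ' '
}

# Returns 0 only if the hosts file has an active (uncommented) line mapping the
# malware's domain to 127.0.0.1. Hosts files list the address first, so a line
# written as "emmm.spxaebjhxtmddsri.xyz 127.0.0.1" would not be honoured.
hosts_sinkhole_present() {
    grep -Eqs '^[[:space:]]*127\.0\.0\.1[[:space:]]+([^#]*[[:space:]])?emmm\.spxaebjhxtmddsri\.xyz([[:space:]]|$)' "$1"
}

# Human-readable summary of both checks.
emby_remediation_report() {
    n=$(count_emby_plugin_files "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no helper.dll / EmbuHelper.dll under plugins, cache or data"
    else
        echo "ALERT: $n plugin file(s) still present; remove them before restarting Emby:"
        find_emby_plugin_files "$1"
    fi
    if hosts_sinkhole_present "$2"; then
        echo "OK: $2 sinkholes emmm.spxaebjhxtmddsri.xyz to 127.0.0.1"
    else
        echo "WARN: no active 127.0.0.1 entry for emmm.spxaebjhxtmddsri.xyz in $2"
    fi
}

# Usage (hypothetical variable names): EMBY_DATA_DIR=/path/to/emby-data sh emby_check.sh
if [ -n "${EMBY_DATA_DIR:-}" ]; then
    emby_remediation_report "$EMBY_DATA_DIR" "${HOSTS_FILE:-/etc/hosts}"
fi
```

A clean run prints two OK lines; any ALERT or WARN means the server should stay down until the listed files are removed or the hosts entry is corrected.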
Compromised servers should also be reviewed for any recent changes, including:
- Suspicious user accounts
- Unknown processes
- Unknown network connections and open ports
- SSH configuration
- Firewall rules
- Change all passwords
Emby plans to release an Emby Server 4.7.12 security update as soon as possible to address the issue.
While Emby didn’t reveal how many servers were impacted in the attack, Emby developer softworkz added a new community post yesterday titled “How we took down a BotNet of 1200 hacked Emby Servers within 60 seconds.”
However, the post only asks users to “watch out for the full story coming shortly.”