Image: Bing Image Creator
Emby says it has remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and insecure administrator account setup.
“If your server has stopped and won’t restart, your server may have been affected by this,” the company warns users on its community website.
The attacks began in mid-May 2023 when attackers began targeting private Emby servers exposed to the internet and infiltrating those configured to allow passwordless administrator logins on the local network.
To trick servers into granting them access and obtain administrator privileges on vulnerable servers even when connecting from outside the local network, the threat actors exploited a flaw Emby describes as a “proxy header vulnerability”, known since at least February 2020 and recently patched in the beta channel.
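The following is an added example, not Emby’s code, that models the general mistake behind a “proxy header vulnerability” of the kind described above. A server that waives the admin password for clients on the local network has to decide what “local” means; if it derives the client address from a forwarded-for header that any client can send, the local-network check is satisfied from anywhere. The address ranges, header name and the `trusted_proxies` parameter are assumptions for illustration; the hardened variant only honors the header when the TCP peer is a configured reverse proxy, and then uses the hop that proxy appended rather than the client-supplied first value.

```python
import ipaddress

# Added example, not Emby's code: contrasts a naive "is this request local?"
# check that trusts X-Forwarded-For from anyone with one that trusts it only
# from a configured reverse proxy. Ranges and header name are assumptions.

LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_local_address(addr: str) -> bool:
    """True if addr parses as an IP inside one of the loopback/private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in a header never counts as local
    return any(ip in net for net in LOCAL_NETWORKS)


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Weak pattern: believes X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()  # first hop is fully client-controlled
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: dict, trusted_proxies) -> str:
    """Honor X-Forwarded-For only when the TCP peer is a configured reverse
    proxy, and then take the right-most hop (the one that proxy appended),
    not the left-most one, which the original client may have written itself."""
    if remote_addr not in set(trusted_proxies):
        return remote_addr
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote_addr
    return xff.split(",")[-1].strip()


def passwordless_admin_allowed(remote_addr, headers, trusted_proxies=(), hardened=True):
    """The decision a 'no password on the local network' setup makes:
    skip the admin password when the request looks local."""
    ip = (client_ip_hardened(remote_addr, headers, trusted_proxies)
          if hardened else client_ip_naive(remote_addr, headers))
    return is_local_address(ip)


if __name__ == "__main__":
    # Constructed request: public-internet peer carrying a private-range header.
    hdr = {"X-Forwarded-For": "192.168.1.10"}
    print("naive   :", passwordless_admin_allowed("203.0.113.5", hdr, hardened=False))  # True
    print("hardened:", passwordless_admin_allowed("203.0.113.5", hdr))                  # False
```

The difference between the two decisions for the same request is the whole vulnerability class: the naive check lets a header override the network layer, while the hardened one ties trust in that header to a known proxy address and still ends up with the external client address.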
Hackers used their access to hijack compromised Emby instances by installing a malicious plugin that harvests the credentials of all users connecting to hacked servers.
“After careful analysis and evaluation of possible mitigation strategies, the Emby team was able to release an update to Emby Server instances that is able to detect the plugin in question and prevent it from loading,” Emby said.
“Due to the severity and nature of this situation and out of an abundance of caution, we are preventing the affected servers from restarting after detection.”
As Emby explained in more detail, shutting down the affected servers was a precautionary measure to disable the malicious plugin, to keep the situation from escalating further, and to draw administrators’ attention so that they deal with the problem directly.
Administrators are warned to check for any additional suspicious activity
Emby administrators are advised to immediately remove the malicious helper.dll or EmbyHelper.dll files from the plugins folder in the Emby server data folder, and from its cache and data subfolders, before restarting their servers.
They should also block the malware’s access to the attackers’ server by adding the line “127.0.0.1 emmm.spxaebjhxtmddsri.xyz” to their hosts file.
Compromised servers should also be examined for any recent changes, including:
- Suspicious user accounts
- Unknown processes
- Unknown network connections and open ports
- SSH settings
- Firewall rules
All passwords should also be changed.
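As an added example (not Emby’s code or a tool the project ships), the script below implements the two file-level steps from the advisory text: locating the named plugin DLLs under the server data folder and sinkholing the malware’s hostname in the hosts file. The DLL names and the hostname are those quoted in the article; the data-folder layout (plugins/, cache/, data/ subfolders), the default data path and the hosts-file path are assumptions to adjust for a given install. The hosts parser also shows why the entry must read `IP hostname`: a line written the other way round is not a valid mapping and is not counted as present.

```python
from pathlib import Path

# Added example, not Emby's code. Names and hostname are the ones quoted in
# the article; the subfolder layout and default paths are assumptions.

SUSPECT_PLUGIN_NAMES = {"helper.dll", "embyhelper.dll"}  # compared case-insensitively
MALWARE_HOST = "emmm.spxaebjhxtmddsri.xyz"
SINKHOLE_IP = "127.0.0.1"
SEARCH_SUBFOLDERS = ("plugins", "cache", "data")  # assumed layout under the data folder


def classify_paths(paths, names=SUSPECT_PLUGIN_NAMES):
    """Pure helper: return the path strings whose file name is a suspect plugin name."""
    return sorted(p for p in paths if Path(p).name.lower() in names)


def find_suspect_plugins(data_dir):
    """Walk plugins/, cache/ and data/ under the server data folder; return suspect files."""
    root = Path(data_dir)
    candidates = []
    for sub in SEARCH_SUBFOLDERS:
        folder = root / sub
        if folder.is_dir():
            candidates.extend(str(p) for p in folder.rglob("*") if p.is_file())
    return classify_paths(candidates)


def hosts_has_entry(hosts_text, hostname=MALWARE_HOST, ip=SINKHOLE_IP):
    """True if some non-comment hosts line maps hostname to ip.

    The hosts format is 'IP hostname [alias ...]'. A line with the hostname
    first is not a valid mapping, so it is deliberately not counted."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == ip and hostname.lower() in (h.lower() for h in fields[1:]):
            return True
    return False


def ensure_hosts_entry(hosts_text, hostname=MALWARE_HOST, ip=SINKHOLE_IP):
    """Return hosts_text with the sinkhole line appended if it is not already present."""
    if hosts_has_entry(hosts_text, hostname, ip):
        return hosts_text
    sep = "" if (not hosts_text or hosts_text.endswith("\n")) else "\n"
    return f"{hosts_text}{sep}{ip} {hostname}\n"


if __name__ == "__main__":
    import sys
    # Assumed default data folder; pass the real one as the first argument.
    data_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/emby"
    for hit in find_suspect_plugins(data_dir):
        print("suspect plugin file:", hit)
    # Assumed hosts path; on Windows it is C:\Windows\System32\drivers\etc\hosts.
    hosts_path = Path("/etc/hosts")
    if hosts_path.exists():
        text = hosts_path.read_text()
        print("sinkhole entry present:", hosts_has_entry(text))
        if not hosts_has_entry(text):
            print("add this line:", ensure_hosts_entry("").strip())
```

The script only reports; deleting the DLLs and writing the hosts file are left to the administrator (and need elevated rights), which keeps the check safe to run repeatedly while the server is stopped. The remaining items on the list (accounts, processes, connections, SSH and firewall settings) are host-level review steps that this file check does not cover.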
Emby plans to release an Emby Server 4.7.12 security update as soon as possible to resolve the issue.
Although Emby did not reveal the number of servers affected by the attack, Emby developer softworkz published a new community post yesterday titled “How we took down a BotNet of hacked 1200 Emby servers in 60 seconds.”
However, the post only asks users to “pay attention to the full story coming shortly.”