  • Attackers hacked into 1200 Emby servers and installed a malicious plugin that steals credentials

    The company approached the attack responsibly, shutting down the compromised servers and sending out a detailed list of recommendations to customers.

    Media server software company Emby has announced that it has remotely shut down an undisclosed number of its users' servers that were compromised through a known vulnerability and an insecure administrative account configuration.

    “We have detected a malicious plugin on your system that was probably installed without your knowledge. For security reasons, we have disabled your Emby server,” the company says in a message added to the log files of the affected servers.

    Although the company did not name the exact number of affected servers, one of its developers published a post in the Emby community entitled "How we destroyed a botnet of 1200 hacked Emby servers in 60 seconds", which gives a clear indication of the scale of the incident.

    The attacks began in the middle of this month, when attackers started targeting privately hosted Emby servers that were reachable from the Internet and infiltrating those that allowed passwordless administrator access from the local network.

    To reach vulnerable servers from an outside network, the attackers exploited a "proxy header vulnerability": it tricked the server into treating the cybercriminals' connection as if it came from the local network, which allowed them to log in without a password. The vulnerability has been known since February 2020 and was recently patched in the beta channel of the Emby software.
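    The following is an added illustration, not Emby's code, of the class of bug described above: a server that decides "this client is on the local network" from a client-supplied proxy header, next to the check that only honours that header when the connection really comes from a configured reverse proxy. The header name (X-Forwarded-For), the private ranges and the proxy address are assumptions for the example.

```python
# Added example (not Emby's code): a forwarded-header trust bug versus the
# safer check. Header name, network ranges and proxy address are assumptions.
import ipaddress

# Ranges treated as "local network" for the passwordless-admin setting (assumed).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

# Only these TCP peers are allowed to tell us the real client address (assumed).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def is_local(addr):
    """True if addr falls inside one of the configured local networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)


def client_ip_vulnerable(peer_addr, headers):
    """Flawed: believes X-Forwarded-For from any peer, so a remote client
    can present itself as a LAN address simply by sending the header."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip_hardened(peer_addr, headers):
    """Safer: the forwarded header is used only when the TCP peer is one of
    the known proxies; everyone else is judged by the address they came from."""
    xff = headers.get("X-Forwarded-For")
    if xff and ipaddress.ip_address(peer_addr) in TRUSTED_PROXIES:
        return xff.split(",")[0].strip()
    return peer_addr


def passwordless_admin_allowed(peer_addr, headers, resolver):
    """Models the 'no password needed from the local network' setting, using
    the supplied resolver to decide which address the client really has."""
    return is_local(resolver(peer_addr, headers))


if __name__ == "__main__":
    # Constructed request: a remote peer claiming a LAN address via the header.
    remote_peer, hdrs = "203.0.113.7", {"X-Forwarded-For": "192.168.1.20"}
    print("vulnerable check lets it in:",
          passwordless_admin_allowed(remote_peer, hdrs, client_ip_vulnerable))
    print("hardened check lets it in:",
          passwordless_admin_allowed(remote_peer, hdrs, client_ip_hardened))
```

    The defensive takeaway matches the advisory: a server should not infer "local" from anything the client can write, and passwordless local administration is only as strong as that inference.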

    Using the vulnerability, attackers managed to install malicious plugins on hacked servers. These plugins were designed to collect the credentials of any users connecting to compromised servers.

    “After careful analysis and evaluation of possible mitigation strategies, the Emby team was able to release an update to the Emby servers that is able to detect the malicious plugin and prevent it from being loaded,” says Emby.

    As Emby explained, shutting down the affected servers was a precautionary measure to disable the malicious plugin and to bring the situation to the attention of administrators.

    The company recommends that Emby administrators immediately remove the malicious "helper.dll" or "EmbyHelper.dll" files from the "plugins" folder and from the "cache" and "data" subfolders before restarting their servers. In addition, administrators must also block network access to the attacker's server by adding a new line "emmm.spxaebjhxtmddsri.xyz 127.0.0.1" to the "hosts" file.

    Infected servers should also be checked for recent changes, including:

    suspicious user accounts;
    unknown processes;
    unknown network connections and open ports;
    changed SSH configuration;
    changed firewall rules.

    The company also strongly recommends changing all passwords that were used on the server, as well as installing the Emby Server 4.7.12 update as soon as it becomes available.
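    As an added example of how an administrator could verify those remediation steps (this is not Emby's tooling or anything from the article), the script below scans an Emby data directory for the plugin file names the advisory gives, checks that the hosts file actually blocks the attacker's domain, looks for the shutdown notice Emby wrote to the log, and quarantines any flagged files rather than deleting them so they remain available for analysis. The directory layout, the default paths in the `__main__` block and the log file name are assumptions; note that the hosts file syntax places the address before the name, so the entry is written as `127.0.0.1 emmm.spxaebjhxtmddsri.xyz`.

```python
# Added example (not Emby's code): audit an Emby data directory against the
# remediation steps in the advisory. Paths and layout are assumptions.
import os
import re
import shutil

MALICIOUS_NAMES = {"helper.dll", "embyhelper.dll"}   # names from the advisory, compared case-insensitively
C2_DOMAIN = "emmm.spxaebjhxtmddsri.xyz"              # attacker domain from the advisory
SCAN_SUBDIRS = ("plugins", "cache", "data")          # walked recursively, so plugins/cache and plugins/data are covered too
SHUTDOWN_NOTICE = "We have detected a malicious plugin"  # message Emby added to affected servers' logs


def find_malicious_plugins(root):
    """Return sorted paths of files under root/<subdir> whose name matches the advisory."""
    hits = []
    for sub in SCAN_SUBDIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):  # missing dirs yield nothing
            hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in MALICIOUS_NAMES)
    return sorted(hits)


def hosts_blocks_domain(hosts_path):
    """True if an uncommented hosts line maps the C2 domain to a loopback/null address.
    hosts syntax is '<address> <name> ...', so the address must come first."""
    pattern = re.compile(
        r"^\s*(127\.0\.0\.1|0\.0\.0\.0|::1)\s+(?:\S+\s+)*" + re.escape(C2_DOMAIN) + r"(?:\s|$)")
    try:
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            return any(pattern.match(line.split("#", 1)[0]) for line in fh)
    except FileNotFoundError:
        return False


def log_has_shutdown_notice(log_path):
    """True if the server log contains Emby's protective shutdown message."""
    try:
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            return any(SHUTDOWN_NOTICE in line for line in fh)
    except FileNotFoundError:
        return False


def quarantine_plugins(root, quarantine_dir):
    """Move flagged files into quarantine_dir, preserving their relative paths
    (kept for forensics instead of deleted). Returns the new locations."""
    moved = []
    for path in find_malicious_plugins(root):
        dest = os.path.join(quarantine_dir, os.path.relpath(path, root))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
        moved.append(dest)
    return moved


def audit(root, hosts_path, log_path):
    """Collect the three checks into one report dict."""
    return {
        "shutdown_notice": log_has_shutdown_notice(log_path),
        "malicious_files": find_malicious_plugins(root),
        "c2_blocked": hosts_blocks_domain(hosts_path),
    }


def is_clean(report):
    """Clean means no flagged plugin files remain and the C2 domain is blocked."""
    return not report["malicious_files"] and report["c2_blocked"]


if __name__ == "__main__":
    import sys
    # Assumed Linux defaults; override on the command line: root hosts log
    args = sys.argv[1:4] or ["/var/lib/emby", "/etc/hosts", "/var/lib/emby/logs/embyserver.txt"]
    report = audit(*args)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["c2_blocked"]:
        print(f"add to hosts file: 127.0.0.1 {C2_DOMAIN}")
    print("clean" if is_clean(report) else "ACTION REQUIRED")
```

    The script deliberately does not restart the server or change passwords: those steps, and the review of accounts, processes, connections, SSH configuration and firewall rules, still need a human, since a fresh account or an extra firewall rule is not something a file scan can judge.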

    Author DeepWeb