  • Attackers hacked into 1200 Emby servers and installed a malicious plugin that steals credentials

    The company approached the attack responsibly, shutting down the compromised servers and sending out a detailed list of recommendations to customers.

    Media server software company Emby has announced that it has remotely shut down an undisclosed number of its users' servers that were compromised through a known vulnerability and an insecure administrative account configuration.

    “We have detected a malicious plugin on your system that was probably installed without your knowledge. For security reasons, we have disabled your Emby server,” the company says in a message added to the log files of the affected servers.

    Although the company did not name the exact number of affected servers, one of the company's developers published a post in the Emby community entitled "How we destroyed a botnet of 1200 hacked Emby servers in 60 seconds", which allows us to draw a clear conclusion about the scale of the incident.

    The attacks began in the middle of this month, when attackers started targeting privately hosted Emby servers that are reachable from the Internet and breaking into those that allowed passwordless administrator access from the local network.

    To reach vulnerable servers from outside the network, the attackers exploited a "proxy header vulnerability" that tricked the server into treating their connections as if they came from the local network, which allowed them to log in without a password. The vulnerability has been known since February 2020 and was only recently patched in the beta channel of the Emby software.
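    As an added illustration, not Emby's code and not from the article, the check below shows the class of mistake described above: a server that believes a client-supplied forwarded-address header when deciding whether a connection is "local", beside a hardened version that honours the header only when the connection actually arrives from a configured reverse proxy. The article does not name the header involved, so X-Forwarded-For is assumed here, and the address ranges and proxy list are constructed sample values.

```python
import ipaddress

# Assumption, not from the article: the header the attackers abused is taken
# here to be X-Forwarded-For; the article does not name it.
FORWARDED_HEADER = "X-Forwarded-For"

# Address ranges the server treats as "local network" (RFC 1918 plus loopback).
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_local_address(ip_str):
    """True if ip_str parses as an IP address and lies in one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def client_is_local_vulnerable(remote_addr, headers):
    """Flawed check: believes the forwarded header from *any* peer.

    A connection from the Internet that carries its own
    X-Forwarded-For: 192.168.1.20 is classified as local, so a
    "no password on the LAN" administrator policy then applies to it.
    """
    forwarded = headers.get(FORWARDED_HEADER)
    client = forwarded.split(",")[0].strip() if forwarded else remote_addr
    return is_local_address(client)


def client_is_local_hardened(remote_addr, headers, trusted_proxies):
    """Hardened check: the forwarded header counts only when the TCP peer is a
    proxy we configured; otherwise the peer address itself decides."""
    if remote_addr not in trusted_proxies:
        # Direct connection: the header is under the sender's control, ignore it.
        return is_local_address(remote_addr)
    forwarded = headers.get(FORWARDED_HEADER)
    if not forwarded:
        # A trusted proxy that forwarded no client address: do not guess.
        return False
    # The right-most entry is the one our own proxy appended, i.e. the address
    # the proxy actually saw; anything to its left was supplied by the sender.
    client = forwarded.split(",")[-1].strip()
    return is_local_address(client)


if __name__ == "__main__":
    spoofed = {FORWARDED_HEADER: "192.168.1.20"}   # constructed sample request
    proxies = {"10.0.0.2"}                          # constructed sample proxy list
    print("vulnerable, direct from 203.0.113.5:",
          client_is_local_vulnerable("203.0.113.5", spoofed))
    print("hardened,   direct from 203.0.113.5:",
          client_is_local_hardened("203.0.113.5", spoofed, proxies))
```

    The difference is where the decision is taken: the hardened version only ever derives the client address from a header when the bytes came from a host the administrator listed as a proxy, so a direct Internet connection is judged by its real peer address no matter what headers it sends.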

    Using the vulnerability, attackers managed to install malicious plugins on hacked servers. These plugins were designed to collect the credentials of any users connecting to compromised servers.

    “After careful analysis and evaluation of possible mitigation strategies, the Emby team was able to release an update to the Emby servers that is able to detect the malicious plugin and prevent it from being loaded,” says Emby.

    As Emby explained, stopping the affected servers was a precautionary measure to disable the malicious plugin and to bring the situation to administrators' attention.

    The company recommends that Emby administrators immediately delete the malicious "helper.dll" or "EmbuHelper.dll" files from the "plugins" folder and from the "cache" and "data" subfolders before restarting their servers. Administrators must also block network access to the attacker's server by adding a new line "emmm.spxaebjhxtmddsri.xyz 127.0.0.1" to the "hosts" file.

    Infected servers should also be checked for recent changes, including:

    suspicious user accounts;
    unknown processes;
    unknown network connections and open ports;
    changed SSH configuration;
    changed firewall rules.

    The company also strongly recommends changing all passwords that were used on the server, as well as installing the Emby Server 4.7.12 update as soon as it becomes available.
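    The file removal and hosts-file steps above can be verified after the fact. The script below is an added example, not Emby's tooling: it walks an Emby program-data directory for the two file names named in the recommendations and checks whether the hosts file carries an active entry mapping the attacker's hostname to 127.0.0.1. The directory layout, file contents and hosts lines it builds are constructed samples so it runs offline; the real program-data path depends on the platform and is not stated here.

```python
import os
import tempfile

# File names and the attacker's hostname as given in the recommendations
# summarised above; file-name matching is case-insensitive.
MALICIOUS_FILENAMES = {"helper.dll", "embuhelper.dll"}
C2_HOST = "emmm.spxaebjhxtmddsri.xyz"


def find_malicious_plugin_files(programdata_dir):
    """Walk the whole program-data tree and return relative paths of every file
    whose name matches, so plugins/, cache/ and data/ are covered wherever
    they sit."""
    hits = []
    for root, _dirs, files in os.walk(programdata_dir):
        for name in files:
            if name.lower() in MALICIOUS_FILENAMES:
                hits.append(os.path.relpath(os.path.join(root, name), programdata_dir))
    return sorted(hits)


def hosts_sinkholes_c2(hosts_path):
    """True if an active (uncommented) hosts entry maps C2_HOST to 127.0.0.1.
    hosts syntax is the address first, followed by one or more names."""
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if fields[0] == "127.0.0.1" and C2_HOST in (f.lower() for f in fields[1:]):
                return True
    return False


def make_sample_install(base_dir, with_hosts_entry=True):
    """Constructed sample tree (not a real Emby install) for demonstration."""
    files = [
        os.path.join("plugins", "helper.dll"),
        os.path.join("plugins", "cache", "EmbuHelper.dll"),
        os.path.join("plugins", "Legit.Plugin.dll"),   # benign, must not be reported
        os.path.join("data", "EmbuHelper.dll"),
    ]
    for rel in files:
        path = os.path.join(base_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ placeholder, not a real DLL")
    hosts_path = os.path.join(base_dir, "hosts")
    with open(hosts_path, "w", encoding="utf-8") as fh:
        fh.write("127.0.0.1 localhost\n")
        if with_hosts_entry:
            fh.write("# sinkhole the malicious plugin's server\n")
            fh.write("127.0.0.1 " + C2_HOST + "\n")
    return hosts_path


def audit(programdata_dir, hosts_path):
    """Return (list of suspicious files, whether hosts sinkholes the C2 host)."""
    return find_malicious_plugin_files(programdata_dir), hosts_sinkholes_c2(hosts_path)


def audit_sample(with_hosts_entry=True):
    """Build the constructed sample in a temporary directory, audit it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts_path = make_sample_install(tmp, with_hosts_entry)
        return audit(tmp, hosts_path)


if __name__ == "__main__":
    hits, sinkholed = audit_sample()
    for h in hits:
        print("suspicious plugin file:", h)
    print("hosts file sinkholes the attacker's host:", sinkholed)
```

    On a real server, call audit() with the Emby program-data directory and the system hosts file instead of the sample. Note that the hosts file format puts the address before the name, so the entry from the recommendations should be written as "127.0.0.1 emmm.spxaebjhxtmddsri.xyz" for the resolver to apply it; the checker above looks for that form.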

    Author DeepWeb