Attackers hacked into 1200 Emby servers and installed a malicious plugin that steals credentials
The company approached the attack responsibly, shutting down the compromised servers and sending out a detailed list of recommendations to customers.
Emby, a company specializing in media server software, has announced that it remotely shut down an undisclosed number of its users’ servers that had been compromised through a known vulnerability combined with an insecure administrative account configuration.
“We have detected a malicious plugin on your system that was probably installed without your knowledge. For security reasons, we have disabled your Emby server,” the company says in a message added to the log files of the affected servers.
Although the company did not state the exact number of affected servers, one of its developers published a post in the Emby community titled “How we destroyed botnet of 1200 hacked Emby servers in 60 seconds”, which gives a clear indication of the scale of the incident.
The attacks began in the middle of this month, when attackers started targeting privately hosted, Internet-accessible Emby servers and infiltrating those that allowed passwordless administrator access from the local network.
To reach such servers from outside the local network, the attackers exploited a “proxy header” vulnerability: it allowed a server to be fooled into treating the attackers’ connections as if they originated from the local network, which in turn let them log in without a password. The vulnerability has been known since February 2020 and was recently patched in the beta channel of the Emby software.
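The article only says a “proxy header” was involved; the following added example (not Emby’s code) assumes the common case, an X-Forwarded-For header, and shows why deciding “local network, so no password needed” from a client-supplied header is unsafe, beside a hardened variant that honours the header only when the TCP peer is a configured reverse proxy. The local ranges and the proxy address are constructed for the demonstration.

```python
import ipaddress
from typing import Callable, Mapping

# Constructed: address ranges this server treats as "local network".
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
# Constructed: the only peer allowed to set forwarding headers (a hypothetical reverse proxy).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def is_local(ip: str) -> bool:
    """True if the address falls inside one of the configured local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def client_ip_naive(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Weak resolver: believes whatever X-Forwarded-For the client sends."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Safe resolver: the header counts only when the socket peer is a trusted proxy,
    and then only the entry that proxy appended (the rightmost one) is used."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if xff and peer in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return remote_addr


def passwordless_admin_allowed(
    remote_addr: str,
    headers: Mapping[str, str],
    resolver: Callable[[str, Mapping[str, str]], str],
) -> bool:
    """The policy under discussion: passwordless admin login only for local clients.
    Its safety depends entirely on which resolver supplies the client address."""
    return is_local(resolver(remote_addr, headers))


if __name__ == "__main__":
    # Constructed request: an Internet peer claiming a LAN address in the header.
    spoofed = {"X-Forwarded-For": "192.168.1.50"}
    print("naive   :", passwordless_admin_allowed("203.0.113.7", spoofed, client_ip_naive))
    print("hardened:", passwordless_admin_allowed("203.0.113.7", spoofed, client_ip_hardened))
```

With the naive resolver the Internet peer is classified as local and the password check is skipped; with the hardened resolver the header from an untrusted peer is ignored and the socket address decides. A genuine LAN client with no header is treated identically by both.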
Using the vulnerability, attackers managed to install malicious plugins on hacked servers. These plugins were designed to collect the credentials of any users connecting to compromised servers.
“After careful analysis and evaluation of possible mitigation strategies, the Emby team was able to release an update to the Emby servers that is able to detect the malicious plugin and prevent it from being loaded,” says Emby.
As Emby explained, stopping the affected servers was a precautionary measure to neutralize the malicious plugin, to keep the situation from escalating, and to bring it to the attention of administrators.
The company recommends that Emby administrators immediately remove the malicious “helper.dll” or “EmbuHelper.dll” files from the “plugins” folder and from its “cache” and “data” subfolders before restarting their servers. In addition, administrators must block network access to the attacker’s server by adding a new line “emmm.spxaebjhxtmddsri.xyz 127.0.0.1” to the “hosts” file.
Infected servers should also be checked for recent changes, including:
- suspicious user accounts;
- unknown processes;
- unknown network connections and open ports;
- changed SSH configuration;
- changed firewall rules.
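The cleanup and triage steps above, collected into one added helper script; this is not Emby’s tooling. It assumes a Linux host, searches the whole “plugins” tree (which covers its “cache” and “data” subfolders) for the two file names, and writes the hosts entry in the order the operating system actually parses, address first followed by the host name; a line written host name first is not honoured by the resolver, so the checker deliberately reports such a line as missing. The sample directory tree and the sample passwd content are constructed for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path

# File names quoted in the advisory; matched case-insensitively.
MALICIOUS_PLUGIN_NAMES = {"helper.dll", "embuhelper.dll"}
# Attacker domain quoted in the advisory, to be sinkholed to loopback.
C2_DOMAIN = "emmm.spxaebjhxtmddsri.xyz"

# Constructed /etc/passwd sample: one legitimate root, one planted UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
emby:x:998:998::/var/lib/emby:/usr/sbin/nologin
backup2:x:0:0::/tmp:/bin/sh
"""


def find_malicious_plugins(emby_root) -> list:
    """Return every file under <root>/plugins (any depth) whose name matches the advisory."""
    plugins_dir = Path(emby_root) / "plugins"
    if not plugins_dir.is_dir():
        return []
    hits = [p for p in plugins_dir.rglob("*")
            if p.is_file() and p.name.lower() in MALICIOUS_PLUGIN_NAMES]
    return sorted(hits, key=lambda p: p.as_posix())


def quarantine(paths, quarantine_dir) -> list:
    """Move the files out of the plugin tree (prefixed with their folder) so they
    cannot be loaded on restart but remain available for forensic analysis."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for src in paths:
        dst = quarantine_dir / f"{src.parent.name}__{src.name}"
        shutil.move(str(src), str(dst))
        moved.append(dst)
    return moved


def hosts_has_sinkhole(hosts_text: str) -> bool:
    """True only for an effective entry: '127.0.0.1' first, the domain among the names."""
    for raw in hosts_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] == "127.0.0.1" and C2_DOMAIN in tokens[1:]:
            return True
    return False


def add_sinkhole(hosts_text: str) -> str:
    """Append the loopback mapping for the attacker domain if it is not already present."""
    if hosts_has_sinkhole(hosts_text):
        return hosts_text
    sep = "" if (not hosts_text or hosts_text.endswith("\n")) else "\n"
    return f"{hosts_text}{sep}127.0.0.1 {C2_DOMAIN}\n"


def unexpected_root_accounts(passwd_text: str, expected=("root",)) -> list:
    """UID-0 accounts other than the expected ones: a common trace of a planted backdoor user."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] not in expected:
            hits.append(parts[0])
    return hits


def build_sample_tree() -> Path:
    """Constructed Emby data directory (not a real install) with planted and legitimate DLLs."""
    root = Path(tempfile.mkdtemp(prefix="emby-triage-"))
    for rel in ("plugins/helper.dll", "plugins/cache/EmbuHelper.dll",
                "plugins/data/Helper.DLL", "plugins/LegitPlugin.dll"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ-constructed-sample")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = find_malicious_plugins(tree)
    print("planted plugins:", [p.relative_to(tree).as_posix() for p in found])
    print("quarantined    :", [p.name for p in quarantine(found, tree / "quarantine")])
    print("hosts fixed    :", hosts_has_sinkhole(add_sinkhole("127.0.0.1 localhost\n")))
    print("extra UID-0    :", unexpected_root_accounts(SAMPLE_PASSWD))
```

Run it against a real install by passing the Emby data directory to find_malicious_plugins and the contents of /etc/hosts and /etc/passwd to the text functions; the remaining checks in the list (processes, listening ports, SSH configuration, firewall rules) are host-specific and are best compared against a known-good baseline taken before the incident.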
The company also strongly recommends changing all passwords that were used on the server, as well as installing the Emby Server 4.7.12 update as soon as it becomes available.