Cyber Incident Victim: Emby
Date:
May 2023
Location:
United States of America
Summary
A media software provider remotely shut down a number of its user-hosted servers after they were compromised in an attack. Threat actors exploited a known proxy header vulnerability and servers with insecure admin configurations to gain access. They installed a malicious plugin designed to harvest user credentials from the compromised systems. The provider deployed an update to detect and prevent the plugin from loading, forcing the affected servers to remain offline to mitigate the immediate threat.
Description
In mid-May 2023, attackers began a campaign against internet-exposed private media servers running Emby. They gained access by chaining two weaknesses. The primary entry point was servers configured to allow the administrator account to log in without a password when the request appeared to come from the local network. To defeat that restriction from outside the LAN, the attackers exploited what Emby described as a "proxy header vulnerability": a flaw that let a request originating outside the LAN be treated as local. The flaw had been publicly known since at least February 2020 and had only recently been fixed in the software's beta channel, so stable-channel installations remained exposed. Together, the insecure admin configuration and the known, still-unpatched vulnerability gave the attackers unauthorized administrator access to the affected Emby instances.
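The bypass described above, as an added illustration that is not Emby's code: Emby did not publish the mechanics of its proxy header vulnerability, so the header name (X-Forwarded-For), the private address ranges, and the "no password on the LAN" rule are assumptions chosen to show the general class of bug. The vulnerable variant derives the client address from a header any client can set; the hardened variant only honours the header when the TCP peer is a configured reverse proxy.

```python
"""Added example, not Emby code. Models a 'no password for admin on the LAN' rule
that derives the client address from a spoofable forwarded-IP header, beside a
variant that only honours the header from a known reverse proxy. The header name
(X-Forwarded-For) and the private ranges are assumptions for the illustration."""
import ipaddress

PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_lan_address(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the private ranges above."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Vulnerable: believes X-Forwarded-For from any peer, so an internet client
    can claim a LAN address simply by sending the header itself."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: dict, trusted_proxies: set) -> str:
    """Hardened: the header is consulted only when the TCP peer is a configured
    reverse proxy, and only its rightmost entry is used, because that is the one
    the trusted proxy appended; anything to the left was supplied by the client."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in trusted_proxies:
        return xff.split(",")[-1].strip()
    return remote_addr


def passwordless_admin_naive(remote_addr: str, headers: dict) -> bool:
    """Does the vulnerable server let the admin in without a password?"""
    return is_lan_address(client_ip_naive(remote_addr, headers))


def passwordless_admin_hardened(remote_addr: str, headers: dict, trusted_proxies: set) -> bool:
    """The same LAN rule applied to the hardened address derivation."""
    return is_lan_address(client_ip_hardened(remote_addr, headers, trusted_proxies))


if __name__ == "__main__":
    # Constructed request: an attacker on the internet (203.0.113.9) connects
    # directly to the exposed server and claims to be 192.168.1.20.
    spoofed = {"X-Forwarded-For": "192.168.1.20"}
    print("naive   :", passwordless_admin_naive("203.0.113.9", spoofed))
    print("hardened:", passwordless_admin_hardened("203.0.113.9", spoofed, {"10.0.0.2"}))
```

The hardened check is only as good as the `trusted_proxies` set: if the server is also reachable directly (not just through the proxy), a direct connection carries the peer's real address and the header is ignored, which is the behaviour you want.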

Upon successfully compromising a server, the attackers took steps to backdoor the system to maintain persistence and gather data. Their primary action was to install a malicious plugin onto the compromised Emby servers. The purpose of this plugin was to harvest the login credentials of all users who subsequently signed into the hacked media servers. This credential harvesting operation posed a significant risk to the privacy and security of the end-users accessing those media libraries. The specific malicious files were identified as `helper.dll` or `EmbyHelper.dll`.
The Emby development team detected this malicious activity and initiated a response. After conducting careful analysis and evaluating potential mitigation strategies, the team developed and pushed out an update to all Emby Server instances. This update was designed to detect the presence of the malicious plugin and prevent it from being loaded by the system. As a further containment measure, the company made the decision to remotely shut down an undisclosed number of user-hosted media server instances that were found to be compromised. This action was taken as a precaution to immediately disable the malicious plugin's operation, mitigate any further escalation of the incident, and force the attention of the system administrators to address the issue.
The company communicated this action directly to the affected users by adding new entries to their servers' log files. The message stated, "We have detected a malicious plugin on your system which has probably been installed without your knowledge. For your safety we have shutdown your Emby Server as a precautionary measure." This remote shutdown prevented the affected servers from starting up again automatically after the detection was made, ensuring the malicious code remained inactive until an admin manually intervened.
In a community post, an Emby developer using the name softworkz provided an additional data point regarding the scope of the incident. The post was titled "How we took down a BotNet of 1200 hacked Emby Servers within 60 seconds," indicating that the number of compromised servers they identified and disabled was approximately 1,200. The company did not officially confirm this number in its broader communications, but the post suggests the scale of the botnet that had been established using the hacked servers.
Emby detailed the response actions required of administrators of compromised servers. Before restarting their servers, admins were instructed to manually delete the malicious `helper.dll` or `EmbyHelper.dll` files from the plugins folder within the Emby Server Data Folder, as well as from the cache and data subfolders. To block the malware's communication and prevent it from exfiltrating harvested credentials, administrators were advised to modify their system's hosts file by adding a new line: "emmm.spxaebjhxtmddsri.xyz 127.0.0.1". This would redirect any connection attempts to the attackers' command-and-control server back to the local machine. Two practical caveats apply: the standard hosts-file syntax places the address before the hostname, so the conventional form of that entry is `127.0.0.1 emmm.spxaebjhxtmddsri.xyz`, and a hosts-file sinkhole only works if the plugin resolves the name through the system resolver rather than connecting to a hard-coded address or using its own DNS.
Emby also instructed administrators of compromised systems to conduct a thorough review for any signs of additional suspicious activity that may have occurred during the breach. This review was to include checking for any newly created suspicious user accounts, identifying unknown processes running on the system, investigating unknown network connections and open ports, reviewing SSH configuration for unauthorized changes, examining firewall rules for modifications, and changing all passwords associated with the server and user accounts as a precaution. The company announced plans to release a formal security update, Emby Server version 4.7.12, to address the underlying vulnerabilities exploited in the attack as soon as possible. The remote shutdown of servers was characterized as an immediate containment action taken in an abundance of caution due to the severity and nature of the situation, intended to protect users until the permanent patch could be deployed and applied.
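The file-removal and sinkhole steps above, plus a check of the server log for the shutdown notice Emby wrote, as an added helper that is not Emby's code. The folder names (plugins, cache, data under the Emby Server Data Folder), the file names and the C2 hostname come from the advisory; the hosts entry is written in the conventional address-first form; the fixture files and log lines are constructed for the demo and the log layout is an assumption. The remaining review items (new accounts, unknown processes, open ports, SSH configuration, firewall rules, password rotation) are host-specific and are not automated here.

```python
"""Added example, not Emby code: an offline cleanup and triage helper following the
steps Emby gave administrators. Folder layout (plugins, cache, data), file names and
C2 hostname are from the advisory; fixtures and sample log lines are constructed."""
import pathlib
import tempfile

MALICIOUS_NAMES = {"helper.dll", "embyhelper.dll"}   # matched case-insensitively
SCAN_SUBFOLDERS = ("plugins", "cache", "data")
C2_HOST = "emmm.spxaebjhxtmddsri.xyz"
HOSTS_LINE = f"127.0.0.1 {C2_HOST}"                  # address-first hosts syntax
SHUTDOWN_MARKER = "We have detected a malicious plugin on your system"


def find_malicious_plugins(data_folder) -> list:
    """Return paths of helper.dll / EmbyHelper.dll under the three folders Emby named."""
    root = pathlib.Path(data_folder)
    hits = []
    for sub in SCAN_SUBFOLDERS:
        folder = root / sub
        if folder.is_dir():
            hits.extend(p for p in folder.rglob("*")
                        if p.is_file() and p.name.lower() in MALICIOUS_NAMES)
    return sorted(hits)


def remove_malicious_plugins(data_folder) -> list:
    """Delete every hit and return what was deleted (run before restarting Emby)."""
    hits = find_malicious_plugins(data_folder)
    for p in hits:
        p.unlink()
    return hits


def ensure_hosts_sinkhole(hosts_path) -> bool:
    """Append the sinkhole line unless the C2 name is already mapped; True if written."""
    path = pathlib.Path(hosts_path)
    content = path.read_text() if path.exists() else ""
    for line in content.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments, split address/names
        if len(fields) >= 2 and C2_HOST in (f.lower() for f in fields[1:]):
            return False
    prefix = "" if (content == "" or content.endswith("\n")) else "\n"
    with path.open("a") as fh:
        fh.write(prefix + HOSTS_LINE + "\n")
    return True


def shutdown_notices(log_lines) -> list:
    """Lines carrying the message Emby wrote when it shut a compromised server down."""
    return [line for line in log_lines if SHUTDOWN_MARKER in line]


# Constructed log excerpt: only the quoted message text is Emby's; the
# timestamp/level layout is an assumption.
SAMPLE_LOG = [
    "2023-05-20 10:01:02 Info Main: Emby Server starting",
    "2023-05-20 10:01:03 Warn Plugins: We have detected a malicious plugin on your "
    "system which has probably been installed without your knowledge. For your "
    "safety we have shutdown your Emby Server as a precautionary measure.",
    "2023-05-20 10:01:03 Info Main: Shutting down",
]


def run_demo() -> dict:
    """Build a throwaway data folder with constructed fixtures, run the cleanup, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp) / "emby-data"
        for sub in SCAN_SUBFOLDERS:
            (root / sub).mkdir(parents=True)
        (root / "data" / "nested").mkdir()
        (root / "plugins" / "helper.dll").write_bytes(b"MZ-constructed")
        (root / "cache" / "EmbyHelper.dll").write_bytes(b"MZ-constructed")
        (root / "data" / "nested" / "HELPER.DLL").write_bytes(b"MZ-constructed")
        (root / "plugins" / "ExamplePlugin.dll").write_bytes(b"MZ-benign")  # must survive

        hosts = pathlib.Path(tmp) / "hosts"
        hosts.write_text("127.0.0.1 localhost")      # no trailing newline on purpose

        removed = remove_malicious_plugins(root)
        return {
            "removed": [p.name for p in removed],
            "remaining": len(find_malicious_plugins(root)),
            "benign_kept": (root / "plugins" / "ExamplePlugin.dll").exists(),
            "hosts_added": ensure_hosts_sinkhole(hosts),
            "hosts_added_again": ensure_hosts_sinkhole(hosts),
            "hosts_lines": hosts.read_text().splitlines(),
            "shutdown_notices": len(shutdown_notices(SAMPLE_LOG)),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real server, point `find_malicious_plugins` at the actual Emby Server Data Folder and `ensure_hosts_sinkhole` at the system hosts file (both need the server stopped and an administrative shell); the name match is case-insensitive because Windows installations will not preserve the case the attacker used.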
