A very messy fix - Emby remotely shuts down hacked user media servers, after not fixing a vulnerability for 3 years
Take action: Emby themselves hacked into compromised user servers to stop them after not fixing the vulnerability for three years! Ignoring a vulnerability in your system for years and then making a "special forces" move makes you untrustworthy, not brilliant.
Emby, a company developing an open source media server, has taken action to shut down user-hosted media server instances that were hacked in a recent attack.
The hackers exploited a known vulnerability and an insecure admin account configuration to gain access to the servers and install a malicious plugin that harvested user credentials.
The attack started in mid-May 2023, when the attackers targeted Internet-exposed private Emby servers and infiltrated those configured to allow admin logins without a password. The threat actors exploited a flaw described by Emby as a "proxy header vulnerability," known since at least February 2020 and only recently patched in the beta channel.
Emby states that they have remotely shut down the affected servers as a precautionary measure, and administrators are advised to delete the malicious files, review server changes, and take additional security measures:
Block the malware's access to the attackers' server by adding a new hosts file record: "emmm.spxaebjhxtmddsri.xyz 127.0.0.1".
The servers should be reviewed for any recent changes, including:
- Suspicious user accounts
- Unknown processes
- Unknown network connections and open ports
- SSH configuration
- Firewall rules
- Change all passwords
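The two steps above (the hosts-file block and the review checklist) as one added POSIX shell script; this is example code written for this page, not a tool from Emby or from the advisory. Note that the hosts(5) file format puts the address before the hostname, so the line actually written is `127.0.0.1 emmm.spxaebjhxtmddsri.xyz`. The service account name `emby` and the plugin directory `/var/lib/emby/plugins` are assumptions for a typical Linux install and can be overridden through the environment; the hosts file path is a parameter so the sinkhole function can be exercised against a scratch copy before touching `/etc/hosts`.

```shell
#!/bin/sh
# Added example (not Emby's own tooling): apply the hosts-file sinkhole from the
# advisory idempotently and gather the artefacts its review checklist asks for.
# Assumptions (not from the advisory): the media server runs as user "emby" and
# keeps plugins under /var/lib/emby/plugins. Adjust for your install.

C2_HOST="emmm.spxaebjhxtmddsri.xyz"                 # hostname named in the advisory
EMBY_USER="${EMBY_USER:-emby}"                      # assumed service account
PLUGIN_DIR="${PLUGIN_DIR:-/var/lib/emby/plugins}"   # assumed plugin directory

# ERE matching a sinkhole line for C2_HOST; dots are escaped so they match literally.
c2_regex() {
    esc=$(printf '%s' "$C2_HOST" | sed 's/\./\\./g')
    printf '^[[:space:]]*127\\.0\\.0\\.1[[:space:]]+%s([[:space:]]|$)' "$esc"
}

# add_sinkhole HOSTS_FILE -- append "127.0.0.1 <C2_HOST>" unless it is already there,
# so running the script twice never duplicates the entry.
add_sinkhole() {
    hosts_file="$1"
    if [ -f "$hosts_file" ] && grep -qE "$(c2_regex)" "$hosts_file"; then
        return 0
    fi
    printf '127.0.0.1 %s\n' "$C2_HOST" >> "$hosts_file"
}

# sinkhole_count HOSTS_FILE -- number of sinkhole lines present (0 when none).
sinkhole_count() {
    grep -cE "$(c2_regex)" "$1" || true
}

# review_changes -- print the items from the advisory's checklist for a human to
# compare against a known-good baseline: accounts, processes, sockets, plugin
# files, SSH configuration and firewall rules.
review_changes() {
    echo "== local accounts with uid >= 1000 (flag any you did not create) =="
    awk -F: '$3 >= 1000 && $3 < 65534 { print $1, $3, $7 }' /etc/passwd
    echo "== processes running as $EMBY_USER =="
    ps -eo pid,user,etime,args | awk -v u="$EMBY_USER" '$2 == u'
    echo "== listening TCP/UDP sockets =="
    if command -v ss >/dev/null 2>&1; then ss -tulpn; else netstat -tulpn; fi
    echo "== plugin files, newest first (unexpected recent additions are suspect) =="
    ls -lt "$PLUGIN_DIR" 2>/dev/null
    echo "== effective sshd settings (comments and blank lines stripped) =="
    cat /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null \
        | grep -vE '^[[:space:]]*(#|$)'
    echo "== authorized_keys files =="
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        if [ -f "$f" ]; then echo "-- $f"; cat "$f"; fi
    done
    echo "== firewall rules =="
    if command -v nft >/dev/null 2>&1; then nft list ruleset; fi
    if command -v iptables >/dev/null 2>&1; then iptables -S; fi
}

# Usage: sh emby_ir.sh apply [HOSTS_FILE]
# Adds the sinkhole entry (default /etc/hosts; needs root) and prints the review.
if [ "${1:-}" = "apply" ]; then
    target="${2:-/etc/hosts}"
    add_sinkhole "$target"
    echo "sinkhole lines in $target: $(sinkhole_count "$target")"
    review_changes
fi
```

The review output is deliberately raw: the advisory asks administrators to look for changes, and the useful comparison is against a baseline taken before the incident (or against a clean install), not against any fixed list of "bad" values. Password changes, the last checklist item, are left to the administrator since they involve the Emby accounts as well as the host.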
Emby plans to release a full security update to address the issue.
Although the exact number of impacted servers has not been disclosed, the developer softworkz added a new community post titled "How we took down a BotNet of 1200 hacked Emby Servers within 60 seconds."