Emby shuts down user media servers hacked in recent attack



Image: Bing Image Creator

Emby says it remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and an insecure admin account configuration.

"If your server has shut down and will not start again, it is possible that your server has been affected by this," the company warns users on its community website.

The attacks began in mid-May 2023 when the attackers started targeting Internet-exposed private Emby servers and infiltrating those configured to allow admin logins without a password on the local network.

To trick the servers into granting them admin access even though they were logging in from outside the LAN, the threat actors exploited a flaw described by Emby as a "proxy header vulnerability," known since at least February 2020 and recently patched in the beta channel.

The hackers used their access to backdoor the compromised Emby instances by installing a malicious plugin that harvests the credentials of all users signing into the hacked servers.

"After careful analysis and evaluation of possible strategies for mitigation, the Emby team was able to push out an update to Emby Server instances which is able to detect the plugin in question and prevents it from being loaded," Emby said.

"Due to the severity and the nature of this situation and in an abundance of caution we are preventing affected servers to start up again after the detection."

As Emby further explained, shutting down the affected servers was a precautionary measure aimed at disabling the malicious plugin, preventing the situation from escalating further, and drawing admins' attention so that they address the issue directly.

Admins warned to check for additional suspicious activity

Emby admins are advised to immediately delete the malicious helper.dll or EmbyHelper.dll files from the plugins folder in the Emby Server Data Folder, and from its cache and data subfolders, before starting their servers again.

They should also block the malware's access to the attackers' server by adding an entry for "emmm.spxaebjhxtmddsri.xyz" to their hosts file so that the domain no longer resolves to the attackers' infrastructure.

Compromised servers should also be reviewed for any recent changes, including:

- Suspicious user accounts
- Unknown processes
- Unknown network connections and open ports
- SSH configuration
- Firewall rules
- Change all passwords
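The clean-up steps above, as an added example in POSIX shell that is not Emby's own tooling: it reports any helper.dll / EmbyHelper.dll under the plugins, cache and data subfolders of a data folder whose path you supply, can delete them, and checks that the hosts file pins the callback domain. The mapping to loopback or 0.0.0.0 is an assumption, since the article names only the domain.

```shell
#!/bin/sh
# Added example, not Emby's own tooling. Checks an Emby Server data folder for
# the plugin files named in the advisory and whether the hosts file pins the
# malware's callback domain. The data-folder path is an assumption passed in.

CALLBACK_DOMAIN="emmm.spxaebjhxtmddsri.xyz"

# Print every helper.dll / EmbyHelper.dll under the plugins, cache and data
# subfolders (case-insensitive). Returns 0 when clean, 1 when any are found.
find_malicious_plugins() {
    data_dir="$1"
    set --                              # rebuild $@ as the existing subfolders
    for sub in plugins cache data; do
        [ -d "$data_dir/$sub" ] && set -- "$@" "$data_dir/$sub"
    done
    [ "$#" -gt 0 ] || return 0
    hits=$(find "$@" -type f \( -iname helper.dll -o -iname EmbyHelper.dll \))
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Delete the files reported above, printing each path as it is removed.
remove_malicious_plugins() {
    find_malicious_plugins "$1" | while IFS= read -r path; do
        rm -f "$path" && printf 'removed %s\n' "$path"
    done
}

# Return 0 if the hosts file (comments stripped) maps the callback domain to
# loopback or 0.0.0.0, 1 otherwise. Assumed sinkhole addresses, not from Emby.
hosts_blocks_domain() {
    hosts_file="${1:-/etc/hosts}"
    dom=$(printf '%s' "$CALLBACK_DOMAIN" | sed 's/\./\\./g')
    sed 's/#.*//' "$hosts_file" 2>/dev/null | grep -Eq \
        "^[[:space:]]*(127\.0\.0\.1|0\.0\.0\.0|::1)[[:space:]]+([^[:space:]]+[[:space:]]+)*$dom([[:space:]]|\$)"
}

# Run both checks; status 0 only when the folder is clean and the entry exists.
audit_emby() {
    status=0
    find_malicious_plugins "$1" || { echo "ACTION: delete the files above"; status=1; }
    hosts_blocks_domain "${2:-/etc/hosts}" \
        || { echo "ACTION: add a hosts entry for $CALLBACK_DOMAIN"; status=1; }
    return $status
}

# Usage: sh emby_check.sh /path/to/Emby-Server-data [hosts-file]
if [ "$#" -ge 1 ]; then audit_emby "$@"; fi
```

Run it against the data folder before restarting the server; a non-zero exit means at least one of the two remediation steps is still outstanding.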

Emby plans to release an Emby Server 4.7.12 security update as soon as possible to address the issue.

While Emby didn't reveal how many servers were impacted in the attack, Emby developer softworkz added a new community post yesterday titled "How we took down a BotNet of 1200 hacked Emby Servers within 60 seconds."

However, the post only asks users to "watch out for the full story coming shortly."
