Emby, a media server platform, has announced that it shut down an undisclosed number of user-hosted media server instances that were recently compromised in a cyberattack. The attackers exploited a known vulnerability and an insecure admin account configuration to gain unauthorized access.
Emby detected a malicious plugin installed on the affected servers and took the precaution of shutting them down to protect users. Admins are advised to delete the malicious files, review their servers for suspicious activity, and make necessary security changes.
Emby identified mid-May 2023 as the start of the attacks. The threat actors targeted Internet-exposed Emby servers whose admin accounts were configured to allow passwordless logins from the local network. By exploiting a proxy header vulnerability, the attackers made their requests appear to originate from inside the LAN and so gained access to the vulnerable servers from outside it.
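The weakness described above is a combination of two settings: a "no password needed on the LAN" rule, and an origin check that can be fooled by a client-supplied proxy header. The following is an added illustration, not Emby's code and not a description of the specific flaw Emby fixed; it shows the general pattern of a LAN check that trusts `X-Forwarded-For` from any peer, beside a hardened version that only honours forwarded headers when the TCP peer is a configured reverse proxy. All addresses and the `TRUSTED_PROXIES` list are constructed assumptions.

```python
import ipaddress

# Constructed example: networks from which passwordless admin login is permitted.
LAN_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed address of the only reverse proxy allowed to set forwarding headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_lan(ip: str) -> bool:
    """True if the address falls inside one of the trusted local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Weak pattern: believes X-Forwarded-For no matter who sent the request.

    Any external client can claim a LAN address simply by adding the header.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Hardened pattern: honour X-Forwarded-For only from a trusted proxy.

    When the TCP peer is not one of our proxies the header is ignored and the
    real socket address is used. When it is a proxy, the rightmost entry is
    taken, because that is the hop our proxy appended; any entries a client
    injected earlier in the list are left-hand noise and never trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For")
        if xff:
            candidate = xff.split(",")[-1].strip()
            try:
                ipaddress.ip_address(candidate)  # reject malformed values
                return candidate
            except ValueError:
                pass
    return remote_addr


def login_allowed_without_password(remote_addr: str, headers: dict, resolver) -> bool:
    """Apply the 'no password on the LAN' rule using the chosen resolver."""
    return is_lan(resolver(remote_addr, headers))


if __name__ == "__main__":
    # External peer claiming a LAN address via a forged header.
    forged = {"X-Forwarded-For": "192.168.1.10"}
    print("naive   :", login_allowed_without_password("203.0.113.7", forged, client_ip_naive))
    print("hardened:", login_allowed_without_password("203.0.113.7", forged, client_ip_hardened))
```

With the naive resolver an Internet peer at 203.0.113.7 is treated as 192.168.1.10 and skips the password; with the hardened resolver the same request is evaluated against its real address and is refused. The safest configuration remains not to allow passwordless admin logins at all, but the check above is the minimum a server must do before any origin-based trust decision.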
They then installed a malicious plugin to backdoor the compromised Emby instances and harvest user credentials. Emby responded by pushing out an update to detect and prevent the malicious plugin from loading.
Emby emphasized that the shutdown was a precautionary measure to disable the malicious plugin, prevent further escalation, and prompt admins to address the issue.
Admins are instructed to remove the malicious files, block malware access, review server changes for suspicious activity, and change all passwords. Emby is actively working on a security update to address the issue.
Although the number of impacted servers was not disclosed, a community post hinted at the takedown of a botnet comprising 1,200 hacked Emby servers. Further details are expected to be released soon.