Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Discover the details of the confirmation of ABB ransomware attack and how the company swiftly responded. Learn about the Black Basta ransomware operators
Emby, a renowned media server platform, recently responded swiftly to an outbreak of hacks targeting a subset of user-hosted media server instances. The compromise was achieved by exploiting a known vulnerability combined with insecure admin account configurations. To safeguard users, Emby remotely shut down the affected servers as a precautionary measure. ## Detection and Response to Malicious Plugin Installation Upon detecting a malicious plugin within the compromised systems, Emby promptly took action. The company informed users of the affected servers through log file entries, emphasizing that the shutdown was implemented to mitigate potential risks to their safety. ## Exploitation and Proxy Header Vulnerability The series of attacks began in mid-May 2023, when threat actors specifically targeted Emby servers exposed to the Internet. These servers were further exploited due to insecure admin login configurations, allowing unauthorized access without the need for a password on the local network. To bypass the login restrictions imposed by the LAN, the attackers leveraged a flaw referred to as the "proxy header vulnerability." Emby had already acknowledged this vulnerability since February 2020 and subsequently addressed it in recent patches available in the beta channel. ## Installation of a Malicious Plugin and Emby's Mitigation Measures Upon gaining unauthorized access, the threat actors proceeded to install a malicious plugin on the compromised Emby instances. This plugin was designed to harvest the credentials of unsuspecting users signing into the compromised servers. Emby's response involved a careful analysis and evaluation of mitigation strategies. Consequently, the Emby team promptly developed and deployed an update to Emby Server instances. This update effectively detects and prevents the loading of the malicious plugin, thereby neutralizing its impact. ## Precautionary Shutdown for Disabling the Malicious Plugin In light of the severity and nature of the situation, Emby opted to shut down the affected servers as a precautionary measure. This strategic decision was intended to disable the malicious plugin and prevent any immediate escalation of the compromised environment. It also served to draw the attention of server administrators to address the issue promptly and directly. ## Recommendations for Server Administrators To effectively counter the threat and restore server functionality, Emby advises administrators to take the following steps: 1. **Removal of Malicious Files**: Administrators must delete the malicious "helper.dll" or "EmbyHelper.dll" files from the plugins folder in the Emby Server Data Folder, as well as from the cache and data subfolders. 2. **Blocking Access to Malware**: Adding a new entry, such as "emmm.spxaebjhxtmddsri.xyz 127.0.0.1," to the hosts file will block the malware's access to the attackers' server. 3. **Server Review**: Administrators should thoroughly review compromised servers for any recent changes, including suspicious user accounts, unknown processes, unknown network connections and open ports, SSH configurations, and firewall rules. It is also advisable to change all passwords to enhance security measures. ## Emby's Security Update and Ongoing Investigations Emby is committed to promptly addressing the issue and plans to release a security update, Emby Server 4.7.12, to rectify the vulnerability and reinforce the platform's defenses against similar threats. While Emby has not disclosed the exact number of impacted servers, a recent community post by Emby developer softworkz hinted at the successful takedown of a botnet composed of approximately 1,200 hacked Emby Servers. Further details are expected to be released soon. Emby remains dedicated to maintaining a secure and reliable media server platform and encourages users to stay vigilant as more information becomes available.
Threat landscape continues to evolve, with attackers employing increasingly sophisticated techniques to target sensitive information & compromise security systems. Recent reports have highlighted the emergence of phishing attacks utilizing encrypted RPMSG attachments sent through compromised Microsoft 365 accounts. These attacks pose significant risks to email security gateways and the protection of Microsoft credentials. This [Threatfeed](https://bit.ly/3Iwo62t) delves into the nature of these attacks, explores the characteristics of RPMSG files, and discusses strategies to detect, counter, and mitigate the associated risks. ## Understanding Encrypted RPMSG Attachments and Phishing Attacks Encrypted RPMSG files, short for restricted permission message files, are a file format utilized by Microsoft's Rights Management Services (RMS) to provide an extra layer of protection for sensitive information. These files allow authorized recipients to access and authenticate the content while ensuring its confidentiality. However, cybercriminals have now harnessed RPMSG attachments to deceive users and extract Microsoft credentials. Phishing attacks leveraging RPMSG attachments follow a common modus operandi. Attackers compromise Microsoft 365 accounts and use them to send phishing emails containing RPMSG files. The emails typically mimic trusted senders and employ social engineering techniques to lure recipients into opening malicious attachments. Once the recipient attempts to access the encrypted content, a fake login form is presented, which prompts the victim to enter their Microsoft account credentials. The attackers then harvest this information for malicious purposes. ## Exploiting Email Security Gateways and Concealing Attacks One of the primary challenges with these phishing attacks is their ability to evade detection by traditional email security gateways. By encrypting the message within the RPMSG file, attackers effectively conceal the malicious intent of the email, making it difficult for security systems to identify and mitigate the risks effectively. Furthermore, the RPMSG files often contain embedded links or hyperlinks that redirect unsuspecting victims to seemingly legitimate websites, such as the Office 365 sign-in page or fake SharePoint documents, creating a false sense of trust and legitimacy.  ***Protected Phishing Mails*** Additionally, attackers employ techniques like Adobe's InDesign service, where a seemingly harmless document prompts users with a message such as _"Click here to Continue."_ Once clicked, the document redirects the victim to an empty page displaying the text _"Loading...Wait,"_ which is actually a delay tactic to execute a malicious script in the background. This script collects valuable system information, including visitor ID, connect token, hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture. Armed with this information, the attacker can create a cloned Microsoft 365 login form hosted on their servers, further complicating the detection process. ## Detecting, Countering, & Mitigating the Threat As these attacks continue to evolve, it is crucial to adopt proactive measures to detect, counter, and mitigate their risks. Here are some recommended strategies: 1. **Enhanced Email Scanning Gateways**: Organizations should strengthen their email security gateways by utilizing advanced threat detection mechanisms capable of analyzing encrypted attachments and identifying suspicious RPMSG files. By leveraging machine learning algorithms and anomaly detection techniques, these gateways can flag and quarantine potentially malicious emails for further analysis and investigation. 2. **Multi-Factor Authentication (MFA)**: Implementing MFA adds an additional layer of protection to Microsoft accounts, making it significantly harder for attackers to gain unauthorized access even if credentials are compromised. Enforcing MFA across all user accounts within an organization can greatly reduce the likelihood of successful phishing attacks. 3. **User Awareness and Education**: Organizations should invest in comprehensive cybersecurity awareness training for their employees, educating them about the risks associated with phishing attacks, including the specific techniques employed by attackers using encrypted RPMSG attachments. By promoting a culture of vigilance and providing employees with the necessary knowledge and tools to identify and report suspicious emails, organizations can effectively mitigate the impact of these attacks. 4. **Regular Security Updates**: Staying up to date with the latest security patches and updates for Microsoft 365 is crucial in mitigating the risks associated with phishing attacks. Microsoft frequently releases security updates and patches to address vulnerabilities exploited by attackers. By promptly applying these updates, organizations can stay one step ahead in protecting their systems and data.
"Protect Your WordPress Site: Beware Ongoing Attacks Exploiting Cookie Consent Plugin Vulnerability - Over 1.5M Sites Targeted! Stay vigilant as hackers are actively targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the widely-used WordPress cookie consent plugin, Beautiful Cookie Consent Banner. With over 40,000 active installations, this exploit poses a significant risk. In an XSS attack, malicious JavaScript scripts are injected into vulnerable websites, compromising visitors' browsers and potentially leading to unauthorized access, session hijacking, malware infections, and even complete system compromise. The severity of the situation is further exacerbated by the fact that unpatched versions (up to and including 2.10.1) allow attackers to create unauthorized admin accounts on affected WordPress sites. Fortunately, the security flaw was patched in January with the release of version 2.10.2. However, attacks have been ongoing since February 5, 2023, with recent reports indicating a surge in activity against over 1.5 million sites, leading to nearly 3 million blocked attacks. While the current wave of attacks may not deploy a payload, it's crucial for admins and website owners using the Beautiful Cookie Consent Banner plugin to update to the latest version. Even unsuccessful attacks could corrupt the plugin's configuration, stored in the nsc_bar_bannersettings_json option. By updating to the patched versions, you can safeguard your site and ensure its resilience against potential future attacks. Don't let your website remain exposed, as threat actors have been actively probing vulnerable versions of other popular plugins as well. Stay proactive in protecting your WordPress site and prevent potential hijacking or unauthorized access by keeping your plugins up to date. Stay informed, stay secure!"