Emby, a popular media server platform, recently responded to a wave of compromises of user-hosted Emby Server instances. The attackers combined a known vulnerability with insecure admin account configurations. As a precaution, Emby remotely shut down the affected servers.

## Detection and Response to Malicious Plugin Installation

After detecting a malicious plugin on the compromised systems, Emby acted promptly. It notified administrators of the affected servers through entries in the server log, explaining that the shutdown was a safety measure to limit the damage.

## Exploitation and Proxy Header Vulnerability

The attacks began in mid-May 2023, when threat actors targeted Emby servers exposed to the Internet. The servers that fell were configured to let admin accounts log in without a password as long as the request came from the local network. To make requests from the Internet look as if they came from the LAN, and so bypass that restriction, the attackers abused a flaw Emby refers to as the "proxy header vulnerability". Emby had been aware of this issue since February 2020 and had addressed it in recent patches in the beta channel. The general lesson is that a server must only believe a forwarded-client-address header when the request genuinely arrived from a reverse proxy it controls; otherwise any remote client can claim a local address.

## Installation of a Malicious Plugin and Emby's Mitigation Measures

Once in, the attackers installed a malicious plugin on the compromised instances. The plugin harvests the credentials of users who sign in to the compromised server. After analysing the plugin and evaluating mitigation options, the Emby team developed and deployed an update to Emby Server instances that detects the malicious plugin and prevents it from loading, neutralising its effect.
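The page does not describe the proxy header flaw in detail. The following is an added example, not Emby's code: it models the generic form of this bug, a server that derives the client address from a proxy header (assumed here to be `X-Forwarded-For`) without checking that the request actually arrived from a trusted reverse proxy, beside the hardened form that only honours the header from a configured proxy and walks it from the right. The header name, the trusted-proxy address `10.0.0.2`, the "local network" ranges and the sample addresses are assumptions for illustration.

```python
"""Added example (not Emby's code): trusting a proxy header for the
"is this request local?" decision, vulnerable and hardened versions."""
import ipaddress

# Address ranges treated as "local network" for the no-password admin rule.
# Listed explicitly (assumption) rather than via ip.is_private, so results do
# not depend on the Python version's special-address registry.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "::1/128")]


def is_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def client_ip_vulnerable(remote_addr, headers):
    """Vulnerable pattern: believe X-Forwarded-For from any TCP peer.
    Whoever connects directly can claim any client address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, headers, trusted_proxies):
    """Hardened pattern: honour X-Forwarded-For only when the TCP peer is a
    configured reverse proxy, then take the right-most hop that is not itself
    a trusted proxy (the address our proxy actually saw). Returns None when
    the client address cannot be established, which the caller must deny."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if peer not in trusted:
        return peer  # direct connection: the header is untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: do not guess
        if ip not in trusted:
            return ip
    return None  # proxy supplied no usable client address


def allows_passwordless_admin_login(client_ip):
    """The policy described on the page: a LAN client may use an admin
    account that has no password. An undeterminable client is denied."""
    return client_ip is not None and is_lan(client_ip)


def scenario():
    """Constructed requests run through both implementations; returns
    {case: (vulnerable_allows, hardened_allows)}."""
    trusted = {"10.0.0.2"}  # assumed reverse proxy in front of the server
    cases = {
        "forged_from_internet": ("203.0.113.5", {"X-Forwarded-For": "192.168.1.10"}),
        "lan_via_proxy": ("10.0.0.2", {"X-Forwarded-For": "192.168.1.10"}),
        "internet_via_proxy": ("10.0.0.2", {"X-Forwarded-For": "203.0.113.5"}),
        "forged_via_proxy": ("10.0.0.2", {"X-Forwarded-For": "192.168.1.10, 203.0.113.5"}),
        "malformed_via_proxy": ("10.0.0.2", {"X-Forwarded-For": "192.168.1.10, not-an-ip"}),
        "direct_lan_no_header": ("192.168.1.20", {}),
    }
    result = {}
    for name, (peer, hdrs) in cases.items():
        v = allows_passwordless_admin_login(client_ip_vulnerable(peer, hdrs))
        h = allows_passwordless_admin_login(client_ip_hardened(peer, hdrs, trusted))
        result[name] = (v, h)
    return result


if __name__ == "__main__":
    for name, (v, h) in scenario().items():
        print(f"{name:24s} vulnerable={v!s:5s} hardened={h}")
```

The forged cases are the ones that matter: a direct Internet connection carrying a fake LAN address is accepted by the vulnerable check and rejected by the hardened one, while a genuine LAN user, with or without a proxy in front, is still recognised.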
## Precautionary Shutdown for Disabling the Malicious Plugin

Given the severity of the situation, Emby chose to shut down the affected servers as a precaution. The shutdown disables the malicious plugin, prevents immediate further escalation on the compromised hosts, and forces server administrators to notice and address the issue.

## Recommendations for Server Administrators

To remove the threat and restore the server, Emby advises administrators to take the following steps:

1. **Removal of malicious files**: Delete the malicious "helper.dll" or "EmbyHelper.dll" files from the plugins folder in the Emby Server data folder, and from the cache and data subfolders.
2. **Blocking access to the attackers' server**: Add an entry mapping "emmm.spxaebjhxtmddsri.xyz" to 127.0.0.1 in the hosts file so that the malware can no longer resolve the attackers' domain (the hosts file format is IP address first, so the line reads `127.0.0.1 emmm.spxaebjhxtmddsri.xyz`). Note that this only blocks name resolution; it does nothing against a component that connects to an IP address directly.
3. **Server review**: Check compromised servers for recent changes, including suspicious user accounts, unknown processes, unknown network connections and open ports, SSH configuration, and firewall rules. Change all passwords.

## Emby's Security Update and Ongoing Investigations

Emby plans to release a security update, Emby Server 4.7.12, that fixes the vulnerability and hardens the platform against similar attacks. Emby has not disclosed the number of impacted servers, but a recent community post by Emby developer softworkz mentioned the takedown of a botnet of roughly 1,200 hacked Emby Servers. Further details are expected. Emby encourages users to stay vigilant as more information becomes available.
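Steps 1 and 2 of the cleanup above lend themselves to a small sweep script. The following is an added example, not Emby's tooling: it searches the plugins, cache and data subfolders of a given Emby data folder for the two DLL names named in the advisory, checks whether the hosts file already sinkholes the malware's domain, and, only when asked, deletes the files and appends the hosts entry. The `demo()` function builds a constructed data folder and hosts file in a temporary directory so the script runs offline; the real data folder and hosts file paths must be supplied by the administrator.

```python
"""Added example (not Emby's code): sweep an Emby Server data folder for the
plugin IOCs from the advisory and sinkhole the malware's domain."""
from pathlib import Path
import tempfile

# Indicators quoted in the advisory.
MALICIOUS_DLLS = {"helper.dll", "embyhelper.dll"}   # compared case-insensitively
MALWARE_DOMAIN = "emmm.spxaebjhxtmddsri.xyz"
SINKHOLE_LINE = f"127.0.0.1 {MALWARE_DOMAIN}"       # hosts format: IP first
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}

# Subfolders of the Emby data folder the advisory says to check.
SUSPECT_SUBFOLDERS = ("plugins", "cache", "data")


def find_malicious_plugins(data_dir):
    """Return sorted paths (as strings) of files under the suspect subfolders
    whose name matches one of the IOC file names, searched recursively."""
    data_dir = Path(data_dir)
    hits = []
    for sub in SUSPECT_SUBFOLDERS:
        root = data_dir / sub
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and p.name.lower() in MALICIOUS_DLLS:
                hits.append(str(p))
    return sorted(hits)


def hosts_sinkholes_domain(hosts_text):
    """True if a non-comment hosts line maps MALWARE_DOMAIN to a sinkhole IP."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], [n.lower() for n in parts[1:]]
        if MALWARE_DOMAIN in names and ip in SINKHOLE_IPS:
            return True
    return False


def remediate(data_dir, hosts_path, delete=False):
    """Dry run by default: report IOC files and hosts state. With delete=True,
    remove the files and append the sinkhole line if it is missing."""
    hits = find_malicious_plugins(data_dir)
    hosts_path = Path(hosts_path)
    hosts_text = hosts_path.read_text() if hosts_path.exists() else ""
    sinkholed = hosts_sinkholes_domain(hosts_text)
    if delete:
        for h in hits:
            Path(h).unlink()
        if not sinkholed:
            with hosts_path.open("a") as fh:
                if hosts_text and not hosts_text.endswith("\n"):
                    fh.write("\n")
                fh.write(SINKHOLE_LINE + "\n")
            sinkholed = True
    return {"malicious_files": hits, "hosts_sinkholed": sinkholed, "deleted": delete}


def demo():
    """Constructed sample: a fake data folder with two IOC files, a benign
    plugin and a benign data file, plus a minimal hosts file. Runs a dry scan,
    the cleanup, and a final scan; returns all three results."""
    base = Path(tempfile.mkdtemp(prefix="emby-ioc-"))
    data_dir = base / "emby-data"
    for rel in ("plugins/EmbyHelper.dll", "cache/sub/helper.dll",
                "plugins/MyPlugin.dll", "data/library.db"):
        f = data_dir / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"constructed sample, not a real binary")
    hosts = base / "hosts"
    hosts.write_text("127.0.0.1 localhost\n::1 localhost\n")
    before = remediate(data_dir, hosts)
    cleanup = remediate(data_dir, hosts, delete=True)
    after = remediate(data_dir, hosts)
    return before, cleanup, after


if __name__ == "__main__":
    for label, r in zip(("before", "cleanup", "after"), demo()):
        print(label, r)
```

On a real host, call `remediate("<Emby data folder>", "/etc/hosts")` on Linux or `remediate(..., r"C:\Windows\System32\drivers\etc\hosts")` on Windows with elevated rights, read the dry-run report first, and only then pass `delete=True`; step 3 of the advice (accounts, processes, ports, SSH, firewall, passwords) still has to be done by hand.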
ABB, a Swiss multinational technology company and contractor to the United States government, has confirmed that it experienced a ransomware attack earlier this month that affected certain systems. Although the company is known for its industrial control system (ICS) and supervisory control and data acquisition (SCADA) products, an unauthorized third party gained access to specific ABB systems and executed a ransomware payload that was not self-propagating.

## Breach Detection & Impact Assessment

ABB states that its security controls allowed it to detect the intrusion quickly and to start a thorough investigation. Initial findings indicate that the attackers exfiltrated certain information from the affected devices. So far there is no evidence of any direct impact on customer systems. ABB will notify affected parties if their data turns out to have been compromised, and says it intends to keep the trust of its customers, suppliers and the individuals whose personally identifiable information may have been exposed.

## Ransomware Attack Containment and Restoration

ABB [contained the incident](https://cyberplace.social/@GossiTheDog/110435348263242869) quickly, allowing critical services and systems to return to normal operation. The company has also put additional security measures in place to remediate its network and, working with external advisers and law enforcement, aims to limit the impact of the attack and prevent a recurrence.

## Threat Landscape: Black Basta Ransomware

The [ransomware attack on ABB](https://bit.ly/42Tp2Vc) took place on May 7th. ABB has not named the attackers, but external sources confirm the involvement of the [Black Basta ransomware](https://bit.ly/38NlpJG) group. Black Basta surfaced in April 2022 as a Ransomware-as-a-Service (RaaS) operation and quickly began double-extortion attacks against corporate targets. The group has become notorious in the security community and has been linked to the financially motivated threat group FIN7, also known as Carbanak. The attack on ABB targeted the company's Windows Active Directory and resulted in the compromise of numerous Windows-based systems. Immediately after discovering the breach, ABB terminated VPN connections with its customers to stop the threat actors from pivoting into other networks and widening the attack.

## ABB's Commitment to Cybersecurity

With $29.4 billion in revenue in 2022 and approximately 105,000 employees, ABB is a major player in the technology industry. Its ICS and SCADA products have [attracted high-profile clients](https://new.abb.com/docs/librariesprovider15/campaigns/abb_federal-government-brochure-2022.pdf?sfvrsn=7fbc309_2) worldwide, including the U.S. Department of Defense and federal civilian agencies. ABB says it continues to improve its security posture, to work with advisers and law enforcement, and to apply stringent measures to protect critical systems, with the aim of maintaining the integrity of its operations and the trust of its customers, suppliers and partners.