Health Care
Education
IT & Telecom
Government
CISO/CTO
DevSecops
Product
Our Product
We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.
Threatspy
Solutions
By Industry
Health Care
Education
IT & Telecom
By Role
Government
CISO/CTO
DevSecops
Resources
Resource Library
Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.
Threat Feeds
Threat Research
White Paper
SB Blogs
Subscribe to Our Weekly Threat Digest
Company
Contact Us
Have queries, feedback or prospects? Get in touch and we shall be with you shortly.
Our Story
Our Team
Careers
Press & Media
Contact Us
Request Demo
By submitting this form, you agree to our Subscription Agreement and Legal Policies.
Be informed in your inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
RPMSG
Phishing
Microsoft 365
Encrypted RPMSG Attachments & Evolving Microsoft 365 Phishing Attacks
Protect Your Microsoft Credentials: Learn How to Counter Encrypted RPMSG Phishing Attacks & Strengthen Email Security. Stay Safe Now!
26-May-2023
4 min read
Related Articles
Server
Emby
Hack
Emby takes swift action against recent server hacks. Learn about the vulnerabili...
Emby, a renowned media server platform, recently responded swiftly to an outbreak of hacks targeting a subset of user-hosted media server instances. The compromise was achieved by exploiting a known vulnerability combined with insecure admin account configurations. To safeguard users, Emby remotely shut down the affected servers as a precautionary measure. ## Detection and Response to Malicious Plugin Installation Upon detecting a malicious plugin within the compromised systems, Emby promptly took action. The company informed users of the affected servers through log file entries, emphasizing that the shutdown was implemented to mitigate potential risks to their safety. ## Exploitation and Proxy Header Vulnerability The series of attacks began in mid-May 2023, when threat actors specifically targeted Emby servers exposed to the Internet. These servers were further exploited due to insecure admin login configurations, allowing unauthorized access without the need for a password on the local network. To bypass the login restrictions imposed by the LAN, the attackers leveraged a flaw referred to as the "proxy header vulnerability." Emby had already acknowledged this vulnerability since February 2020 and subsequently addressed it in recent patches available in the beta channel. ## Installation of a Malicious Plugin and Emby's Mitigation Measures Upon gaining unauthorized access, the threat actors proceeded to install a malicious plugin on the compromised Emby instances. This plugin was designed to harvest the credentials of unsuspecting users signing into the compromised servers. Emby's response involved a careful analysis and evaluation of mitigation strategies. Consequently, the Emby team promptly developed and deployed an update to Emby Server instances. This update effectively detects and prevents the loading of the malicious plugin, thereby neutralizing its impact. ## Precautionary Shutdown for Disabling the Malicious Plugin In light of the severity and nature of the situation, Emby opted to shut down the affected servers as a precautionary measure. This strategic decision was intended to disable the malicious plugin and prevent any immediate escalation of the compromised environment. It also served to draw the attention of server administrators to address the issue promptly and directly. ## Recommendations for Server Administrators To effectively counter the threat and restore server functionality, Emby advises administrators to take the following steps: 1. **Removal of Malicious Files**: Administrators must delete the malicious "helper.dll" or "EmbyHelper.dll" files from the plugins folder in the Emby Server Data Folder, as well as from the cache and data subfolders. 2. **Blocking Access to Malware**: Adding a new entry, such as "emmm.spxaebjhxtmddsri.xyz 127.0.0.1," to the hosts file will block the malware's access to the attackers' server. 3. **Server Review**: Administrators should thoroughly review compromised servers for any recent changes, including suspicious user accounts, unknown processes, unknown network connections and open ports, SSH configurations, and firewall rules. It is also advisable to change all passwords to enhance security measures. ## Emby's Security Update and Ongoing Investigations Emby is committed to promptly addressing the issue and plans to release a security update, Emby Server 4.7.12, to rectify the vulnerability and reinforce the platform's defenses against similar threats. While Emby has not disclosed the exact number of impacted servers, a recent community post by Emby developer softworkz hinted at the successful takedown of a botnet composed of approximately 1,200 hacked Emby Servers. Further details are expected to be released soon. Emby remains dedicated to maintaining a secure and reliable media server platform and encourages users to stay vigilant as more information becomes available.
27-May-2023
3 min read
Black Basta
Ransomware
ABB
Discover the details of the confirmation of ABB ransomware attack and how the co...
ABB, a Swiss-based multinational technology corporation and contractor for the United States government, has officially confirmed that it experienced a ransomware attack earlier this month that impacted certain systems. Although recognized for its proficiency in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, ABB experienced a security breach caused by an unauthorized third-party who infiltrated specific ABB systems and executed a ransomware program that could not spread itself. ## Breach Detection & Impact Assessment Implementing robust cybersecurity protocols by ABB facilitated the expeditious detection of the data breach, which triggered a thorough investigation into the matter. Initial results suggest that the perpetrators extracted particular information from the infiltrated devices. Currently, there is no empirical data indicating any immediate effect on client systems. ABB will notify the impacted parties if their data has been breached, showcasing the organization's dedication to transparency and preemptive correspondence with its stakeholders. ABB endeavors to uphold the confidence of its clientele, vendors, and persons whose personally identifiable information may have been compromised. ## Ransomware Attack Containment and Restoration ABB quickly controlled the recent [data breach](https://cyberplace.social/@GossiTheDog/110435348263242869), allowing critical services and systems to return to regular operation. Additionally, the company has implemented additional security measures to fix its network and prevent future attacks. By working closely with advisors and law enforcement, ABB aims to minimize the impact of this ransomware attack and prevent any potential recurrence. ## Threat Landscape: Black Basta Ransomware The Black Basta ransomware operators were identified as the source of the [ransomware attack on ABB](https://bit.ly/42Tp2Vc) on May 7th. Although ABB did not explicitly reveal the attackers' identity, external sources have verified the participation of the [Black Basta ransomware](https://bit.ly/38NlpJG) group. In April 2022, a Ransomware-as-a-Service (RaaS) entity known as Black Basta surfaced and promptly initiated double-extortion attacks on multiple corporate targets. The aforementioned ransomware syndicate has garnered infamy within the cybersecurity domain and has been associated with the monetarily incentivized cyber syndicate FIN7, otherwise referred to as Carbanak. The ABB cyber assault was aimed at the organization's Windows Active Directory, resulting in the compromise of numerous Windows-based systems. ABB took swift action following the security breach by immediately discontinuing VPN connections with its clients, thereby thwarting the unauthorized access of threat actors to other networks and the possibility of exacerbating the cyberattack. ## ABB's Commitment to Cybersecurity With $29.4 billion in revenue in 2022 and approximately 105,000 employees, ABB maintains a prominent position in the technology industry. The company's commitment to creating dependable industrial control systems (ICS) and SCADA systems has [attracted high-profile clients](https://new.abb.com/docs/librariesprovider15/campaigns/abb_federal-government-brochure-2022.pdf?sfvrsn=7fbc309_2) worldwide, including the U.S. Department of Defense and federal civilian agencies. ABB's proactive approach to cybersecurity includes improving its security posture continuously, collaborating with advisors and law enforcement, and implementing stringent measures to safeguard critical systems. By doing so, ABB strives to maintain the integrity of its operations and the trust of its customers, suppliers, and partners.
27-May-2023
3 min read
WordPress
Vulnerability
XSS
Over 1.5M WordPress sites at risk! Ongoing attacks exploit a cookie consent plug...
"Protect Your WordPress Site: Beware Ongoing Attacks Exploiting Cookie Consent Plugin Vulnerability - Over 1.5M Sites Targeted! Stay vigilant as hackers are actively targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the widely-used WordPress cookie consent plugin, Beautiful Cookie Consent Banner. With over 40,000 active installations, this exploit poses a significant risk. In an XSS attack, malicious JavaScript scripts are injected into vulnerable websites, compromising visitors' browsers and potentially leading to unauthorized access, session hijacking, malware infections, and even complete system compromise. The severity of the situation is further exacerbated by the fact that unpatched versions (up to and including 2.10.1) allow attackers to create unauthorized admin accounts on affected WordPress sites. Fortunately, the security flaw was patched in January with the release of version 2.10.2. However, attacks have been ongoing since February 5, 2023, with recent reports indicating a surge in activity against over 1.5 million sites, leading to nearly 3 million blocked attacks. While the current wave of attacks may not deploy a payload, it's crucial for admins and website owners using the Beautiful Cookie Consent Banner plugin to update to the latest version. Even unsuccessful attacks could corrupt the plugin's configuration, stored in the nsc_bar_bannersettings_json option. By updating to the patched versions, you can safeguard your site and ensure its resilience against potential future attacks. Don't let your website remain exposed, as threat actors have been actively probing vulnerable versions of other popular plugins as well. Stay proactive in protecting your WordPress site and prevent potential hijacking or unauthorized access by keeping your plugins up to date. Stay informed, stay secure!"
25-May-2023
2 min read
Secure Blink help Developers and Security Engineer to secure their Web Applications & APIs proactively using our cutting-edge heuristic approach.
