Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Vice Society's new data exfiltration tool uses PowerShell to automate data theft from compromised networks. Learn about its features and evasive tactics...
Emby, a renowned media server platform, recently responded swiftly to an outbreak of hacks targeting a subset of user-hosted media server instances. The compromise was achieved by exploiting a known vulnerability combined with insecure admin account configurations. To safeguard users, Emby remotely shut down the affected servers as a precautionary measure. ## Detection and Response to Malicious Plugin Installation Upon detecting a malicious plugin within the compromised systems, Emby promptly took action. The company informed users of the affected servers through log file entries, emphasizing that the shutdown was implemented to mitigate potential risks to their safety. ## Exploitation and Proxy Header Vulnerability The series of attacks began in mid-May 2023, when threat actors specifically targeted Emby servers exposed to the Internet. These servers were further exploited due to insecure admin login configurations, allowing unauthorized access without the need for a password on the local network. To bypass the login restrictions imposed by the LAN, the attackers leveraged a flaw referred to as the "proxy header vulnerability." Emby had already acknowledged this vulnerability since February 2020 and subsequently addressed it in recent patches available in the beta channel. ## Installation of a Malicious Plugin and Emby's Mitigation Measures Upon gaining unauthorized access, the threat actors proceeded to install a malicious plugin on the compromised Emby instances. This plugin was designed to harvest the credentials of unsuspecting users signing into the compromised servers. Emby's response involved a careful analysis and evaluation of mitigation strategies. Consequently, the Emby team promptly developed and deployed an update to Emby Server instances. This update effectively detects and prevents the loading of the malicious plugin, thereby neutralizing its impact. ## Precautionary Shutdown for Disabling the Malicious Plugin In light of the severity and nature of the situation, Emby opted to shut down the affected servers as a precautionary measure. This strategic decision was intended to disable the malicious plugin and prevent any immediate escalation of the compromised environment. It also served to draw the attention of server administrators to address the issue promptly and directly. ## Recommendations for Server Administrators To effectively counter the threat and restore server functionality, Emby advises administrators to take the following steps: 1. **Removal of Malicious Files**: Administrators must delete the malicious "helper.dll" or "EmbyHelper.dll" files from the plugins folder in the Emby Server Data Folder, as well as from the cache and data subfolders. 2. **Blocking Access to Malware**: Adding a new entry, such as "emmm.spxaebjhxtmddsri.xyz 127.0.0.1," to the hosts file will block the malware's access to the attackers' server. 3. **Server Review**: Administrators should thoroughly review compromised servers for any recent changes, including suspicious user accounts, unknown processes, unknown network connections and open ports, SSH configurations, and firewall rules. It is also advisable to change all passwords to enhance security measures. ## Emby's Security Update and Ongoing Investigations Emby is committed to promptly addressing the issue and plans to release a security update, Emby Server 4.7.12, to rectify the vulnerability and reinforce the platform's defenses against similar threats. While Emby has not disclosed the exact number of impacted servers, a recent community post by Emby developer softworkz hinted at the successful takedown of a botnet composed of approximately 1,200 hacked Emby Servers. Further details are expected to be released soon. Emby remains dedicated to maintaining a secure and reliable media server platform and encourages users to stay vigilant as more information becomes available.
ABB, a Swiss-based multinational technology corporation and contractor for the United States government, has officially confirmed that it experienced a ransomware attack earlier this month that impacted certain systems. Although recognized for its proficiency in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, ABB experienced a security breach caused by an unauthorized third-party who infiltrated specific ABB systems and executed a ransomware program that could not spread itself. ## Breach Detection & Impact Assessment Implementing robust cybersecurity protocols by ABB facilitated the expeditious detection of the data breach, which triggered a thorough investigation into the matter. Initial results suggest that the perpetrators extracted particular information from the infiltrated devices. Currently, there is no empirical data indicating any immediate effect on client systems. ABB will notify the impacted parties if their data has been breached, showcasing the organization's dedication to transparency and preemptive correspondence with its stakeholders. ABB endeavors to uphold the confidence of its clientele, vendors, and persons whose personally identifiable information may have been compromised. ## Ransomware Attack Containment and Restoration ABB quickly controlled the recent [data breach](https://cyberplace.social/@GossiTheDog/110435348263242869), allowing critical services and systems to return to regular operation. Additionally, the company has implemented additional security measures to fix its network and prevent future attacks. By working closely with advisors and law enforcement, ABB aims to minimize the impact of this ransomware attack and prevent any potential recurrence. ## Threat Landscape: Black Basta Ransomware The Black Basta ransomware operators were identified as the source of the [ransomware attack on ABB](https://bit.ly/42Tp2Vc) on May 7th. Although ABB did not explicitly reveal the attackers' identity, external sources have verified the participation of the [Black Basta ransomware](https://bit.ly/38NlpJG) group. In April 2022, a Ransomware-as-a-Service (RaaS) entity known as Black Basta surfaced and promptly initiated double-extortion attacks on multiple corporate targets. The aforementioned ransomware syndicate has garnered infamy within the cybersecurity domain and has been associated with the monetarily incentivized cyber syndicate FIN7, otherwise referred to as Carbanak. The ABB cyber assault was aimed at the organization's Windows Active Directory, resulting in the compromise of numerous Windows-based systems. ABB took swift action following the security breach by immediately discontinuing VPN connections with its clients, thereby thwarting the unauthorized access of threat actors to other networks and the possibility of exacerbating the cyberattack. ## ABB's Commitment to Cybersecurity With $29.4 billion in revenue in 2022 and approximately 105,000 employees, ABB maintains a prominent position in the technology industry. The company's commitment to creating dependable industrial control systems (ICS) and SCADA systems has [attracted high-profile clients](https://new.abb.com/docs/librariesprovider15/campaigns/abb_federal-government-brochure-2022.pdf?sfvrsn=7fbc309_2) worldwide, including the U.S. Department of Defense and federal civilian agencies. ABB's proactive approach to cybersecurity includes improving its security posture continuously, collaborating with advisors and law enforcement, and implementing stringent measures to safeguard critical systems. By doing so, ABB strives to maintain the integrity of its operations and the trust of its customers, suppliers, and partners.
Threat landscape continues to evolve, with attackers employing increasingly sophisticated techniques to target sensitive information & compromise security systems. Recent reports have highlighted the emergence of phishing attacks utilizing encrypted RPMSG attachments sent through compromised Microsoft 365 accounts. These attacks pose significant risks to email security gateways and the protection of Microsoft credentials. This [Threatfeed](https://bit.ly/3Iwo62t) delves into the nature of these attacks, explores the characteristics of RPMSG files, and discusses strategies to detect, counter, and mitigate the associated risks. ## Understanding Encrypted RPMSG Attachments and Phishing Attacks Encrypted RPMSG files, short for restricted permission message files, are a file format utilized by Microsoft's Rights Management Services (RMS) to provide an extra layer of protection for sensitive information. These files allow authorized recipients to access and authenticate the content while ensuring its confidentiality. However, cybercriminals have now harnessed RPMSG attachments to deceive users and extract Microsoft credentials. Phishing attacks leveraging RPMSG attachments follow a common modus operandi. Attackers compromise Microsoft 365 accounts and use them to send phishing emails containing RPMSG files. The emails typically mimic trusted senders and employ social engineering techniques to lure recipients into opening malicious attachments. Once the recipient attempts to access the encrypted content, a fake login form is presented, which prompts the victim to enter their Microsoft account credentials. The attackers then harvest this information for malicious purposes. ## Exploiting Email Security Gateways and Concealing Attacks One of the primary challenges with these phishing attacks is their ability to evade detection by traditional email security gateways. By encrypting the message within the RPMSG file, attackers effectively conceal the malicious intent of the email, making it difficult for security systems to identify and mitigate the risks effectively. Furthermore, the RPMSG files often contain embedded links or hyperlinks that redirect unsuspecting victims to seemingly legitimate websites, such as the Office 365 sign-in page or fake SharePoint documents, creating a false sense of trust and legitimacy. ![Protected Phishing Email.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Protected_Phishing_Email_af83d179c7.jpg) ***Protected Phishing Mails*** Additionally, attackers employ techniques like Adobe's InDesign service, where a seemingly harmless document prompts users with a message such as _"Click here to Continue."_ Once clicked, the document redirects the victim to an empty page displaying the text _"Loading...Wait,"_ which is actually a delay tactic to execute a malicious script in the background. This script collects valuable system information, including visitor ID, connect token, hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture. Armed with this information, the attacker can create a cloned Microsoft 365 login form hosted on their servers, further complicating the detection process. ## Detecting, Countering, & Mitigating the Threat As these attacks continue to evolve, it is crucial to adopt proactive measures to detect, counter, and mitigate their risks. Here are some recommended strategies: 1. **Enhanced Email Scanning Gateways**: Organizations should strengthen their email security gateways by utilizing advanced threat detection mechanisms capable of analyzing encrypted attachments and identifying suspicious RPMSG files. By leveraging machine learning algorithms and anomaly detection techniques, these gateways can flag and quarantine potentially malicious emails for further analysis and investigation. 2. **Multi-Factor Authentication (MFA)**: Implementing MFA adds an additional layer of protection to Microsoft accounts, making it significantly harder for attackers to gain unauthorized access even if credentials are compromised. Enforcing MFA across all user accounts within an organization can greatly reduce the likelihood of successful phishing attacks. 3. **User Awareness and Education**: Organizations should invest in comprehensive cybersecurity awareness training for their employees, educating them about the risks associated with phishing attacks, including the specific techniques employed by attackers using encrypted RPMSG attachments. By promoting a culture of vigilance and providing employees with the necessary knowledge and tools to identify and report suspicious emails, organizations can effectively mitigate the impact of these attacks. 4. **Regular Security Updates**: Staying up to date with the latest security patches and updates for Microsoft 365 is crucial in mitigating the risks associated with phishing attacks. Microsoft frequently releases security updates and patches to address vulnerabilities exploited by attackers. By promptly applying these updates, organizations can stay one step ahead in protecting their systems and data.