FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs

****KEY SUMMARY POINTS****

• FBI Alert on HiatusRAT: The FBI issued a Private Industry Notification (PIN) warning about HiatusRAT malware campaigns targeting Chinese-branded web cameras and DVRs, leveraging remote access for device infiltration.

• Evolving Cyber Threat: HiatusRAT, active since 2022, has been used to exploit outdated network devices, Taiwanese organizations, and a US government server. Recent campaigns focus on webcams and DVRs across the US, Canada, the UK, Australia, and New Zealand.

• Exploitation of Vulnerabilities: Hackers are exploiting unpatched security flaws in devices like Hikvision and D-Link using tools like Ingram and Medusa, targeting TCP ports such as 23, 554, and 8080.

• Mitigation Efforts: The FBI recommends isolating vulnerable devices from networks, implementing multi-factor authentication, enforcing strong password policies, and promptly updating firmware and software.

• Collaborative Response: Sonu Shankar, a former federal critical infrastructure official, is collaborating with CISOs to address the escalating threat posed by these campaigns.

The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting Chinese-branded web cameras and DVRs. These attacks leverage a remote access trojan (RAT) called HiatusRAT, which grants remote access to compromised devices.

HiatusRAT has been evolving since at least July 2022, and cybercriminals have used it to infiltrate outdated network devices, Taiwanese organizations, and even a US government server. Previous HiatusRAT campaigns have targeted edge routers to collect traffic passively and function as a covert command-and-control network. In March 2024, HiatusRAT actors launched a large-scale scanning campaign focusing on webcams and DVRs in the US, Canada, UK, Australia, and New Zealand.

Hackers are exploiting security weaknesses in devices like Hikvision cameras and D-Link devices as many vendors haven’t addressed critical vulnerabilities like CVE-2017-7921 (Hikvision cameras), CVE-2020-25078 (D-Link devices), CVE-2018-9995, CVE-2021-33044, and CVE-2021-36260, among others.

They are exploiting unpatched flaws targeting devices with telnet access, an insecure remote access protocol, and even brute-forcing access. The actors targeted Xiongmai and Hikvision devices with telnet access using webcam-scanning tools Ingram and Medusa.

“They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access,” the PIN (PDF) read. Targeted TCP ports included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.

The FBI advises companies to limit the use of devices mentioned in the PIN and isolate them from their network. They should regularly monitor networks and employ best cybersecurity practices, including reviewing security policies, user agreements, and patching plans.

Furthermore, companies should patch and update operating systems, software, and firmware as soon as manufacturer updates are available change network system and account passwords regularly, enforce a strong password policy, and require multi-factor authentication whenever possible.

1. FBI: Chinese Hackers Compromised US Telecom Networks
2. Tech Support Courier Scam Aiming at Cash and Metals, FBI
3. FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet
4. FBI: Androxgh0st Malware Building Botnet for Credential Theft
5. FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking