HiatusRAT Campaign Targets Web Cameras and DVRs: FBI Warns of Rising IoT Exploits

by do son · December 17, 2024

The FBI, in collaboration with CISA, has issued a new alert regarding the HiatusRAT malware campaign. The latest iteration of the campaign has shifted its focus to Internet of Things (IoT) devices, particularly Chinese-branded web cameras and DVR systems, posing a significant threat to organizations worldwide.

HiatusRAT, a Remote Access Trojan (RAT), has been actively employed by malicious actors since July 2022. Originally, the malware targeted outdated network edge devices to collect traffic and build covert command-and-control (C2) infrastructures. However, recent developments reveal that attackers are now scanning for vulnerabilities in web cameras and DVR systems, particularly from Xiongmai and Hikvision.

The FBI highlights: “In March 2024, HiatusRAT actors conducted a scanning campaign targeting IoT devices in the US, Australia, Canada, New Zealand, and the United Kingdom.”

The campaign exploits a range of well-known vulnerabilities, including:

CVE-2017-7921: Improper authentication in multiple Hikvision camera models, allowing privilege escalation.
CVE-2018-9995: DVR systems permitting attackers to bypass authentication using crafted headers.
CVE-2021-33044 and CVE-2021-36260: Command injection and identity bypass vulnerabilities in Dahua and Hikvision devices.

Attackers leverage tools like Ingram (a webcam-scanning utility from GitHub) and Medusa (an open-source brute-force tool) to identify vulnerable devices. The FBI notes: “Actors scanned web cameras and DVRs for vulnerabilities… and targeted Hikvision devices with telnet access.”

The targeted TCP ports include: 23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575.

Web cameras and DVRs are attractive targets for attackers due to their:

Default or weak passwords: Many devices retain factory settings, providing easy access.
Outdated firmware: Vendors often fail to release or distribute timely patches.
Network visibility: Once compromised, these devices can serve as footholds for lateral movement within networks.

The FBI warns that compromised devices can be used for:

Reconnaissance: Gathering sensitive data or credentials.
Botnets: Creating C2 infrastructure for further attacks.
Malware Deployment: Serving as launch points for ransomware or espionage operations.

The FBI has issued a set of recommendations to mitigate the HiatusRAT threat, urging organizations and individuals to:

Patch and Update Devices: Apply the latest firmware updates from manufacturers. Replace unsupported devices.
Change Default Passwords: Enforce strong and unique passwords, avoiding factory defaults.
Network Segmentation: Isolate IoT devices from critical systems.
Disable Unnecessary Ports: Regularly scan and close unused or vulnerable ports.
Enable Multi-Factor Authentication (MFA): Protect administrative interfaces and accounts.
Monitor Traffic: Deploy security tools to detect abnormal activity, such as unexplained outbound connections.