HiatusRAT Campaign Targets Web Cameras and DVRs: FBI Warns of Rising IoT Exploits
The FBI, in collaboration with CISA, has issued a new alert regarding the HiatusRAT malware campaign. The latest iteration of the campaign has shifted its focus to Internet of Things (IoT) devices, particularly Chinese-branded web cameras and DVR systems, posing a significant threat to organizations worldwide.
HiatusRAT, a Remote Access Trojan (RAT), has been actively employed by malicious actors since July 2022. Originally, the malware targeted outdated network edge devices to collect traffic and build covert command-and-control (C2) infrastructures. However, recent developments reveal that attackers are now scanning for vulnerabilities in web cameras and DVR systems, particularly from Xiongmai and Hikvision.
The FBI highlights: “In March 2024, HiatusRAT actors conducted a scanning campaign targeting IoT devices in the US, Australia, Canada, New Zealand, and the United Kingdom.”
The campaign exploits a range of well-known vulnerabilities, including:
- CVE-2017-7921: Improper authentication in multiple Hikvision camera models, allowing privilege escalation.
- CVE-2018-9995: DVR systems permitting attackers to bypass authentication using crafted headers.
- CVE-2021-33044 and CVE-2021-36260: Identity authentication bypass in Dahua devices and command injection in Hikvision devices, respectively.
Attackers leverage tools like Ingram (a webcam-scanning utility from GitHub) and Medusa (an open-source brute-force tool) to identify vulnerable devices. The FBI notes: “Actors scanned web cameras and DVRs for vulnerabilities… and targeted Hikvision devices with telnet access.”
The targeted TCP ports include: 23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575.
Web cameras and DVRs are attractive targets for attackers due to their:
- Default or weak passwords: Many devices retain factory settings, providing easy access.
- Outdated firmware: Vendors often fail to release or distribute timely patches.
- Network visibility: Once compromised, these devices can serve as footholds for lateral movement within networks.
The FBI warns that compromised devices can be used for:
- Reconnaissance: Gathering sensitive data or credentials.
- Botnets: Creating C2 infrastructure for further attacks.
- Malware Deployment: Serving as launch points for ransomware or espionage operations.
The FBI has issued a set of recommendations to mitigate the HiatusRAT threat, urging organizations and individuals to:
- Patch and Update Devices: Apply the latest firmware updates from manufacturers. Replace unsupported devices.
- Change Default Passwords: Enforce strong and unique passwords, avoiding factory defaults.
- Network Segmentation: Isolate IoT devices from critical systems.
- Disable Unnecessary Ports: Regularly scan and close unused or vulnerable ports.
- Enable Multi-Factor Authentication (MFA): Protect administrative interfaces and accounts.
- Monitor Traffic: Deploy security tools to detect abnormal activity, such as unexplained outbound connections.
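The port list above and the "Monitor Traffic" recommendation can be turned into a simple triage pass over network flow logs. The script below is an added example, not code from the FBI/CISA alert: it flags any external source that probes several hosts in the camera/DVR segment on the listed ports (the scanning pattern the alert describes), and any IoT device that initiates an outbound connection to a destination outside an allowlist (the "unexplained outbound connections" indicator). The flow-record format, the `10.50.0.0/24` IoT segment, the allowlist entries, the threshold, and the sample flows are all constructed assumptions for illustration.

```python
"""Flow-log triage for the HiatusRAT IoT scanning pattern.

Added example; not from the FBI/CISA alert. The flow format, network
ranges, threshold and sample records below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# TCP ports the alert lists as targeted by the scanning campaign.
TARGETED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Assumption: cameras and DVRs live in a dedicated, segmented range.
IOT_SEGMENT = ip_network("10.50.0.0/24")

# Assumption: the only destinations IoT devices may legitimately reach
# (their own segment plus an internal NTP/NVR host, both placeholders).
OUTBOUND_ALLOWLIST = [ip_network("10.50.0.0/24"), ip_network("10.10.0.5/32")]

# A single external source hitting at least this many distinct IoT hosts
# on targeted ports is treated as a scanner.
SCAN_HOST_THRESHOLD = 3


def parse_flow(line):
    """Parse one constructed flow record: 'ts src sport dst dport proto'."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport), "proto": proto}


def in_allowlist(addr):
    """True if addr falls inside any allowlisted network."""
    return any(addr in net for net in OUTBOUND_ALLOWLIST)


def triage(lines):
    """Return (scanners, unexplained_outbound).

    scanners: {source_ip: number of distinct IoT hosts probed on targeted ports}
    unexplained_outbound: [(ts, iot_src, dst, dport)] for non-allowlisted egress
    """
    probes = defaultdict(set)  # external source -> IoT hosts it probed
    outbound = []
    for line in lines:
        f = parse_flow(line)
        src_iot = f["src"] in IOT_SEGMENT
        dst_iot = f["dst"] in IOT_SEGMENT
        # Inbound probe from outside the segment on a campaign-targeted port.
        if dst_iot and not src_iot and f["dport"] in TARGETED_PORTS:
            probes[f["src"]].add(f["dst"])
        # IoT device initiating a connection to something not on the allowlist.
        if src_iot and not in_allowlist(f["dst"]):
            outbound.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"]))
    scanners = {str(src): len(hosts) for src, hosts in probes.items()
                if len(hosts) >= SCAN_HOST_THRESHOLD}
    return scanners, outbound


# Constructed sample flows (RFC 5737 documentation addresses for externals).
SAMPLE_FLOWS = [
    "2024-03-05T10:00:01 203.0.113.7 44112 10.50.0.10 23 tcp",
    "2024-03-05T10:00:01 203.0.113.7 44113 10.50.0.10 2323 tcp",
    "2024-03-05T10:00:02 203.0.113.7 44114 10.50.0.11 554 tcp",
    "2024-03-05T10:00:02 203.0.113.7 44115 10.50.0.12 8080 tcp",
    "2024-03-05T10:00:03 203.0.113.7 44116 10.50.0.13 56575 tcp",
    "2024-03-05T10:00:09 198.51.100.4 51000 10.50.0.10 443 tcp",  # not a targeted port
    "2024-03-05T10:01:00 10.50.0.12 40000 10.10.0.5 123 udp",     # allowlisted NTP host
    "2024-03-05T10:01:30 10.50.0.11 40100 192.0.2.50 8443 tcp",   # unexplained egress
    "2024-03-05T10:02:00 10.50.0.10 40200 10.50.0.11 554 tcp",    # intra-segment, allowed
]

if __name__ == "__main__":
    scanners, egress = triage(SAMPLE_FLOWS)
    for src, count in scanners.items():
        print(f"SCAN  {src} probed {count} IoT hosts on targeted ports")
    for ts, src, dst, dport in egress:
        print(f"EGRESS {ts} {src} -> {dst}:{dport} (not allowlisted)")
```

On the sample data the external host 203.0.113.7 is reported as a scanner (four distinct cameras/DVRs touched on ports 23, 2323, 554, 8080 and 56575), while 198.51.100.4 is not, because port 443 is not in the campaign's list; the camera 10.50.0.11 is reported for its connection to 192.0.2.50:8443, which is exactly the kind of outbound traffic from a device that should only ever talk to its NVR or NTP server that the alert says to look for. In production the allowlist and segment would come from the asset inventory, and a device in the egress list is a candidate for firmware verification and a credential reset.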