Medusa

The FBI has issued a warning about HiatusRAT malware that targets vulnerable web cameras and DVRs, particularly focusing on Chinese-branded devices lacking security updates. In March 2024, HiatusRAT actors conducted a scanning campaign against Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the UK. They exploit known vulnerabilities, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260, as well as weak vendor-supplied passwords. Primary targets include Hikvision and Xiongmai devices with telnet access. Attackers use tools like Ingram and Medusa to exploit devices with exposed TCP ports such as 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575. The FBI recommends limiting the use of affected devices and isolating them from broader networks. Previous attacks linked to HiatusRAT include targeting a Defense Department server and compromising businesses through DrayTek Vigor VPN routers. Lumen, a cybersecurity firm, noted that HiatusRAT is designed to deploy additional payloads and turn compromised systems into SOCKS5 proxies. The targeting strategy aligns with broader Chinese strategic interests as highlighted in the 2023 annual threat assessment by the Office of the Director of National Intelligence.