FBI spots HiatusRAT malware attacks targeting web cameras, DVRs

FBI Issues Warning on HiatusRAT Malware Targeting Vulnerable Devices

The FBI has issued a warning about HiatusRAT malware, which is actively scanning for and compromising vulnerable web cameras and DVRs that are exposed to the internet. The alert, issued as a private industry notification (PIN) on Monday, says the attackers are concentrating on Chinese-branded devices that are still awaiting critical security patches or have already reached end of life.

According to the FBI, “In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom.” The attackers have been probing web cameras and DVRs for known vulnerabilities, including:

  • CVE-2017-7921
  • CVE-2018-9995
  • CVE-2020-25078
  • CVE-2021-33044
  • CVE-2021-36260

Additionally, the attackers exploit weak vendor-supplied passwords to gain access. The primary targets of these campaigns are Hikvision and Xiongmai devices that expose telnet access. The attackers use tools such as Ingram, an open-source web camera vulnerability scanner, and Medusa, an open-source brute-force authentication tool, to carry out their operations.

Their efforts have been directed at devices with various TCP ports exposed to the internet, including 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575. In light of these developments, the FBI has recommended that network defenders limit the use of the affected devices and consider isolating them from broader networks to prevent potential breaches and lateral movements following successful HiatusRAT attacks. Furthermore, system administrators and cybersecurity professionals are encouraged to report any suspected indicators of compromise (IOC) to the FBI’s Internet Crime Complaint Center or their local field office.
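As an added example (not from the FBI notice or from any tool it names), this script checks constructed iptables-style firewall log lines for inbound TCP connections from non-RFC 1918 sources to the ports listed above and flags sources that touch several of them, which is the scanning pattern the notice describes. The log format, field names and sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# TCP ports the FBI PIN names as exposed on the targeted cameras and DVRs.
HIATUSRAT_PORTS = {23, 26, 554, 567, 2323, 5523, 8080, 9530, 56575}

# RFC 1918 ranges; any other source is treated as coming from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-style log lines (not real traffic).
SAMPLE_LOGS = """\
Mar 14 02:11:05 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=23
Mar 14 02:11:06 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.168.1.20 PROTO=TCP SPT=51235 DPT=2323
Mar 14 02:11:07 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.168.1.21 PROTO=TCP SPT=51236 DPT=9530
Mar 14 02:12:00 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=554
Mar 14 02:13:30 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.22 PROTO=TCP SPT=44444 DPT=443
Mar 14 02:14:00 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=UDP SPT=1234 DPT=23
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def external_hits(log_text: str) -> dict[str, set[int]]:
    """Map each external source IP to the watched TCP ports it connected to."""
    hits: dict[str, set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP":
            continue
        port = int(m["dpt"])
        src = ipaddress.ip_address(m["src"])
        # Internal-to-internal traffic is out of scope for this exposure check.
        if any(src in net for net in INTERNAL_NETS) or port not in HIATUSRAT_PORTS:
            continue
        hits[str(src)].add(port)
    return dict(hits)


def likely_scanners(hits: dict[str, set[int]], min_ports: int = 2) -> list[str]:
    """Sources touching several watched ports match the PIN's scanning pattern."""
    return sorted(src for src, ports in hits.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    h = external_hits(SAMPLE_LOGS)
    print({src: sorted(ports) for src, ports in h.items()}, likely_scanners(h))
```

Any device answering on these ports from the internet is a candidate for the isolation the FBI recommends; the private-source and non-watched-port lines in the sample are deliberately left unflagged to show the filter's scope.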

This recent campaign follows two previous series of attacks: one that targeted a Defense Department server in a reconnaissance effort and another wave that compromised over a hundred businesses across North America, Europe, and South America by infecting DrayTek Vigor VPN routers with HiatusRAT, effectively creating a covert proxy network.

Lumen, the cybersecurity firm that first identified HiatusRAT, noted that this malware is primarily designed to deploy additional payloads on infected devices, transforming compromised systems into SOCKS5 proxies for communication with command-and-control servers. The shift in HiatusRAT’s targeting strategy and information-gathering methods appears to align with broader Chinese strategic interests, a connection also underscored in the Office of the Director of National Intelligence’s 2023 annual threat assessment.