HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

Cyber Security Threat Summary:
“The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week. The cybersecurity firm described the activity cluster as "brazen" and "one of the most audacious," indicating no signs of slowing down. The identity and the origin of the threat actors are presently unknown. Targets included commercial firms, such as semiconductor and chemical manufacturers, and at least one municipal government organization in Taiwan as well as a U.S. Department of Defense (DoD) server associated with submitting and retrieving proposals for defense contracts” (The Hacker News, 2023).

Security Officer Comments:
HiatusRAT was first documented by researchers in March 2023, after it was observed targeting business-grade routers located in Latin America and Europe. In the latest campaign, observed from mid-June through August 2023, the threat actors deployed pre-built HiatusRAT binaries compiled for Arm, Intel 80386, and x86-64 architectures, alongside MIPS, MIPS64, and i386. According to Black Lotus Labs, over 91% of the inbound connections to the servers hosting these binaries originated from Taiwan, with the actors particularly targeting Ruckus-manufactured edge devices. Researchers also observed two IP addresses, 207.246.80[.]240 and 45.63.70[.]57, used by the actors to connect to a DoD server on June 13 for roughly two hours, which led to 11 MB of data being transferred. At the moment, the motive behind the latest campaign is unclear. However, researchers suspect the adversaries may have been looking for publicly available information on current and future military contracts to support future targeting.
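As an added example (not part of the advisory or of Black Lotus Labs' tooling), the following Python script shows how a defender could sweep firewall or proxy logs for sessions involving the two actor IP addresses named above and summarize hit count, data volume, and the time window of the activity. The log format and the log lines are constructed for this example; adjust `LINE_RE` to your own export format.

```python
import re
from datetime import datetime

# Actor infrastructure named in the advisory (defanged there; re-fanged here for matching).
HIATUS_IOCS = {"207.246.80.240", "45.63.70.57"}

# Constructed sample log lines in a simple key=value firewall format (not real traffic).
SAMPLE_LOG = """\
2023-06-13T09:02:11Z allow src=207.246.80.240 dst=10.0.0.25 dport=443 bytes=512000
2023-06-13T09:40:55Z allow src=207.246.80.240 dst=10.0.0.25 dport=443 bytes=5200000
2023-06-13T10:58:03Z allow src=45.63.70.57 dst=10.0.0.25 dport=443 bytes=5800000
2023-06-13T11:05:19Z allow src=198.51.100.7 dst=10.0.0.25 dport=443 bytes=1024
"""

# Assumed log layout: "<ISO timestamp> <action> src=<ip> dst=<ip> dport=<n> bytes=<n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize_ioc_hits(log_text, iocs=HIATUS_IOCS):
    """Return {ioc_ip: {"hits", "bytes", "first", "last"}} for lines whose src or dst is an IoC."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = next((addr for addr in (rec["src"], rec["dst"]) if addr in iocs), None)
        if ip is None:
            continue
        h = hits.setdefault(ip, {"hits": 0, "bytes": 0, "first": rec["ts"], "last": rec["ts"]})
        h["hits"] += 1
        h["bytes"] += rec["bytes"]
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
    return hits


def activity_window_minutes(hits):
    """Whole minutes between the earliest and latest IoC-related log entry (0 if none)."""
    if not hits:
        return 0
    first = min(h["first"] for h in hits.values())
    last = max(h["last"] for h in hits.values())
    return int((last - first).total_seconds() // 60)
```

Run `summarize_ioc_hits(SAMPLE_LOG)` to see the per-IP summary; on the constructed lines it reports roughly 11.5 MB exchanged across a window of just under two hours, which mirrors the pattern described in the advisory.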

Suggested Correction(s):
Black Lotus Labs recommends the following to defend against potential attacks:

  • Deploy comprehensive Secure Access Service Edge (SASE) or similar solutions that use VPN-based access to protect data and bolster the organization's security posture.
  • Enable the latest cryptographic protocols to help protect data in transit, such as only using email services that rely upon SSL and TLS. Examples of more secure email services include secure Simple Mail Transfer Protocol (defined in RFC 2821, using the feature that terminates the session if a secure connection cannot be established), encrypted IMAP, and encrypted POP3 (defined in RFC 2595, which uses ports 993 and 995).
Consumers with self-managed routers should follow best practices and regularly monitor, reboot, and install security updates and patches. End-of-life devices should be replaced with vendor-supported models to ensure patching against known vulnerabilities.