FBI Spots HiatusRAT Malware Attacks Targeting Web Cameras, DVRs
Summary:
On Monday (December 16, 2024), the FBI released an advisory warning of a new HiatusRAT malware campaign that is actively scanning for and infecting vulnerable Chinese-branded web cameras and DVRs exposed to the internet. The campaign, which began in March 2024, has targeted IoT devices in the US, Australia, Canada, New Zealand, and the United Kingdom, with the actors scanning web cameras and DVRs for known vulnerabilities and weak passwords.
“In particular, the actors targeted Xiongmai and Hikvision devices with telnet access. They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access. Targeted TCP ports have included: 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575,” notes the FBI.
The FBI provided a list of CVEs that the adversaries have leveraged to deploy HiatusRAT on vulnerable devices. These flaws (CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260) allow attackers to bypass authentication, escalate privileges, inject commands, and access sensitive data. The FBI noted that many of these vulnerabilities have not been mitigated by the device vendors, and some of the affected devices have reached end of life and no longer receive security updates, which makes patching alone an insufficient mitigation.
Security Officer Comments:
According to the FBI, HiatusRAT has been observed in attacks targeting a variety of Taiwan-based organizations, as well as conducting reconnaissance on a US government server used for submitting and retrieving defense contract proposals.
HiatusRAT is a remote access trojan that has been used in cyberattacks since at least July 2022. The trojan gives the actors remote control over compromised devices, which they can then use to deploy additional payloads. By focusing on vulnerable webcams and DVRs, the actors gain a persistent, low-visibility foothold on edge devices that are rarely monitored, which supports ongoing reconnaissance and lets them closely observe their targets of interest.
Suggested Corrections:
The FBI recommends isolating or limiting the use of vulnerable devices and implementing robust cybersecurity practices to mitigate the risks posed by malicious actors. Key recommendations include regularly updating software and firmware, changing passwords frequently, enforcing strong password policies, and using multi-factor authentication where possible. Organizations should also monitor network activity, capture and audit remote access logs, and implement application whitelisting and least-privilege access controls. Additionally, network segmentation, offline backups for critical assets, and regular antivirus updates strengthen security defenses. Regular audits and scans should be conducted to verify the integrity of network systems and accounts. Because several of the exploited flaws remain unpatched and some affected models are no longer supported, the practical fix for those devices is to remove their internet exposure (telnet on the listed ports in particular), place them on a segmented network, and replace units the vendor no longer updates.
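The two behaviours the FBI describes above, wide scanning of the listed TCP ports and Medusa-style brute forcing of telnet on individual cameras, are both visible in ordinary connection logs, which is where the monitoring recommendation becomes concrete. The script below is an added example written for this page, not code from the FBI advisory or from the HiatusRAT actors' tooling. It parses Zeek-style conn.log lines (the sample lines are constructed for the demo; the IP addresses are documentation ranges), flags any source that touches the advisory's ports across several hosts, and flags any source that opens many telnet connections to one host inside a short window. The thresholds are assumptions to tune against your own baseline.

```python
"""Flag HiatusRAT-style port scanning and telnet brute forcing in conn logs.

Added example for this page, not from the FBI advisory. Field layout follows
Zeek's conn.log: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
conn_state. The sample log below is constructed for the demo.
"""
from collections import defaultdict

# TCP ports listed in the FBI advisory.
WATCHED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}

# Thresholds are assumptions for the demo; tune to your own traffic baseline.
SCAN_MIN_TARGETS = 5       # distinct (host, port) pairs from one source ...
SCAN_MIN_HOSTS = 3         # ... spread across at least this many hosts
BRUTE_MIN_ATTEMPTS = 10    # telnet connections from one source to one host ...
BRUTE_WINDOW_SECS = 300    # ... inside this many seconds


def _mk(ts, src, sport, dst, dport, state="S0"):
    """Build one constructed conn.log line (tab separated, tcp only)."""
    return f"{ts:.1f}\t{src}\t{sport}\t{dst}\t{dport}\ttcp\t{state}"


SAMPLE_LINES = [
    # Wide scan: one external source touching advisory ports on three hosts.
    _mk(1718000000.0, "203.0.113.5", 40001, "192.0.2.10", 23),
    _mk(1718000000.2, "203.0.113.5", 40002, "192.0.2.10", 554),
    _mk(1718000000.4, "203.0.113.5", 40003, "192.0.2.11", 8080),
    _mk(1718000000.6, "203.0.113.5", 40004, "192.0.2.11", 9530),
    _mk(1718000000.8, "203.0.113.5", 40005, "192.0.2.12", 2323),
    _mk(1718000001.0, "203.0.113.5", 40006, "192.0.2.12", 56575),
    # Benign: an RTSP pull from an internal recorder and two admin telnet logins.
    _mk(1718000010.0, "192.0.2.50", 51000, "192.0.2.10", 554, "SF"),
    _mk(1718000020.0, "10.0.0.3", 52000, "192.0.2.20", 23, "SF"),
    _mk(1718000080.0, "10.0.0.3", 52001, "192.0.2.20", 23, "SF"),
]
# Brute force: twelve telnet connections to one DVR in about a minute.
SAMPLE_LINES += [
    _mk(1718000100.0 + 5 * i, "198.51.100.7", 43000 + i, "192.0.2.20", 23, "RSTO")
    for i in range(12)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_conn_log(text):
    """Return a list of dicts for tcp records; skips comments and short lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 7 or f[5] != "tcp":
            continue
        records.append({"ts": float(f[0]), "src": f[1], "dst": f[3],
                        "dport": int(f[4]), "state": f[6]})
    return records


def find_scanners(records):
    """Sources touching many distinct (host, port) pairs on the watched ports."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] in WATCHED_PORTS:
            targets[r["src"]].add((r["dst"], r["dport"]))
    hits = {}
    for src, pairs in targets.items():
        hosts = {h for h, _ in pairs}
        if len(pairs) >= SCAN_MIN_TARGETS and len(hosts) >= SCAN_MIN_HOSTS:
            hits[src] = sorted(pairs)
    return hits


def find_telnet_bruteforce(records):
    """(src, dst) pairs with many telnet connections inside the window."""
    by_pair = defaultdict(list)
    for r in records:
        if r["dport"] in TELNET_PORTS:
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        lo, best = 0, 0
        # Sliding window: largest number of attempts within BRUTE_WINDOW_SECS.
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > BRUTE_WINDOW_SECS:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= BRUTE_MIN_ATTEMPTS:
            hits[pair] = best
    return hits


def analyse(text):
    """Run both detections over raw conn.log text."""
    records = parse_conn_log(text)
    return {"scanners": find_scanners(records),
            "bruteforce": find_telnet_bruteforce(records)}


if __name__ == "__main__":
    for kind, found in analyse(SAMPLE_LOG).items():
        for key, detail in found.items():
            print(f"{kind}: {key} -> {detail}")
```

Run against a real conn.log by reading the file into `analyse()`; the `_mk` helper and `SAMPLE_LOG` exist only to make the demo self-contained. The legitimate RTSP pull and the two administrative telnet logins in the sample stay below both thresholds, which is the point of keying the scan rule on host spread and the brute-force rule on attempts per window rather than on any single connection to a watched port.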
Link(s):
https://www.ic3.gov/CSA/2024/241216.pdf
https://www.bleepingcomputer.com/ne...t-malware-attacks-targeting-web-cameras-dvrs/