FBI Warns of HiatusRAT Malware Attacks Targeting Web Cameras and DVRs

The FBI warns of widespread HiatusRAT malware attacks targeting vulnerable web cameras and DVRs, primarily Chinese-branded devices, by exploiting known vulnerabilities and weak passwords. Urgent action is needed to mitigate the risk.

    FBI Issues Urgent Warning: HiatusRAT Malware Exploits Vulnerable Web Cameras and DVRs

    The Federal Bureau of Investigation (FBI) has issued a stark warning regarding a surge in attacks leveraging the HiatusRAT malware. This malicious software is specifically targeting internet-connected web cameras and digital video recorders (DVRs), exploiting known vulnerabilities and weak passwords to gain unauthorized access.

    HiatusRAT Malware: Technical Details and Targets

    The FBI’s Private Industry Notification (PIN) describes a concerning trend. Attackers are concentrating on Chinese-branded devices, many of which are still awaiting security patches or have already reached end-of-life and will never receive them. The PIN specifically names CVE-2017-7921 (Hikvision authentication bypass), CVE-2018-9995 (TBK DVR authentication bypass), CVE-2020-25078 (D-Link DCS camera administrator password disclosure), CVE-2021-33044 (Dahua authentication bypass), and CVE-2021-36260 (Hikvision command injection), all of which have been public for years.

    The attackers rely on readily available tools: Ingram, an open-source web camera vulnerability scanner, and Medusa, an open-source credential brute-forcer. The targeted devices frequently expose TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 to the internet. Hikvision and Xiongmai devices with telnet enabled are particularly at risk, since telnet gives a successful password guess or exploit a direct interactive shell.

    “In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom,” the FBI stated. The agency highlights the use of telnet access as a critical vulnerability.
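    Defenders can turn the port list above into a quick self-audit of their own camera and DVR segment. The script below, an added example rather than anything from the FBI notification, parses nmap grepable output (the -oG format) and flags every host with one of the listed ports open, ranking telnet exposure (23 or 2323) highest. The scan text embedded in it is constructed sample data, and the host names are hypothetical.

```python
"""Triage an nmap grepable (-oG) scan of a camera/DVR segment against the TCP
ports the FBI PIN lists as commonly exposed on HiatusRAT-targeted devices.
Added example; the SCAN text below is constructed, not real nmap output."""
import re
from dataclasses import dataclass

# TCP ports the FBI notification lists as frequently exposed on targeted devices.
HIATUSRAT_PORTS = {23, 26, 554, 567, 2323, 5523, 8080, 9530, 56575}
# Telnet and its common alternate port; the PIN singles out telnet access.
TELNET_PORTS = {23, 2323}

# Constructed sample in nmap -oG format (fields on a host line are tab-separated;
# each port entry is port/state/proto/owner/service/rpcinfo/version/).
SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, not real output)
Host: 192.0.2.10 (cam-lobby)\tPorts: 23/open/tcp//telnet///, 554/open/tcp//rtsp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.11 (dvr-backroom)\tPorts: 554/open/tcp//rtsp///, 9530/open/tcp//unknown///\tIgnored State: closed (998)
Host: 192.0.2.12 (cam-parking)\tPorts: 443/open/tcp//https///, 2323/filtered/tcp//3d-nfsd///\tIgnored State: closed (998)
Host: 192.0.2.13 (nas)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


@dataclass
class Finding:
    host: str
    open_ports: list      # HiatusRAT-listed TCP ports found open, ascending
    telnet_exposed: bool
    priority: str         # "high" if telnet is reachable, else "medium"


def parse_grepable(text):
    """Yield (host, [(port, state, proto, service), ...]) per -oG host line."""
    for line in text.splitlines():
        m = _HOST_RE.match(line.strip())
        if not m:
            continue  # comments, 'Status:' lines, hosts with no Ports field
        host, _name, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop 'Ignored State: ...'
        entries = []
        for item in ports_field.split(","):
            parts = item.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            entries.append((int(parts[0]), parts[1], parts[2], parts[4]))
        yield host, entries


def triage(text):
    """Return Findings for hosts exposing listed ports, worst first."""
    findings = []
    for host, entries in parse_grepable(text):
        exposed = sorted({p for p, state, proto, _svc in entries
                          if proto == "tcp" and state == "open"
                          and p in HIATUSRAT_PORTS})
        if not exposed:
            continue
        telnet = any(p in TELNET_PORTS for p in exposed)
        findings.append(Finding(host, exposed, telnet,
                                "high" if telnet else "medium"))
    findings.sort(key=lambda f: (f.priority != "high", f.host))
    return findings


if __name__ == "__main__":
    for f in triage(SCAN):
        action = "disable telnet / isolate now" if f.telnet_exposed else "isolate and patch"
        print(f"{f.priority:6} {f.host:12} ports={f.open_ports} -> {action}")
```

    To produce real input, scan only a segment you own, for example `nmap -sT -p 23,26,554,567,2323,5523,8080,9530,56575 -oG cams.gnmap 192.0.2.0/24`, then pass the file contents to `triage()`. Note that a port reported as filtered (the 2323 entry on the third sample host) is deliberately not counted: the script reports confirmed exposure, not guesses.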

    The Scope of the HiatusRAT Malware Threat

    This campaign is not an isolated incident. Earlier HiatusRAT activity included reconnaissance against a US Department of Defense server and the compromise of hundreds of businesses across North America, Europe, and South America. In that campaign, DrayTek Vigor VPN routers were infected and chained into a covert proxy network.

    Lumen Technologies’ Black Lotus Labs, which first documented HiatusRAT, explains that the malware’s primary job is to stage additional payloads on infected devices and turn them into SOCKS5 proxies that relay traffic to the operators’ command-and-control servers, masking where the activity really originates. Lumen assesses that the shift in targeting and collection aligns with Chinese strategic interests, a connection also noted in the Office of the Director of National Intelligence’s 2023 annual threat assessment.

    Mitigating the Risk of HiatusRAT Malware Infections

    The FBI advises network defenders to act now to reduce exposure: limit the use of vulnerable devices, or isolate them on their own segment so a compromised camera or DVR cannot be used for lateral movement. System administrators and security teams should report suspected indicators of compromise (IOCs) to the FBI’s Internet Crime Complaint Center or their local FBI field office; timely reporting feeds the bureau’s ongoing tracking of the campaign.

    Staying Ahead of the HiatusRAT Malware Threat

    The HiatusRAT campaign is another reminder that unpatched, internet-exposed IoT devices are a standing target. The practical defenses are the familiar ones: patch or retire end-of-life cameras and DVRs, disable telnet and other management services that do not need to face the internet, replace default and weak passwords, and keep these devices on a segmented network so that a compromise cannot spread. Cooperation between security vendors such as Lumen and law enforcement is what produced this warning; acting on it is now up to device owners and operators.
