FBI Issues Warning About HiatusRAT Malware Attacks on Web Cameras and DVRs

December 16, 2024

The FBI has issued a warning about a new wave of HiatusRAT malware attacks that specifically target vulnerable, internet-exposed web cameras and DVRs. The malware primarily attacks Chinese-branded devices that are either still awaiting security patches or have already reached end of life.

In a private industry notification (PIN) released on Monday, the FBI detailed that the threat actors are focusing on IoT devices in the US, Australia, Canada, New Zealand, and the UK. The actors are scanning web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords.

The threat actors predominantly target Hikvision and Xiongmai devices that have telnet reachable, using Ingram, an open-source web camera vulnerability scanning tool, and Medusa, an open-source authentication brute-force tool. The attacks target web cameras and DVRs that expose TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 to the internet.

The FBI is advising network defenders to limit the use of the devices mentioned in the PIN and/or isolate them from the rest of their networks to prevent breach and lateral movement attempts following successful HiatusRAT malware attacks. The FBI is also urging system administrators and cybersecurity professionals to report suspected indications of compromise (IOC) to the FBI's Internet Crime Complaint Center or their local FBI field office.
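One way a defender can act on the indicators above (the scanned ports, the probed CVEs, the named vendors, the weak-password and end-of-life conditions) is to run an existing asset inventory through a triage pass that flags devices matching the campaign's risk profile and assigns an isolate/restrict/patch priority. The following is an added example, not code from the FBI PIN or the article: the `Device` record, the sample inventory entries and the priority tiers are this example's own constructions, and the inventory data would normally come from your asset management or vulnerability scanner output.

```python
# Added example: triage an asset inventory against the indicators reported
# in the FBI PIN as described in the article. Device records below are
# constructed for illustration; they are not real assets.
from dataclasses import dataclass

# TCP ports the article says the campaign scans for when internet-exposed.
HIATUSRAT_SCANNED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
# CVEs the PIN lists as being probed on web cameras and DVRs.
HIATUSRAT_PROBED_CVES = {
    "CVE-2017-7921", "CVE-2018-9995", "CVE-2020-25078",
    "CVE-2021-33044", "CVE-2021-36260",
}
# Vendors the article names as predominantly targeted.
TARGETED_VENDORS = {"hikvision", "xiongmai"}
TELNET_PORTS = {23, 2323}


@dataclass
class Device:
    """Hypothetical inventory record (assumed shape, not a real schema)."""
    name: str
    vendor: str
    internet_exposed_ports: set   # TCP ports reachable from the internet
    unpatched_cves: set           # CVE ids still open per vuln scanner
    end_of_life: bool             # vendor no longer ships patches
    default_credentials: bool     # vendor-supplied password still in use


def triage(device):
    """Return the list of reasons a device matches the campaign's profile."""
    reasons = []
    exposed = device.internet_exposed_ports & HIATUSRAT_SCANNED_PORTS
    if exposed:
        reasons.append(f"campaign-scanned ports exposed: {sorted(exposed)}")
    if (device.internet_exposed_ports & TELNET_PORTS
            and device.vendor.lower() in TARGETED_VENDORS):
        reasons.append("targeted vendor with telnet reachable from the internet")
    probed = device.unpatched_cves & HIATUSRAT_PROBED_CVES
    if probed:
        reasons.append(f"unpatched CVEs probed by the campaign: {sorted(probed)}")
    if device.default_credentials:
        reasons.append("vendor-supplied password still in use")
    if device.end_of_life:
        reasons.append("end-of-life device, no patches coming")
    return reasons


def priority(device, reasons):
    """Map findings to an action tier (tiers are this example's own choice)."""
    exposed = bool(device.internet_exposed_ports & HIATUSRAT_SCANNED_PORTS)
    exploitable = bool(device.unpatched_cves & HIATUSRAT_PROBED_CVES) \
        or device.default_credentials or device.end_of_life
    if exposed and exploitable:
        return "isolate"    # segment off now, as the PIN advises
    if exposed:
        return "restrict"   # remove internet exposure of the listed ports
    if reasons:
        return "patch"      # not exposed, but fix before it becomes so
    return "ok"


def triage_inventory(devices):
    """Return {device name: (priority, reasons)} for the whole inventory."""
    report = {}
    for d in devices:
        reasons = triage(d)
        report[d.name] = (priority(d, reasons), reasons)
    return report


# Constructed sample inventory (not real assets).
INVENTORY = [
    Device("lobby-cam-01", "Hikvision", {554, 8080}, {"CVE-2021-36260"}, False, False),
    Device("warehouse-dvr", "Xiongmai", {23, 9530}, set(), True, True),
    Device("parking-cam", "Hikvision", {554}, set(), False, False),
    Device("office-nvr", "OtherVendor", {443}, set(), False, False),
]

if __name__ == "__main__":
    for name, (tier, reasons) in triage_inventory(INVENTORY).items():
        print(f"{name:14} {tier:8} {'; '.join(reasons) or '-'}")
```

Devices in the "isolate" tier are the ones the PIN's guidance is aimed at: they are both reachable on a port the campaign scans and carry a condition the actors are known to exploit, so segmenting them from the rest of the network should come before any patching work.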

This campaign follows two other series of attacks: one that also targeted a Defense Department server in a reconnaissance attack and an earlier wave of attacks in which more than a hundred businesses from North America, Europe, and South America had their DrayTek Vigor VPN routers infected with HiatusRAT to create a covert proxy network.

Lumen, the cybersecurity company that first identified HiatusRAT, stated that this malware is primarily used to deploy additional payloads on infected devices, converting the compromised systems into SOCKS5 proxies for command-and-control server communication. The shift in HiatusRAT's targeting preference and information gathering aligns with Chinese strategic interests, a connection also underscored in the Office of the Director of National Intelligence's 2023 annual threat assessment.
