The Federal Bureau of Investigation (FBI) has issued a Private Industry Notification (PIN) alerting cybersecurity professionals and system administrators about a new threat targeting web cameras and digital video recorders (DVRs).
The malware, known as HiatusRAT, is actively scanning for vulnerabilities in these devices, particularly those of Chinese origin.
HiatusRAT, a Remote Access Trojan (RAT), has been in operation since July 2022. This sophisticated malware allows cybercriminals to take control of targeted devices remotely.
Initially focused on outdated network edge devices, the Hiatus campaign has expanded its scope to include a range of organizations in Taiwan and even reconnaissance against a U.S. government server used for defense contract proposals.
HiatusRAT Attacking Web Cameras & DVRs
In March 2024, HiatusRAT actors launched a widespread scanning campaign targeting Internet of Things (IoT) devices across the United States, Australia, Canada, New Zealand, and the United Kingdom.
The attackers are specifically looking for vulnerabilities in web cameras and DVRs, including several critical security flaws that manufacturers have not yet patched.
The FBI notification highlights that the cybercriminals are particularly interested in Xiongmai and Hikvision devices with telnet access.
They employ various tools in their attacks, including Ingram, a webcam-scanning tool available on GitHub, and Medusa, an open-source brute-force authentication cracking tool.
Several vulnerabilities are being exploited by the HiatusRAT actors, including:
- CVE-2017-7921: An improper authentication vulnerability affecting various Hikvision camera models.
- CVE-2018-9995: A flaw in multiple DVR brands allowing remote attackers to bypass authentication.
- CVE-2020-25078: A vulnerability in certain D-Link camera models enabling remote administrator password disclosure.
- CVE-2021-33044: An identity authentication bypass vulnerability in some Dahua products.
- CVE-2021-36260: A command injection vulnerability in the web server of some Hikvision products.
The FBI strongly recommends that organizations limit the use of affected devices or isolate them from the rest of their network. Additionally, the bureau advises implementing best cybersecurity practices, including:
- Regular patching and updating of operating systems, software, and firmware
- Changing network system and account passwords frequently
- Enforcing strong password policies and multi-factor authentication
- Implementing security monitoring tools to detect abnormal network activity
- Capturing and auditing remote access logs
- Implementing application whitelisting policies
- Regularly auditing administrative user accounts
- Creating offline backups for critical assets
- Implementing network segmentation where possible
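The monitoring and log-auditing recommendations above can be applied directly to the telnet scanning and brute-forcing described earlier; the following is an added example, not code from the FBI notification. The log format, IP addresses, VLAN and thresholds are constructed for illustration.

```python
# Added example, not part of the FBI notification: flag the two telnet patterns
# the PIN describes (scanning many cameras/DVRs, then brute-forcing logins).
import re
from collections import defaultdict

TELNET_PORT = 23
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) result=(\w+)")

# Constructed sample log; 192.168.50.0/24 is a hypothetical camera/DVR VLAN.
SAMPLE_LOG = """\
10:00:01 src=203.0.113.7 dst=192.168.50.10 dport=23 result=accept
10:00:01 src=203.0.113.7 dst=192.168.50.11 dport=23 result=accept
10:00:02 src=203.0.113.7 dst=192.168.50.12 dport=23 result=accept
10:00:02 src=203.0.113.7 dst=192.168.50.13 dport=23 result=accept
10:01:10 src=198.51.100.9 dst=192.168.50.20 dport=23 result=authfail
10:01:11 src=198.51.100.9 dst=192.168.50.20 dport=23 result=authfail
10:01:12 src=198.51.100.9 dst=192.168.50.20 dport=23 result=authfail
10:01:13 src=198.51.100.9 dst=192.168.50.20 dport=23 result=authfail
10:01:14 src=198.51.100.9 dst=192.168.50.20 dport=23 result=authfail
10:05:00 src=192.168.50.200 dst=192.168.50.10 dport=23 result=authfail
10:05:05 src=192.168.50.200 dst=192.168.50.10 dport=23 result=accept
10:06:00 src=192.168.50.200 dst=192.168.50.11 dport=80 result=accept
"""

def parse(log_text):
    """Yield (src, dst, dport, result) for each well-formed line, skipping the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def detect_telnet_activity(log_text, scan_threshold=4, bruteforce_threshold=5):
    """Return sources that touched >= scan_threshold distinct telnet targets
    ("scanners") and sources with >= bruteforce_threshold failed telnet
    logins against a single device ("bruteforcers")."""
    telnet_targets = defaultdict(set)   # src -> distinct devices contacted on 23/tcp
    login_failures = defaultdict(int)   # (src, dst) -> failed telnet logins
    for src, dst, dport, result in parse(log_text):
        if dport != TELNET_PORT:
            continue
        telnet_targets[src].add(dst)
        if result == "authfail":
            login_failures[(src, dst)] += 1
    scanners = {s for s, t in telnet_targets.items() if len(t) >= scan_threshold}
    bruteforcers = {s for (s, _), n in login_failures.items() if n >= bruteforce_threshold}
    return {"scanners": sorted(scanners), "bruteforcers": sorted(bruteforcers)}

if __name__ == "__main__":
    for kind, hosts in detect_telnet_activity(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(hosts) or 'none'}")
```

The internal operator at 192.168.50.200 mistypes a password once and is not flagged, while the external source sweeping four devices and the one failing five logins against a single DVR both are; any telnet reaching the camera segment from outside it is already a segmentation finding in its own right.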
The FBI encourages organizations to report any suspected indications of compromise to their local FBI field office or the Internet Crime Complaint Center.
As cyber threats continue to evolve, staying vigilant and implementing robust security measures remains crucial for protecting sensitive information and maintaining the integrity of network infrastructure.