FBI spots HiatusRAT malware attacks targeting web cameras, DVRs

The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online.

As a private industry notification (PIN) published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached the end of life.

"In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom," the FBI said. "The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords."

The threat actors predominantly target Hikvision and Xiongmai devices with telnet access using Ingram, an open-source web camera vulnerability scanning tool, and Medusa, an open-source authentication brute-force tool.

Their attacks targeted web cameras and DVRs with the 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 TCP ports exposed to Internet access.

The FBI advised network defenders to limit the use of the devices mentioned in today's PIN and/or isolate them from the rest of their networks to block breach and lateral movement attempts following successful HiatusRAT malware attacks. It also urged system administrators and cybersecurity professionals to send suspected indications of compromise (IOC) to the FBI's Internet Crime Complaint Center or their local FBI field office.

​This campaign follows two other series of attacks: one that also targeted a Defense Department server in a reconnaissance attack and an earlier wave of attacks in which more than a hundred businesses from North America, Europe, and South America had their DrayTek Vigor VPN routers infected with HiatusRAT to create a covert proxy network.

Lumen, the cybersecurity company that first spotted HiatusRAT, said this malware is mainly used to deploy additional payloads on infected devices, converting the compromised systems into SOCKS5 proxies for command-and-control server communication.

HiatusRAT's shift in targeting preference and information gathering aligns with Chinese strategic interests, a link also highlighted in the Office of the Director of National Intelligence's 2023 annual threat assessment.