The US Federal Bureau of Investigation (FBI) issued a warning about a surge in HiatusRAT malware attacks that are actively scanning for and infecting vulnerable web cameras and DVRs exposed online. The attacks mainly focus on Chinese-branded devices that are either awaiting critical security patches or have reached end-of-life status.
In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom, according to the FBI. The threat actors scanned web cameras and DVRs for a range of vulnerabilities, including CVE-2017-7921, CVE-2018-9995, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords.
HiatusRAT is a Remote Access Trojan (RAT), which has been in active use since at least July 2022. RATs allow malicious cyber actors to remotely control targeted devices, facilitating data theft, surveillance, and other malicious activities. The HiatusRAT campaign initially focused on outdated network edge devices.
Recent analysis revealed that the malware has also been deployed to target Taiwan-based organizations and conduct reconnaissance against a US government server used for submitting and retrieving defense contract proposals.
The latest wave of attacks exploits vulnerabilities in IoT devices, particularly Xiongmai and Hikvision-branded web cameras and DVRs. Many of these devices remain unpatched, leaving them exposed to exploitation. The FBI noted that the attackers leveraged tools such as Ingram, an open-source webcam scanning tool, and Medusa, a brute-force authentication tool used to crack weak telnet passwords.
Targeted TCP ports included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.
To mitigate the risk, the FBI recommends that organizations implement immediate steps to secure their devices and networks, including patching and updating the systems, strengthening and regularly changing passwords, limiting the use of vulnerable devices and isolating them from the rest of the network, and regularly monitoring network activity.
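The "regularly monitoring network activity" recommendation can be made concrete for the port list in the advisory. The following is an added example, not code from the FBI advisory: it parses constructed firewall log lines (the `src=/dst=/dport=` format is a hypothetical one) and flags any external source that probes several of the TCP ports the advisory associates with the HiatusRAT scanning campaign.

```python
import re
from collections import defaultdict

# TCP ports the FBI advisory lists as targeted by the HiatusRAT scanning campaign.
HIATUSRAT_PORTS = {23, 26, 554, 567, 2323, 5523, 8080, 9530, 56575}

# Hypothetical firewall log format (assumption, not a vendor format):
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp action=<allow|deny>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=tcp")


def parse_line(line):
    """Return (src, dst, dport) for a matching log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_port_scanners(lines, min_ports=3):
    """Map each source IP to the sorted list of advisory ports it touched,
    keeping only sources that probed at least `min_ports` distinct ones.
    Denied connections count too: a scan shows up even when the firewall blocks it."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, dport = parsed
        if dport in HIATUSRAT_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2024-03-02T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp action=deny
2024-03-02T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=2323 proto=tcp action=deny
2024-03-02T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=554 proto=tcp action=allow
2024-03-02T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp action=allow
2024-03-02T10:00:05Z src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp action=allow
2024-03-02T10:00:06Z src=198.51.100.4 dst=192.0.2.10 dport=8080 proto=tcp action=allow
2024-03-02T10:00:07Z src=203.0.113.9 dst=192.0.2.11 dport=9530 proto=tcp action=deny
"""

if __name__ == "__main__":
    for src, ports in find_port_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed HiatusRAT-associated ports {ports}")
```

A single hit on port 8080 or 554 is normal traffic for many networks, which is why the threshold is on distinct advisory ports per source rather than on any one port.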