FBI Warns Of HiatusRAT Malware Targeting Web Cams & Other IoT Devices
The U.S. Federal Bureau of Investigation (FBI) has issued a Private Industry Notification (PIN), warning organizations about a surge in HiatusRAT malware attacks targeting Chinese-branded web cameras and digital video recorders (DVRs).
HiatusRAT, a Remote Access Trojan (RAT), has likely been in use since July 2022. The FBI described RATs as tools used by malicious cyber actors to remotely control compromised devices.
The initial Hiatus campaign primarily focused on outdated network edge devices. Recent observations indicate that the malware has also been employed to target various Taiwan-based organizations and conduct reconnaissance on a U.S. government server involved in defense contract submissions and retrievals.
First detected in March 2024, the latest scanning campaign exploited vulnerabilities in Internet of Things (IoT) devices, specifically web cameras and DVRs, across the United States, Australia, Canada, New Zealand, and the United Kingdom.
According to the FBI, the threat actors scanned for vulnerabilities in web cameras and DVRs, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. They also exploited weak vendor-supplied passwords. Many of these vulnerabilities remain unpatched by vendors.
Chinese-branded products, such as Hikvision and Xiongmai devices with telnet access, were particularly targeted. The attackers leveraged outdated or unpatched systems to carry out their operations.
The scanning was conducted using tools like Ingram, an open-source scanner for web camera vulnerabilities, and Medusa, an open-source brute-force authentication tool, specifically targeting Hikvision cameras with telnet access.
The malware focused its efforts on IoT devices exposing TCP ports such as 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575. Once compromised, the devices were converted into SOCKS5 proxies, enabling covert communication with command-and-control servers and facilitating further malware deployment.
In response to these attacks, the FBI has strongly recommended that network administrators limit the use of vulnerable devices listed in the PIN by isolating or replacing them. These measures aim to mitigate the risk of network breaches and lateral movement by threat actors.
Additionally, the agency has urged system administrators and cybersecurity professionals to monitor for indicators of compromise (IOCs) and report any suspicious activity to the FBI’s Internet Crime Complaint Center or their local field offices.
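A defender-side check for the two behaviours the notification describes (probing of the listed ports, and cameras or DVRs that start originating outbound connections as SOCKS5 proxies would), written here as an added example that is not from the FBI notification. The log format, the IoT inventory, the sample log lines and the threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict

# TCP ports the FBI PIN lists as targeted by the HiatusRAT scanning campaign.
HIATUS_SCAN_PORTS = {23, 26, 554, 567, 2323, 5523, 8080, 9530, 56575}

# Constructed (hypothetical) inventory of camera/DVR addresses on the IoT segment.
IOT_HOSTS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample of firewall connection logs, not real traffic. Format:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-03-02T10:00:01 203.0.113.7:41000 -> 192.0.2.10:23 allow
2024-03-02T10:00:02 203.0.113.7:41001 -> 192.0.2.10:8080 allow
2024-03-02T10:00:03 203.0.113.7:41002 -> 192.0.2.11:554 allow
2024-03-02T10:00:04 203.0.113.7:41003 -> 192.0.2.11:9530 allow
2024-03-02T10:00:05 198.51.100.4:55000 -> 192.0.2.10:443 allow
2024-03-02T10:05:00 192.0.2.10:50123 -> 198.51.100.99:443 allow
2024-03-02T10:06:00 192.0.2.10:50125 -> 198.51.100.77:8443 allow
2024-03-02T10:06:10 192.0.2.12:50200 -> 198.51.100.50:443 allow
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse_log(text):
    """Yield (src, dst, dst_port) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(4), int(m.group(5))

def find_port_scanners(text, min_ports=3):
    """Sources that probed at least min_ports distinct HiatusRAT target ports
    anywhere on the network: the campaign's scanning signature."""
    ports_by_src = defaultdict(set)
    for src, _, dport in parse_log(text):
        if dport in HIATUS_SCAN_PORTS:
            ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}

def find_unexpected_egress(text, iot_hosts=IOT_HOSTS, allowed=frozenset()):
    """IoT devices originating outbound connections to destinations outside the
    allow-list. A camera or DVR turned into a SOCKS5 proxy must connect outward
    on the operator's behalf; a healthy device mostly just answers inbound requests."""
    egress = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if src in iot_hosts and (dst, dport) not in allowed:
            egress[src].add((dst, dport))
    return {host: sorted(dests) for host, dests in egress.items()}
```

Any host the first check flags should be blocked at the perimeter, and any device the second check flags should be isolated for inspection, in line with the notification's advice to isolate or replace affected equipment.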