The FBI has issued a Private Industry Notification (PIN) highlighting an active cyber campaign involving HiatusRAT malware targeting Chinese-branded web cameras and DVRs. The advisory warns organizations about the vulnerabilities cyber actors are exploiting and urges immediate action to protect affected devices.
HiatusRAT, a Remote Access Trojan (RAT), has been in use since at least July 2022, with previous campaigns focusing on outdated network edge devices. The current wave, observed in March 2024, has expanded its focus to Internet of Things (IoT) devices in the United States, Australia, Canada, New Zealand, and the United Kingdom. Specifically, the malware targets vulnerabilities in Xiongmai and Hikvision devices with Telnet access.
The FBI's report highlights several known vulnerabilities (CVEs) being exploited, including:
- CVE-2017-7921: Improper authentication in multiple Hikvision camera models, allowing privilege escalation.
- CVE-2018-9995: Authentication bypass in DVR systems via malicious requests.
- CVE-2020-25078: Remote password disclosure on D-Link devices.
- CVE-2021-33044: Authentication bypass in Dahua devices.
- CVE-2021-36260: Command injection vulnerabilities in Hikvision products.
The malicious actors are leveraging Ingram, a webcam-scanning tool available on GitHub, to locate vulnerable systems and Medusa, an open-source brute-force tool, to crack authentication credentials. Targeted TCP ports include 23, 26, 2323, 554, 567, and more.
Broader implications and defense recommendations
The HiatusRAT malware has demonstrated significant capabilities in past campaigns, including reconnaissance against critical infrastructure. In earlier cases, Taiwan-based organizations and a U.S. government server handling defense contract proposals were among its targets. These attacks indicate that the actors behind HiatusRAT are well-resourced and methodical, focusing on devices often overlooked in cybersecurity protocols.
To defend against these threats, the FBI recommends the following:
- Patch and update systems as soon as updates are available, and replace unsupported devices.
- Change default and weak passwords, enforce strong password policies, and enable multi-factor authentication.
- Isolate vulnerable devices from critical networks and employ network segmentation.
- Scan for open ports, monitor network activity for anomalies, and establish baselines for legitimate traffic.
- Implement security tools that log network activity and detect abnormal behavior.
- Conduct regular virus and malware scans and maintain offline backups for critical data.
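A defender-side check for the port-scanning and anomaly-monitoring recommendations above, added here as an example and not taken from the FBI notification: it parses constructed firewall log lines (the line format and every address are assumptions) and flags accepted connections to the campaign's targeted TCP ports plus Medusa-style bursts of connection attempts against a single device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports the FBI notification lists as targeted by the HiatusRAT campaign.
TARGETED_PORTS = {23, 26, 2323, 554, 567}

# Constructed sample firewall log lines (not real captures); format is assumed.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z src=203.0.113.7 dst=192.0.2.20 dport=23 action=ACCEPT
2024-03-04T10:00:02Z src=203.0.113.7 dst=192.0.2.20 dport=23 action=ACCEPT
2024-03-04T10:00:04Z src=203.0.113.7 dst=192.0.2.20 dport=23 action=ACCEPT
2024-03-04T10:00:05Z src=203.0.113.7 dst=192.0.2.20 dport=23 action=ACCEPT
2024-03-04T10:00:07Z src=203.0.113.7 dst=192.0.2.20 dport=23 action=ACCEPT
2024-03-04T10:01:10Z src=198.51.100.9 dst=192.0.2.21 dport=554 action=ACCEPT
2024-03-04T10:01:12Z src=198.51.100.9 dst=192.0.2.21 dport=2323 action=DENY
2024-03-04T10:02:00Z src=198.51.100.9 dst=192.0.2.22 dport=443 action=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["dport"] = int(d["dport"])
        yield d

def targeted_port_hits(lines):
    """(src, dst, dport) for every ACCEPTed connection to a targeted port."""
    return [(e["src"], e["dst"], e["dport"]) for e in parse(lines)
            if e["dport"] in TARGETED_PORTS and e["action"] == "ACCEPT"]

def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Keys with >= threshold attempts (any action) to one dst:port inside `window`."""
    by_key = defaultdict(list)
    for e in parse(lines):
        if e["dport"] in TARGETED_PORTS:
            by_key[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    flagged = []
    for key, times in by_key.items():
        times.sort()
        i = 0  # left edge of the sliding time window
        for j, t in enumerate(times):
            while t - times[i] > window:
                i += 1
            if j - i + 1 >= threshold:
                flagged.append(key)
                break
    return flagged
```

Point `parse()` at your own export instead of SAMPLE_LOG, and treat any hit on a camera or DVR address as a device to isolate and re-credential.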
Users and organizations are encouraged to report any suspected compromise to their local FBI field office or the Internet Crime Complaint Center at IC3.gov.