December 17, 2024
Severity
High
Analysis Summary
The FBI has warned that new HiatusRAT malware attacks are scanning for and infecting webcams and DVRs exposed to the Internet. According to a private industry notification (PIN) released on Monday, the attackers target Chinese-branded devices that are either past end of life or still awaiting security fixes.
In March 2024, HiatusRAT actors carried out a scanning campaign against Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the UK. The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260, as well as weak vendor-supplied passwords. According to the FBI, the threat actors use Medusa, an open-source authentication brute-force tool, and Ingram, an open-source web camera vulnerability scanner, primarily against Hikvision and Xiongmai devices with telnet access.
Their attacks targeted webcams and DVRs with TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 open to the Internet. To limit breaches and lateral movement following successful HiatusRAT infections, the FBI recommended that network defenders restrict the use of the devices listed in the PIN and/or isolate them from the rest of their networks. It also encouraged security professionals and system administrators to report suspected indicators of compromise (IOCs) to their local FBI field office or the FBI's Internet Crime Complaint Center.
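As an added defender-side example (not from the FBI notification or this advisory), the script below parses constructed firewall log lines in a hypothetical format and flags external sources probing several of the TCP ports listed above, plus internal hosts that accepted telnet connections on 23 or 2323:

```python
# Added example, not from the FBI PIN or this advisory. The log format and all
# addresses below are constructed for illustration.
import re
from collections import defaultdict

# TCP ports the advisory lists as exposed on targeted webcams and DVRs.
HIATUSRAT_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}

# Constructed sample firewall log (hypothetical syslog-like format).
SAMPLE_LOG = """\
2024-12-16T10:01:02Z fw: ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
2024-12-16T10:01:03Z fw: ACCEPT src=203.0.113.5 dst=192.0.2.11 proto=tcp dport=2323
2024-12-16T10:01:04Z fw: DROP src=203.0.113.5 dst=192.0.2.12 proto=tcp dport=8080
2024-12-16T10:01:05Z fw: ACCEPT src=203.0.113.5 dst=192.0.2.13 proto=tcp dport=554
2024-12-16T10:02:00Z fw: ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2024-12-16T10:02:30Z fw: ACCEPT src=198.51.100.8 dst=192.0.2.10 proto=tcp dport=23
"""

LINE_RE = re.compile(
    r"fw: (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=tcp dport=(?P<dport>\d+)"
)

def parse_events(log_text):
    """Yield (action, src, dst, dport) for each TCP connection attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], m["dst"], int(m["dport"])

def find_scanners(log_text, min_ports=3):
    """Map each source that touched at least min_ports advisory ports to the
    sorted list of those ports. Dropped attempts still count: a scan is a scan
    whether or not the firewall let it through."""
    seen = defaultdict(set)
    for _action, src, _dst, dport in parse_events(log_text):
        if dport in HIATUSRAT_PORTS:
            seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}

def telnet_exposures(log_text):
    """Return sorted (dst, dport) pairs of internal hosts that accepted a telnet
    connection from outside; these are the devices to isolate or retire first."""
    return sorted({(dst, dport) for action, _src, dst, dport in parse_events(log_text)
                   if action == "ACCEPT" and dport in TELNET_PORTS})

if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_LOG))
    print("telnet exposures:", telnet_exposures(SAMPLE_LOG))
```

A single hit on one port is not reported as a scan, so the threshold keeps ordinary one-off connections out of the alert.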
This campaign follows two earlier attack waves: one that also included reconnaissance against a Defense Department server, and another in which HiatusRAT infected DrayTek Vigor VPN routers belonging to over a hundred companies in North America, Europe, and South America, establishing a covert proxy network.
HiatusRAT is primarily used to install additional payloads on infiltrated devices, turning compromised systems into SOCKS5 proxies for communication with command-and-control servers. The Office of the Director of National Intelligence's 2023 annual threat assessment also noted that the RAT's shift in targeting preferences and information collection is in line with Chinese strategic aims.
Impact
- Unauthorized Access
- Sensitive Data Theft
Remediation
- Implement robust multi-layered security measures to detect and respond to suspicious activities.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for malware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.