The FBI has issued a warning about new HiatusRAT malware attacks that are actively scanning for and compromising vulnerable web cameras and DVRs that are exposed to the internet.
A private industry notification released on Monday outlines how attackers are specifically targeting Chinese-branded devices that either lack important security patches or have been abandoned due to reaching their end of life.
According to the FBI, “In March 2024, HiatusRAT operators launched a scanning campaign aimed at Internet of Things (IoT) devices across the US, Australia, Canada, New Zealand, and the United Kingdom.” They are exploiting vulnerabilities identified as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, along with weak passwords that are commonly supplied by manufacturers.
These malicious actors are primarily focusing on Hikvision and Xiongmai devices, utilizing tools like Ingram, an open-source vulnerability scanning tool for web cameras, and Medusa, an open-source brute-force authentication tool.
Their operations have involved targeting web cameras and DVRs that have specific TCP ports (23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575) open to internet access.
The FBI recommends that network defenders limit the use of the devices mentioned in its notification and/or isolate them from the rest of their networks to block breach and lateral movement attempts following successful HiatusRAT infections. System administrators and cybersecurity personnel are also encouraged to report any signs of compromise to the FBI’s Internet Crime Complaint Center or their local FBI office.
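The port list and the isolation advice above can be turned into a quick exposure check over your own address space. This is an added example, not part of the FBI notification or the original article; it assumes you already have nmap grepable (`-oG`) output from a scan of networks you administer, and the sample scan data and function names are constructed for illustration.

```python
import re

# TCP ports the article lists as targeted by the HiatusRAT scanning campaign.
HIATUSRAT_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Constructed sample of nmap grepable (-oG) output for an organisation's own
# perimeter. Addresses come from the RFC 5737 documentation range.
SAMPLE_NMAP_GREPABLE = (
    "# Nmap scan of own perimeter (constructed sample)\n"
    "Host: 192.0.2.10 (cam-lobby)\tStatus: Up\n"
    "Host: 192.0.2.10 (cam-lobby)\tPorts: 23/open/tcp//telnet///, "
    "554/open/tcp//rtsp///, 8080/closed/tcp//http-proxy///\n"
    "Host: 192.0.2.11 (dvr-warehouse)\tPorts: 9530/open/tcp//unknown///, "
    "443/open/tcp//https///\n"
    "Host: 192.0.2.12 ()\tPorts: 8080/filtered/tcp//http-proxy///, "
    "22/open/tcp//ssh///\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def exposed_hosts(grepable_text, watch_ports=HIATUSRAT_PORTS):
    """Return {ip: sorted open watched TCP ports} parsed from nmap -oG output."""
    findings = {}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and "Status:" lines carry no port data
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            # Only "open" counts as exposed; "closed" and "filtered" are skipped.
            if state == "open" and proto == "tcp" and port in watch_ports:
                findings.setdefault(m.group(1), set()).add(port)
    return {ip: sorted(ports) for ip, ports in findings.items()}

def report(findings):
    """One line per exposed host, for a ticket or a firewall review."""
    return [
        f"{ip}: reachable on TCP {', '.join(map(str, findings[ip]))}; isolate or restrict"
        for ip in sorted(findings)
    ]

if __name__ == "__main__":
    print("\n".join(report(exposed_hosts(SAMPLE_NMAP_GREPABLE))))
```

Hosts that show up here are the candidates for the segmentation or retirement the FBI recommends; a clean result only covers the ports and addresses that were scanned.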
This wave of attacks follows previous incidents, including one in which the attackers targeted a Defense Department server in a reconnaissance effort, and another campaign in which over a hundred businesses in North America, Europe, and South America had their DrayTek Vigor VPN routers infected with HiatusRAT to create a hidden proxy network.
Lumen, the cybersecurity firm that initially detected HiatusRAT, reports that this malware is designed primarily to deliver additional payloads on compromised devices, effectively turning them into SOCKS5 proxies for command-and-control communication.
HiatusRAT’s change in focus toward specific targets and information-gathering tactics appears to align with the strategic goals of Chinese interests, as noted in the Office of the Director of National Intelligence’s 2023 annual threat assessment.
Article has been taken from bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/fbi-spots-hiatusrat-malware-attacks-targeting-web-cameras-dvrs/