HiatusRAT Malware Scanning for Vulnerable Web Cameras and DVRs, FBI Warns

Vlad CONSTANTINESCU

December 17, 2024


The US Federal Bureau of Investigation (FBI) issued a warning that HiatusRAT malware is actively scanning for and compromising vulnerable web cameras and digital video recorders (DVRs) connected to the internet.

Malicious campaign focuses on Chinese-branded IoT devices

Experts noticed that threat actors mainly focus on Chinese-branded IoT devices, exploiting known vulnerabilities or leveraging weak default passwords to breach systems.

In a private industry notification (PIN) yesterday, the FBI described the attackers’ modus operandi and their predilection towards devices from certain manufacturers.

The malicious campaign especially affects internet-connected devices that remain unpatched or have reached end-of-life status.

Scanning and exposing vulnerable devices

“In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom,” reads the FBI’s PIN. “They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access. Targeted TCP ports have included: 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.”

According to the FBI, HiatusRAT operators exploited multiple vulnerabilities, including:

Recommendations for network defenders

The FBI’s security advisory offers tips for network defenders to protect against the ongoing HiatusRAT threat, including:

  • Limit or isolate vulnerable devices to prevent lateral movement across networks
  • Prioritize patching vulnerable devices to address known vulnerabilities where possible
  • Replace end-of-life IoT devices if possible, as they no longer receive security updates
  • Monitor for signs of compromise and unusual traffic on the targeted TCP ports
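
One way to act on the last recommendation, as an added example that is not part of the FBI notification or the original article: a Python check that reads firewall connection records and flags outside sources that touched several of the targeted TCP ports on camera or DVR addresses. The log format, the `find_port_sweeps` name, the threshold of three ports, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# TCP ports named in the FBI PIN, as quoted in the article.
TARGETED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Constructed sample log (documentation-range addresses, not real traffic).
# Assumed format: <time> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2024-03-11T02:14:01Z 198.51.100.7 192.0.2.20 23 DENY
2024-03-11T02:14:01Z 198.51.100.7 192.0.2.20 2323 DENY
2024-03-11T02:14:02Z 198.51.100.7 192.0.2.20 554 ALLOW
2024-03-11T02:14:02Z 198.51.100.7 192.0.2.20 443 DENY
2024-03-11T02:14:03Z 198.51.100.7 192.0.2.20 8080 DENY
2024-03-11T02:14:04Z 198.51.100.7 192.0.2.21 9530 DENY
2024-03-11T08:30:10Z 203.0.113.50 192.0.2.20 554 ALLOW
2024-03-11T08:31:10Z 203.0.113.50 192.0.2.20 554 ALLOW
2024-03-11T09:00:00Z 192.0.2.5 192.0.2.20 23 ALLOW
truncated line
"""

def find_port_sweeps(log_text, device_net, min_ports=3):
    """Flag sources outside device_net that touched at least min_ports
    distinct targeted ports on camera/DVR addresses inside device_net."""
    net = ipaddress.ip_network(device_net)
    ports = defaultdict(set)      # src -> distinct targeted ports probed
    allowed = defaultdict(list)   # src -> (dst, port) pairs the firewall let through
    for line in log_text.splitlines():
        try:
            _ts, src, dst, dport, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # skip blank or malformed records
        if src in net or dst not in net or dport not in TARGETED_PORTS:
            continue
        ports[src].add(dport)
        if action == "ALLOW" and (str(dst), dport) not in allowed[src]:
            allowed[src].append((str(dst), dport))
    return {
        str(src): {"ports": sorted(seen), "allowed": allowed[src]}
        for src, seen in ports.items()
        if len(seen) >= min_ports
    }

if __name__ == "__main__":
    for src, hit in find_port_sweeps(SAMPLE_LOG, "192.0.2.0/24").items():
        print(src, "probed", hit["ports"], "reached", hit["allowed"])
```

Entries in `allowed` are the ones to triage first, since they show a targeted port on a device was reachable from the flagged source.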

The FBI also urged system administrators and cybersecurity professionals to report suspected breaches to the Internet Crime Complaint Center (IC3) or their local FBI field office.
