The recent warning issued by the FBI regarding the increased threat of HiatusRAT malware targeting webcams and Digital Video Recorders (DVRs) has raised concerns among users about the security of their devices. The malicious actors behind the HiatusRAT malware are actively searching for vulnerable webcams and DVRs that are accessible online in order to infect them and potentially gain unauthorized access to computers.
According to a Private Industry Notification (PIN) released on December 16, the attackers are focusing on devices made by Chinese manufacturers that are likely to carry unpatched vulnerabilities because they no longer receive security updates or have reached end of life. This poses a significant risk to users who rely on these devices for various purposes.
The threat actors conducted a wide-ranging scanning campaign in March 2024 targeting Internet of Things (IoT) devices in countries such as the USA, Australia, Canada, New Zealand, and the United Kingdom. They scanned webcams and DVRs for vulnerabilities such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak default passwords set by manufacturers.
Devices from Hikvision and Xiongmai were particularly targeted because they expose Telnet access. The attackers used the open-source tools Ingram and Medusa to identify vulnerable webcams and bypass authentication, focusing on devices with TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 exposed to the internet.
This campaign follows previous large-scale attacks, including one targeting a server of the US Department of Defense in 2023 and infecting over a hundred companies in North America, Europe, and South America with HiatusRAT through DrayTek Vigor VPN routers to establish a covert proxy network.
To mitigate the risks associated with HiatusRAT malware attacks, the FBI advises users to restrict the use of the mentioned devices or isolate them from the rest of their network. Isolation limits both the initial intrusion and the malware's attempts to propagate further once a device has been compromised. System administrators and cybersecurity experts are urged to report any suspected signs of compromise to the FBI’s Internet Crime Complaint Center or their local FBI field offices.
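One practical way to act on the port list above and the FBI's isolation advice is to check firewall logs for accepted inbound connections from the internet to those ports on the camera/DVR segment. The following is an added example, not code from the FBI notification or from any vendor: the key=value log format, the sample lines, and the 192.168.50.0/24 IoT segment are all constructed assumptions, so the regular expression and the segment would need to be adapted to a real firewall export.

```python
"""Flag internet-exposed camera/DVR ports in firewall logs (added example).

The log format below is a constructed key=value style, not a real vendor
format. Adjust LINE_RE and IOT_SEGMENT for your own environment.
"""
import ipaddress
import re

# TCP ports the FBI notification lists as targeted by the scanning campaign.
WATCHED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Assumption: cameras and DVRs live on this dedicated segment.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")

# RFC 1918 ranges; anything outside them is treated as an internet source.
# (Checked explicitly rather than via is_global, which also excludes the
# documentation ranges used in the sample below.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2024-12-17T03:11:02Z src=203.0.113.45 dst=192.168.50.21 proto=tcp dport=23 action=accept
2024-12-17T03:11:05Z src=203.0.113.45 dst=192.168.50.21 proto=tcp dport=2323 action=accept
2024-12-17T03:11:09Z src=198.51.100.7 dst=192.168.50.22 proto=tcp dport=554 action=drop
2024-12-17T03:12:40Z src=192.168.10.5 dst=192.168.50.21 proto=tcp dport=554 action=accept
2024-12-17T03:13:01Z src=198.51.100.7 dst=192.168.50.23 proto=tcp dport=9530 action=accept
2024-12-17T03:13:22Z src=203.0.113.45 dst=192.168.50.21 proto=tcp dport=443 action=accept
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "action": m["action"].lower(),
    }


def is_external(addr):
    """True when the address is outside every RFC 1918 range."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed(log_text, iot_segment=IOT_SEGMENT, watched=WATCHED_PORTS):
    """Return (src, dst, dport) for accepted TCP connections from external
    sources to watched ports on devices in the IoT segment."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "accept" or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in watched or rec["dst"] not in iot_segment:
            continue
        if not is_external(rec["src"]):
            continue
        hits.append((str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


def summarize(hits):
    """Map each exposed device to the set of watched ports reached from outside."""
    per_device = {}
    for _src, dst, dport in hits:
        per_device.setdefault(dst, set()).add(dport)
    return per_device


if __name__ == "__main__":
    for dst, ports in sorted(summarize(find_exposed(SAMPLE_LOG)).items()):
        print(f"{dst}: reachable from the internet on ports {sorted(ports)}")
```

Any device the script reports is one that the firewall is currently allowing the internet to reach on a port the campaign scans; the expected state after applying the FBI's advice is an empty result, with those devices either segmented off or unreachable from outside.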
Lumen, a US-based cybersecurity company, first discovered HiatusRAT in the summer of 2023 and identified it as malware that installs additional malicious software on infected devices to convert them into SOCKS5 proxies for communication with Command-and-Control servers. The malware’s objectives align with China’s strategic interests in cyber espionage and data theft, as highlighted in the Threat Assessment report of the United States Intelligence Community (IC) in 2023.
In conclusion, the increasing threat of HiatusRAT malware targeting webcams and DVRs underscores the importance of maintaining cybersecurity hygiene and being vigilant against potential cyber threats in today’s interconnected digital world. Users and organizations must prioritize security measures to protect their devices and networks from malicious actors seeking to exploit vulnerabilities for illicit purposes.