The warning issued by the FBI regarding the Hiatus remote access trojan (RAT) malware targeting Chinese-branded web cameras and DVRs has raised concerns among cybersecurity experts and users alike. The specific targeting of Xiongmai and Hikvision devices with telnet access has prompted the Bureau to urge caution and proactive measures to prevent potential cyberattacks.
According to a Private Industry Notification, the FBI revealed that in March 2024, HiatusRAT actors launched a scanning campaign aimed at Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the UK. This latest iteration of HiatusRAT has been in use since 2022, with cybersecurity companies detecting these actors using the malware to target organizations based in Taiwan and conducting reconnaissance on a US government server utilized for defense contract proposals.
The actors behind the Hiatus campaign have exploited vulnerabilities in web cameras and DVRs, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260, as well as leveraging weak passwords provided by vendors. Some of these vulnerabilities lack security updates, prompting the FBI to advise users to replace outdated systems with actively supported models.
In their malicious activities, the perpetrators have utilized tools such as Ingram, a webcam-scanning tool available on Github, and Medusa, an open-source brute-force authentication cracking tool, to target Hikvision cameras with telnet access. RATs, like HiatusRAT, are commonly used by cyber actors to take remote control of targeted devices, enabling them to carry out malicious activities without physical access.
The FBI emphasized that the Hiatus campaign originally focused on outdated network edge devices, highlighting the evolving tactics used by cybercriminals to exploit vulnerabilities in connected devices. As the proliferation of IoT devices introduces new security risks and vulnerabilities, organizations are advised to take proactive security measures to safeguard their networks and data.
To protect IoT devices from potential cyber threats, the FBI recommended the following security measures:
– Review or establish security policies, user agreements, and patching plans
– Patch and update operating systems, software, and firmware promptly
– Consider removing unsupported devices from the network
– Regularly change network system and account passwords
– Implement multifactor authentication (MFA) where possible
– Utilize security monitoring tools to log network traffic
– Automatically update antivirus and anti-malware solutions and conduct regular scans
– Create offline backups of critical assets
By implementing these proactive security measures, organizations can enhance their defenses against potential cyber threats and mitigate the risks associated with vulnerable IoT devices. As cybercriminals continue to target connected devices, being vigilant and proactive in addressing security vulnerabilities is crucial to safeguarding sensitive information and maintaining a secure network environment.