The Federal Bureau of Investigation (FBI) has raised the alarm about a resurgence of HiatusRAT malware, which is actively exploiting vulnerable web cameras and DVR devices exposed to the internet. The attackers are zeroing in on outdated or unpatched devices, predominantly targeting Chinese-branded equipment, in a coordinated wave of cyberattacks.
Exploiting Old Vulnerabilities in IoT Devices
In a Private Industry Notification (PIN) issued Monday, the FBI detailed the scope of the new malware campaign. HiatusRAT actors are scanning for vulnerabilities in Internet of Things (IoT) devices, particularly web cameras and digital video recorders (DVRs). Their targets include devices with unresolved security flaws or those that have reached their end-of-life stage.
The FBI pointed out several vulnerabilities being exploited:
- CVE-2017-7921
- CVE-2018-9995
- CVE-2020-25078
- CVE-2021-33044
- CVE-2021-36260
The attacks primarily affect Hikvision and Xiongmai devices. To breach systems, the attackers use open-source tools like Ingram, which scans for web camera vulnerabilities, and Medusa, a tool for brute-force authentication.
The campaign targets devices that expose specific TCP ports to the internet, including 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575. Once compromised, the devices serve as entry points for additional payloads, creating significant security risks.
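The port list above is most useful to a defender as a detection rule: any accepted connection from the internet to a camera or DVR on one of those ports shows the device is exposed in exactly the way the advisory warns about, and one source touching several of the ports on one device is the scanning phase described later in the article. The script below is an added example, not code from the FBI notification or from any of the tools it names; it runs over a few constructed flow-log lines, and the camera/DVR segment (10.50.0.0/24), the internal address ranges, and the log format are hypothetical values chosen for the example.

```python
import ipaddress
from collections import defaultdict

# TCP ports named in the FBI PIN as being probed in the HiatusRAT campaign.
HIATUSRAT_PORTS = {23, 26, 554, 567, 2323, 5523, 8080, 9530, 56575}

# Assumption (hypothetical addressing): cameras and DVRs sit on one dedicated
# segment, and everything in RFC 1918 space counts as "inside" the organisation.
# Explicit ranges are used rather than ipaddress.is_private, which also treats
# the documentation ranges used below as non-public.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records (documentation-range addresses stand in for
# internet sources). Format:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
SAMPLE_FLOWS = """\
2024-12-16T09:12:01Z 203.0.113.45:51234 -> 10.50.0.21:554 TCP ACCEPT
2024-12-16T09:12:02Z 203.0.113.45:51235 -> 10.50.0.21:8080 TCP ACCEPT
2024-12-16T09:12:03Z 203.0.113.45:51236 -> 10.50.0.21:23 TCP ACCEPT
2024-12-16T09:13:10Z 10.50.0.5:44321 -> 10.50.0.21:554 TCP ACCEPT
2024-12-16T09:14:22Z 198.51.100.7:40001 -> 10.50.0.37:9530 TCP ACCEPT
2024-12-16T09:15:00Z 198.51.100.7:40002 -> 10.50.0.37:443 TCP ACCEPT
2024-12-16T09:15:30Z 203.0.113.45:51300 -> 10.10.0.8:8080 TCP ACCEPT
2024-12-16T09:16:05Z 192.0.2.99:3333 -> 10.50.0.21:56575 TCP DROP
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one flow record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts, src, _, dst, proto, action = parts
    try:
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dst_port),
            "proto": proto,
            "action": action,
        }
    except ValueError:
        return None


def find_exposed_iot_flows(lines):
    """Accepted TCP flows from outside the organisation to a camera/DVR address
    on one of the campaign's ports. Each one proves the device is reachable from
    the internet on that port. Internal sources, other ports, hosts outside the
    segment, and flows the edge already dropped are not reported."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if (f["proto"] == "TCP" and f["action"] == "ACCEPT"
                and f["dst"] in IOT_SEGMENT and f["dport"] in HIATUSRAT_PORTS
                and not is_internal(f["src"])):
            alerts.append(f)
    return alerts


def summarize_by_device(alerts):
    """Map each exposed device to the sorted list of campaign ports reached."""
    ports = defaultdict(set)
    for a in alerts:
        ports[str(a["dst"])].add(a["dport"])
    return {dev: sorted(p) for dev, p in ports.items()}


def scanning_sources(alerts, min_ports=3):
    """External sources that touched at least min_ports distinct campaign ports
    on the segment: a sweep across several of these ports from one address is
    the scanning phase the advisory describes, rather than a single stray probe."""
    touched = defaultdict(set)
    for a in alerts:
        touched[str(a["src"])].add(a["dport"])
    return {src for src, p in touched.items() if len(p) >= min_ports}


if __name__ == "__main__":
    hits = find_exposed_iot_flows(SAMPLE_FLOWS.splitlines())
    for dev, ports in summarize_by_device(hits).items():
        print(f"{dev} reachable from the internet on ports {ports}")
    print("likely sweep sources:", scanning_sources(hits))
```

On the constructed sample this reports two exposed devices (10.50.0.21 on 23, 554 and 8080; 10.50.0.37 on 9530) and flags 203.0.113.45 as a sweep source. The flow to 10.10.0.8 on 8080 is ignored because that host is not on the camera/DVR segment, and the dropped flow to port 56575 is ignored because the edge filter did its job; in a real deployment the same rule would be pointed at the firewall or NetFlow export and the segment definition taken from the asset inventory.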
FBI’s Recommendations to Network Defenders
To mitigate the risks posed by HiatusRAT, the FBI provided a set of recommendations to cybersecurity teams and system administrators.
Key recommendations include:
- Isolate vulnerable devices: Keep web cameras and DVRs isolated from critical systems.
- Limit internet exposure: Restrict unnecessary remote access to IoT devices.
- Update firmware and passwords: Apply security patches where available and avoid using weak vendor-supplied passwords.
The FBI is urging organizations to report any signs of compromise to the Internet Crime Complaint Center (IC3) or their nearest FBI field office.
Widening Scope of HiatusRAT’s Campaign
This latest campaign is part of an ongoing strategy by threat actors to exploit IoT devices for malicious purposes. Earlier this year, in March 2024, HiatusRAT actors launched similar scanning operations across the United States, Australia, Canada, New Zealand, and the United Kingdom.
In previous attacks, the malware infected devices such as DrayTek Vigor VPN routers, using them to build covert SOCKS5 proxy networks. The proxies enabled communication with command-and-control (C2) servers while masking malicious traffic. Lumen Technologies, the cybersecurity firm that initially discovered HiatusRAT, emphasized its ability to deploy additional malware payloads after infection.
Recent reconnaissance attacks also included attempts to breach a U.S. Defense Department server, highlighting the sophistication and broader ambitions of this campaign.
Strategic Links to Chinese Cyber Interests
While the FBI’s advisory avoids pointing fingers directly, experts believe the malware’s behavior aligns with Chinese strategic objectives. This connection was reinforced in the 2023 annual threat assessment released by the Office of the Director of National Intelligence (ODNI).
The ODNI report emphasized China’s focus on leveraging cyber operations to gather intelligence, disrupt infrastructure, and advance state-sponsored interests. HiatusRAT’s evolving targets—ranging from defense systems to commercial IoT devices—mirror these priorities.
“By targeting vulnerable IoT infrastructure, threat actors gain a foothold in networks, enabling persistent surveillance and control,” a cybersecurity analyst explained. “This is not just a nuisance attack—it’s strategic and calculated.”
How the Malware Works: Technical Overview
At its core, HiatusRAT malware converts compromised devices into communication proxies. Here’s how it operates:
- Scanning Phase: The attackers use tools like Ingram to identify devices with open vulnerabilities.
- Brute-Force Entry: Medusa helps bypass weak or default passwords.
- Payload Deployment: Once inside, HiatusRAT deploys additional malware.
- Proxy Network Creation: The infected devices act as SOCKS5 proxies, facilitating command-and-control communication without detection.
This combination of reconnaissance, exploitation, and persistence makes HiatusRAT particularly dangerous for both individual users and enterprise networks.
Growing Threat for IoT Networks
The increase in IoT device usage has amplified cybersecurity concerns. Many of these devices lack robust security measures or receive limited updates after deployment. The HiatusRAT campaign underscores how such vulnerabilities can be weaponized at scale.
Organizations relying on IoT systems for surveillance or operational functions must now contend with the risks of compromise. For businesses, compromised web cameras or DVRs could provide attackers with unauthorized access to sensitive networks.
For consumers, devices with exposed vulnerabilities could become part of larger botnets or act as intermediaries in other cyberattacks.
The FBI’s warning serves as a timely reminder to prioritize IoT security and take proactive measures against escalating malware campaigns.