Introduction
The FBI has issued a warning regarding an ongoing malware campaign involving the Hiatus Remote Access Trojan (HiatusRAT), which has been active since March 2023. This campaign targets vulnerabilities in edge devices, particularly those found in Chinese-branded web cameras and digital video recorders (DVRs) [4]. The malware exploits weaknesses such as improper authentication, outdated firmware [4] [5], and weak or default passwords [4], posing significant risks to affected devices.
Description
The FBI has issued a warning about an ongoing malware campaign involving the Hiatus Remote Access Trojan (HiatusRAT), which has been active since March 2023. This malware specifically targets vulnerabilities in edge devices, particularly Chinese-branded web cameras and digital video recorders (DVRs) from manufacturers such as Xiongmai [4], Hikvision [1] [2] [4] [5], TBK Vision [5], and D-Link [5]. The campaign exploits weaknesses like improper authentication, outdated firmware [4] [5], and weak or default passwords [4], with many of these vulnerabilities remaining unpatched.
In March 2024 [1] [2], HiatusRAT actors conducted a scanning campaign aimed at these devices across the United States [1], Australia [1] [2] [3] [4] [5], Canada [1] [2] [3] [4] [5], New Zealand [1] [2] [3] [4] [5], and the United Kingdom [2] [3] [4] [5]. The campaign initially focused on outdated network edge devices [1] [3]; it has also affected various organizations in Taiwan and included reconnaissance against a US government server related to defense contract proposals. The FBI identified five known vulnerabilities: CVE-2017-7921 [5], CVE-2018-9995 [1] [4] [5], CVE-2020-25078 [1] [5], CVE-2021-33044 [1] [5], and CVE-2021-36260 [1] [5]. Among these [3] [5], CVE-2020-25078 is rated as high risk [5]; CVE-2018-9995 [4] [5], CVE-2021-33044 [1] [5], and CVE-2021-36260 each score 9.8 [5]; and CVE-2017-7921 carries the maximum score of 10 [5].
The attackers scanned web cameras and DVRs for these vulnerabilities, particularly exploiting weak vendor-supplied passwords in older, end-of-life devices [3]. The FBI emphasizes the importance of updating firmware, replacing unsupported models [4], and enforcing strong password policies to mitigate risks. Additionally, the agency highlights the critical need for implementing multi-factor authentication, segmenting networks [4], monitoring traffic for abnormal activities [4], and disabling unused remote access ports [4].
Attackers have utilized open-source tools like Ingram [2], a webcam-scanning tool available on GitHub [1], and Medusa [1] [4], an open-source brute-force authentication cracking tool [1], to target Hikvision cameras with Telnet access [1]. Notably, manufacturers have not released updated firmware for some affected devices [5]: TBK Vision has not patched CVE-2018-9995, and Hikvision has not addressed CVE-2017-7921 for all affected models [5]. D-Link has likewise not provided a fix for CVE-2020-25078 on certain models that have reached the end of their life cycle [5].
The FBI advises users to limit the use of these devices [2], isolate them from their networks [2], and adopt robust cybersecurity practices [2], including regular updates and strong password policies [2]. This applies especially to organizations relying on IoT devices for surveillance or operational purposes [4], as these devices are highly susceptible to exploitation [4]. Despite the known vulnerabilities [2], many manufacturers have been slow to release the necessary patches [2], leaving users exposed to ongoing risk [2].
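The advisory's guidance to monitor traffic for abnormal activity and to disable unused remote-access ports can be turned into a concrete check against the Telnet brute-forcing described above. The following is an added example, not code from the FBI or any of the cited sources: it parses a constructed firewall log in an assumed format, assumes the cameras live in a hypothetical 10.20.0.0/24 VLAN, flags any source that hammers a camera's remote-access port in a short window (the signature of a Medusa-style credential attack), and lists cameras that still accept remote-access connections at all.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample firewall log (not from any real device or the advisory).
# Format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DROP>"
SAMPLE_LOG = """\
2024-03-02T10:00:01 203.0.113.7 -> 10.20.0.11:23 ACCEPT
2024-03-02T10:00:02 203.0.113.7 -> 10.20.0.11:23 ACCEPT
2024-03-02T10:00:03 203.0.113.7 -> 10.20.0.11:23 ACCEPT
2024-03-02T10:00:04 203.0.113.7 -> 10.20.0.11:23 ACCEPT
2024-03-02T10:00:05 203.0.113.7 -> 10.20.0.11:23 ACCEPT
2024-03-02T10:00:09 198.51.100.5 -> 10.20.0.12:23 DROP
2024-03-02T10:00:10 10.20.0.50 -> 10.20.0.11:554 ACCEPT
2024-03-02T10:05:00 203.0.113.9 -> 10.20.0.12:22 ACCEPT
"""
CAMERA_NET = ip_network("10.20.0.0/24")   # assumed camera/DVR VLAN
REMOTE_ACCESS_PORTS = {22, 23, 2323}      # SSH, Telnet, alternate Telnet

def remote_access_events(log):
    """Yield (ts, src, dst, port, action) for events aimed at a camera's remote-access port."""
    for line in log.strip().splitlines():
        ts, src, _, dst, action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if ip_address(dst_ip) in CAMERA_NET and int(dst_port) in REMOTE_ACCESS_PORTS:
            yield datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def find_bruteforce(log, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, dst, port): total_attempts} for sources that hit a camera's
    remote-access port at least `threshold` times within any `window`."""
    stamps = defaultdict(list)
    for ts, src, dst, port, _ in remote_access_events(log):
        stamps[(src, dst, port)].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits

def exposed_cameras(log):
    """Cameras that ACCEPTED any remote-access connection: the port the advisory
    says to disable is still reachable, whatever the credentials."""
    return sorted({(dst, port) for _, _, dst, port, act in remote_access_events(log)
                   if act == "ACCEPT"})
```

The RTSP stream on port 554 is ignored because it is the camera's normal video traffic; the dropped attempt from 198.51.100.5 counts toward brute-force detection but not toward exposure, since the firewall never let it through.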
Conclusion
The ongoing HiatusRAT malware campaign underscores the critical need for vigilance in cybersecurity practices, particularly concerning IoT devices. The exploitation of vulnerabilities in edge devices highlights the importance of regular firmware updates, strong password policies [2] [4], and network segmentation. As manufacturers lag in providing necessary patches, users must proactively mitigate risks by isolating vulnerable devices and implementing robust security measures. The future landscape of cybersecurity will increasingly depend on the timely addressing of such vulnerabilities to protect against evolving threats.
References
[1] https://www.infosecurity-magazine.com/news/webcams-vulnerable-hiatusrat-fbi/
[2] https://b2bdaily.com/it/are-your-chinese-made-web-cameras-being-controlled-by-rats/
[3] https://www.aha.org/news/headline/2024-12-19-fbi-issues-alert-hiatusrat-malware
[4] https://www.wizcase.com/news/fbi-warns-of-hiatusrat-targeting-cameras-and-dvrs/
[5] https://www.ithome.com.tw/news/166578