The FBI has issued a warning that the Hiatus remote access trojan (HiatusRAT) malware has been observed targeting Chinese-branded web cameras and DVRs.
Specifically, the actors have targeted Xiongmai and Hikvision devices with telnet access.
The FBI has urged organizations to limit the use of such devices and to isolate them from the rest of the network.
In a Private Industry Notification, the Bureau warned that in March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand and the UK.
The latest iteration of HiatusRAT has been employed since 2022.
Cybersecurity companies have also observed these actors using the malware to target a range of Taiwan-based organizations and to carry out reconnaissance against a US government server used for submitting and retrieving defense contract proposals.
The actors scanned web cameras and DVRs for vulnerabilities including:
- CVE-2017-7921 (Hikvision IP cameras, authentication bypass)
- CVE-2018-9995 (TBK DVRs, authentication bypass)
- CVE-2020-25078 (D-Link DCS cameras, unauthenticated administrator password disclosure)
- CVE-2021-33044 (Dahua devices, authentication bypass)
- CVE-2021-36260 (Hikvision cameras, unauthenticated command injection)
They also looked to exploit weak vendor-supplied passwords.
Some of these vulnerabilities have no vendor security update available; for those, the FBI recommended that users replace the affected systems with actively supported models.
The FBI said the perpetrators have used Ingram, a webcam-scanning tool available on GitHub, to conduct scanning activity.
They also used Medusa, an open-source brute-force authentication cracking tool, to target Hikvision cameras with telnet access.
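The scanning and telnet brute-forcing described above leave a recognizable pattern in firewall flow logs: one external source probing tcp/23 across many camera addresses, followed by a burst of connections to whichever device answered. The following script, an added example that is not part of the FBI notification and not code from the Ingram or Medusa projects, runs three such checks over constructed sample log lines. The log line format, the IoT subnet (10.20.0.0/24) and the thresholds are assumptions to adapt to your own firewall export.

```python
"""Flag HiatusRAT-style telnet scanning and brute forcing in firewall flow logs.

Added example; it is not code from the FBI notification or from the Ingram or
Medusa projects. The log line format, the IoT subnet and the thresholds are
assumptions that must be adapted to your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: cameras and DVRs live on a dedicated VLAN, 10.20.0.0/24.
IOT_NET = ip_network("10.20.0.0/24")
TELNET_PORT = 23
# Assumed thresholds; tune to your environment.
SCAN_MIN_TARGETS = 3                  # one source touching >= 3 IoT hosts on tcp/23
BRUTE_MIN_ATTEMPTS = 10               # >= 10 connections to the same host ...
BRUTE_WINDOW = timedelta(minutes=5)   # ... within five minutes (Medusa-style guessing)

# Assumed syslog-style firewall export:
# "<ISO timestamp> <host> src=.. dst=.. proto=tcp dport=.. action=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=tcp dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    return events


def detect(lines):
    """Return (finding, source, detail) tuples for telnet activity against the IoT VLAN."""
    events = [e for e in parse(lines)
              if e["dport"] == TELNET_PORT and e["dst"] in IOT_NET]
    findings = []

    # 1. A telnet session permitted into the IoT VLAN from outside it should never
    #    happen if the devices are isolated; report each (source, device) pair once.
    seen = set()
    for e in events:
        pair = (e["src"], e["dst"])
        if e["action"] == "allow" and e["src"] not in IOT_NET and pair not in seen:
            seen.add(pair)
            findings.append(("telnet_allowed_from_outside", str(e["src"]), str(e["dst"])))

    # 2. Scanning: one source probing tcp/23 on many IoT hosts, allowed or not.
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["dst"])
    for src, dsts in targets.items():
        if len(dsts) >= SCAN_MIN_TARGETS:
            findings.append(("telnet_scan", str(src), f"{len(dsts)} hosts"))

    # 3. Brute force: many connections from one source to one device in a short window.
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append(e["ts"])
    for (src, dst), stamps in per_pair.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):
            j = i
            while j < len(stamps) and stamps[j] - t0 <= BRUTE_WINDOW:
                j += 1
            if j - i >= BRUTE_MIN_ATTEMPTS:
                findings.append(("telnet_bruteforce", str(src), str(dst)))
                break
    return findings


# Constructed sample: a sweep of three cameras from 203.0.113.7, then ten rapid
# connections to the one camera that answered, plus benign traffic that must not alert
# (a management host inside the VLAN, and HTTPS traffic that is not telnet at all).
SAMPLE_LOG = [
    "2024-03-14T09:00:00 fw1 src=203.0.113.7 dst=10.20.0.10 proto=tcp dport=23 action=deny",
    "2024-03-14T09:00:01 fw1 src=203.0.113.7 dst=10.20.0.11 proto=tcp dport=23 action=deny",
    "2024-03-14T09:00:02 fw1 src=203.0.113.7 dst=10.20.0.12 proto=tcp dport=23 action=allow",
    "2024-03-14T09:00:05 fw1 src=10.20.0.50 dst=10.20.0.10 proto=tcp dport=23 action=allow",
    "2024-03-14T09:00:06 fw1 src=198.51.100.9 dst=10.20.0.10 proto=tcp dport=443 action=allow",
] + [
    f"2024-03-14T09:01:{3 * i:02d} fw1 src=203.0.113.7 dst=10.20.0.12 proto=tcp dport=23 action=allow"
    for i in range(10)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The first check is the one that matters most operationally: if cameras and DVRs are segmented as the FBI recommends, any permitted telnet session from outside their VLAN is a policy failure regardless of volume. The scan and brute-force checks catch the reconnaissance even when the firewall is blocking it, which is the early warning a SOC wants before a weak vendor password gets guessed.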
Malicious cyber actors commonly use RATs to take over and control a targeted device from a distance.
The Hiatus campaign originally targeted outdated network edge devices, the FBI notice explained.
How to Protect IoT Devices
The proliferation of IoT devices has introduced new security risks and vulnerabilities to organizations.
To mitigate these risks, the FBI recommended organizations take the following steps:
- Review or establish security policies, user agreements and patching plans
- Patch and update operating systems, software and firmware as soon as manufacturer updates are available
- If devices are no longer supported by the manufacturer, consider removing them from your network
- Regularly change network system and account passwords
- Require multifactor authentication (MFA) where possible
- Implement security monitoring tools that log network traffic
- Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans
- Create offline backups of critical assets