FBI Warns: HiatusRAT Targets Webcams and DVR Devices
The Federal Bureau of Investigation (FBI) has issued a warning about a new threat targeting webcams and digital video recorders (DVR). This threat, known as the HiatusRAT malware, allows cybercriminals to remotely control these devices.
The activity of HiatusRAT has been observed since July 2022. Initially, this sophisticated malware targeted outdated network edge devices. However, it has now escalated to conducting reconnaissance attacks on U.S. government servers used for defense contracts and various organizations in Taiwan.
In March 2024, HiatusRAT operators launched a large-scale scanning campaign in the United States, Australia, Canada, New Zealand, and the United Kingdom. The primary targets of these attacks were Internet of Things (IoT) devices connected to the internet, particularly webcams and DVRs manufactured in China.
HiatusRAT specifically targets devices with Telnet access, including those from Xiongmai and Hikvision. The attackers used tools such as “Ingram” (available on GitHub) and “Medusa” (an open-source password-cracking tool), and exploited several critical vulnerabilities:
- CVE-2017-7921: Authentication flaw in Hikvision cameras.
- CVE-2018-9995: Authentication bypass vulnerability in several DVR brands.
- CVE-2020-25078: Remote administrator password disclosure vulnerability in certain D-Link cameras.
- CVE-2021-33044: Authentication bypass issue in Dahua products.
- CVE-2021-36260: Command injection vulnerability via web server in Hikvision products.
HiatusRAT uses scanning tools to identify vulnerabilities in IoT devices and, once in control, can perform the following tasks:
- Read and modify data on the device.
- Install additional malware.
- Conduct attacks on other devices within the network.
- Use the device for Distributed Denial-of-Service (DDoS) attacks.
Moreover, cybercriminals controlling HiatusRAT can gather information from compromised devices and later use it for further attacks against other organizations. Devices running outdated or unpatched software are particularly vulnerable to this threat.
The FBI recommends the following measures to protect against such attacks:
- Regularly update device systems, applications, and firmware.
- Periodically change network system and account passwords.
- Implement strong password policies and enable two-factor authentication.
- Use security monitoring tools to detect unusual network activity.
- Keep logs of remote connections and analyze them.
- Enforce a policy of using only verified applications.
- Regularly audit administrative accounts.
- Create offline backups of critical data.
- Segment your network as much as possible and implement firewalls between different segments.
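The log-analysis and segmentation measures above can be combined into a simple check, shown here as an added example that is not part of the FBI advisory or the original article. It assumes a hypothetical camera/DVR subnet, one approved recorder address, and a made-up firewall log format; the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions, not from the article: cameras/DVRs live in 10.20.0.0/24, their
# only approved outside peer is a recorder at 10.30.0.10, and the firewall log
# format is "timestamp src dst dport action".
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.30.0.10")}
TELNET_PORTS = {23, 2323}   # 2323 is a common alternate Telnet port
BURST_THRESHOLD = 5         # connections from one source against one device

# Constructed sample log (documentation-range addresses, not real indicators).
SAMPLE_LOG = "\n".join(
    [f"2024-03-10T02:11:0{i}Z 203.0.113.7 10.20.0.21 23 ALLOW" for i in range(5)]
    + [
        "2024-03-10T02:15:40Z 10.20.0.21 198.51.100.44 443 ALLOW",
        "2024-03-10T02:16:00Z 10.20.0.22 10.30.0.10 554 ALLOW",
        "2024-03-10T02:17:00Z 192.0.2.9 10.20.0.22 80 DENY",
        "truncated line",
    ]
)

def analyze(log_text):
    """Return sorted (finding, src, dst) tuples for the camera segment."""
    findings, attempts = set(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or truncated entry
        _, src, dst, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        outside_src = src_ip not in CAMERA_NET and src_ip not in ALLOWED_PEERS
        if dst_ip in CAMERA_NET and outside_src:
            attempts[(src, dst)] += 1  # inbound from outside the segment
            if port in TELNET_PORTS and action == "ALLOW":
                findings.add(("telnet-reachable", src, dst))
        elif src_ip in CAMERA_NET and dst_ip not in CAMERA_NET:
            if dst_ip not in ALLOWED_PEERS:
                findings.add(("unexpected-egress", src, dst))
    for (src, dst), count in attempts.items():
        if count >= BURST_THRESHOLD:
            findings.add(("connection-burst", src, dst))
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

A "telnet-reachable" finding means the firewall between segments is letting Telnet through to a camera or DVR, and "unexpected-egress" means a device is talking to something other than its approved peer.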
IoT devices, including webcams and DVRs, remain easy targets for cybercriminals because they often ship with minimal security measures and because users are often unaware of the need to secure the networks these devices sit on. Adapting devices to modern security standards and setting strong passwords are critical steps.
To prevent cyberattacks, every organization must regularly analyze its network infrastructure. The FBI emphasizes that any suspicious activity should be immediately reported to the local Cybersecurity Center.