Vulnerable U

FBI: Watch Out For HiatusRAT Actors Hitting Webcams, DVRs

Starting in March 2024, the HiatusRAT malware was used in a scanning campaign that targeted IoT devices in the U.S., Australia, Canada, New Zealand and the United Kingdom

On Monday, the FBI released a private industry notification warning that the actors behind the HiatusRAT remote access trojan are targeting Chinese-branded web cameras and DVR (digital video recorder) devices.

Key Details

  • In March 2024, the malware was used in a scanning campaign that targeted IoT devices in the U.S., Australia, Canada, New Zealand and the United Kingdom

  • The webcams and DVRs targeted in the campaign either had known vulnerabilities (some of them still unpatched by the vendor) or weak default passwords

  • The internet-exposed TCP ports targeted in this campaign have included 23, 26, 554, 2323, 567, 5523, 8080, 9530 and 56575 (23 and 2323 are telnet, 554 is RTSP and 8080 is a common alternate HTTP port)

  • HiatusRAT has been seen in attacks since 2022. Its most recent version has previously been used to target Taiwan-based organizations and, in one case, to perform reconnaissance against a U.S. government server used for submitting and retrieving defense contract proposals
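The port list and the weak-password angle above are what a defender can act on straight away. The following is an added example, not code from the FBI notification or from the article: it runs over Zeek-style conn.log lines (tab-separated, constructed here for illustration) and flags inbound TCP connections from outside the organisation to the ports named in the notification, separating attempts the edge blocked (Zeek state S0/REJ) from devices that actually answered, and surfacing sources that probe several devices, which is the signature of a scanning or brute-force run. The internal address ranges, the field order and the sample addresses are assumptions for the example.

```python
"""Flag HiatusRAT-style scanning of webcam/DVR ports in Zeek-style conn logs.

Added example (not the FBI's or the article's own code). The log lines below
are constructed; the field order assumed is:
ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# TCP ports named in the FBI notification for this campaign.
HIATUSRAT_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}

# Assumed internal ranges; anything outside them is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zeek conn_state values meaning the responder never answered the SYN.
NO_RESPONSE_STATES = {"S0", "REJ"}

# Constructed sample: one external source sweeps four cameras on four listed
# ports, one camera answers on RTSP and telnet, an internal NVR pulls RTSP
# legitimately, and a second external host makes a single probe.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1710000001.1\tC1\t203.0.113.10\t41000\t192.168.50.20\t23\ttcp\tS0
1710000002.2\tC2\t203.0.113.10\t41001\t192.168.50.21\t2323\ttcp\tS0
1710000003.3\tC3\t203.0.113.10\t41002\t192.168.50.22\t554\ttcp\tSF
1710000004.4\tC4\t203.0.113.10\t41003\t192.168.50.23\t9530\ttcp\tS0
1710000005.5\tC5\t198.51.100.7\t52000\t192.168.50.20\t443\ttcp\tSF
1710000006.6\tC6\t10.0.0.5\t53000\t192.168.50.20\t554\ttcp\tSF
1710000007.7\tC7\t203.0.113.10\t41004\t192.168.50.22\t23\ttcp\tRSTO
1710000008.8\tC8\t198.51.100.9\t52001\t192.168.50.24\t56575\ttcp\tS0
"""


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_conn_line(line: str):
    """Parse one conn.log line; return None for headers or short lines."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    ts, uid, orig_h, _orig_p, resp_h, resp_p, proto, state = fields[:8]
    return {"ts": float(ts), "uid": uid, "src": orig_h, "dst": resp_h,
            "dport": int(resp_p), "proto": proto, "state": state}


def summarize(log_text: str, min_targets: int = 3) -> dict:
    """Return hit count, exposed (host, port) pairs and scanning sources.

    A source is reported as a scanner when it touched at least `min_targets`
    distinct internal hosts on the listed ports.
    """
    hits = []
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in HIATUSRAT_PORTS or not is_external(rec["src"]):
            continue  # legitimate internal traffic (e.g. NVR pulling RTSP) is ignored
        hits.append(rec)
        targets_by_src[rec["src"]].add(rec["dst"])

    # A device that answered on one of these ports is reachable from the internet.
    exposed = sorted({(r["dst"], r["dport"]) for r in hits
                      if r["state"] not in NO_RESPONSE_STATES})
    telnet_exposed = [(h, p) for h, p in exposed if p in TELNET_PORTS]
    scanners = sorted(src for src, hosts in targets_by_src.items()
                      if len(hosts) >= min_targets)
    return {"hits": len(hits), "exposed": exposed,
            "telnet_exposed": telnet_exposed, "scanners": scanners}


if __name__ == "__main__":
    result = summarize(SAMPLE_CONN_LOG)
    print(f"{result['hits']} inbound connections to campaign ports")
    for host, port in result["exposed"]:
        print(f"  exposed: {host}:{port}")
    for src in result["scanners"]:
        print(f"  scanning source: {src}")
```

An S0 against a camera port means the edge filter did its job; an SF or RSTO means the device is answering the internet directly and belongs at the top of the patch-or-replace list. Treat any exposed telnet port as urgent, since the notification singles out telnet access as the path the actors used against Xiongmai and Hikvision devices.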

Targeted Flaws: Attackers are targeting the following flaws as part of this campaign.

  • CVE-2017-7921 - Several Hikvision devices are vulnerable to an improper authentication bug that can enable attackers to escalate privileges and access sensitive information. As of Dec. 14, 2024, Hikvision has not mitigated the flaw across all impacted devices (it has only released updates for cameras sold through authorized distributors), according to the FBI

  • CVE-2018-9995 - Several TBK DVR devices are vulnerable to an authentication bypass flaw. There are currently no updates for it; the FBI recommends that users “immediately replace vulnerable surveillance systems with actively supported models”

  • CVE-2020-25078 - Certain D-Link devices are vulnerable to an issue that could enable remote administrator password disclosure. Some of these impacted devices are end-of-life, said the FBI

  • CVE-2021-33044 - Some Dahua products have an identity authentication bypass bug in the login process, and Dahua has a patch available

  • CVE-2021-36260 - Some Hikvision products have a command injection bug, and Hikvision has updated firmware available 

The Background: The attackers used a webcam-scanning tool called Ingram to conduct the scanning activity, and an open-source brute-force authentication cracking tool called Medusa to target vulnerable Hikvision cameras. In an analysis of the malware last year, Lumen Black Lotus Labs researchers said HiatusRAT enables threat actors to remotely interact with targeted systems. Additionally, “it utilizes prebuilt functionality – some of which is highly unusual – to convert the compromised machine into a covert proxy for the threat actor,” said Black Lotus Labs researchers.

Why It Matters: Some of the flaws targeted in this campaign have not yet been mitigated by the vendors. Because DVRs and webcams are commonly used in enterprise environments and may give access to potentially sensitive data, the FBI recommended limiting the use of these devices or isolating them from the rest of the network.

“Many of these vulnerabilities have not yet been mitigated by the vendors,” according to the FBI. “In particular, the actors targeted Xiongmai and Hikvision devices with telnet access.”