The FBI has issued a Private Industry Notification (PIN) regarding new malware campaigns that target Chinese-branded webcams and DVRs with a remote access trojan (RAT) called HiatusRAT.
This RAT allows cybercriminals to remotely access and control compromised devices. Since its emergence in July 2022, HiatusRAT has been used to infiltrate outdated network devices, specifically targeting Taiwanese organizations and a U.S. government server. Previous campaigns focused on edge routers, using the compromised devices to collect traffic and to serve as a covert command-and-control network. In March 2024, HiatusRAT operators launched a large-scale scanning campaign aimed at webcams and DVRs in several countries, including the U.S., Canada, the UK, Australia, and New Zealand.
The attackers are exploiting security vulnerabilities in devices from vendors such as Hikvision and D-Link, many of which remain unpatched. Notable vulnerabilities include CVE-2017-7921 (Hikvision cameras), CVE-2020-25078 (D-Link devices), and others. The devices are also exposed through telnet, an insecure remote access protocol, and through brute-force attacks on their credentials. In particular, the hackers have targeted Xiongmai and Hikvision devices using tools like Ingram, a webcam-scanning tool, and Medusa, an open-source brute-force authentication cracking tool. The scanning campaign targeted several TCP ports, including 23, 26, 554, and others.
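As an added illustration of how a defender might detect the kind of port sweep described above (example code written for this summary, not anything from the FBI notification or from the campaigns it describes), the script below parses firewall log lines and flags any source that probes two or more of the watched ports within a short time window. The log format, field names, addresses and timestamps are constructed assumptions; only ports 23, 26 and 554 come from the text, and the notification's further ports are not reproduced here.

```python
"""Flag sources sweeping the TCP ports named in the FBI notification.

Added example, not part of the notification or the article. It parses
constructed firewall log lines (format assumed) and reports any source
that touches two or more watched ports within a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the article. The PIN lists more; they are left out here
# because the page does not reproduce them.
WATCHED_PORTS = {23, 26, 554}

# Constructed sample log lines in an assumed key=value format. The public
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2024-03-12T10:00:01Z action=deny src=203.0.113.10 dst=192.168.50.20 dport=23 proto=tcp
2024-03-12T10:00:02Z action=deny src=203.0.113.10 dst=192.168.50.20 dport=26 proto=tcp
2024-03-12T10:00:03Z action=deny src=203.0.113.10 dst=192.168.50.21 dport=554 proto=tcp
2024-03-12T10:00:05Z action=allow src=192.168.50.5 dst=192.168.50.20 dport=554 proto=tcp
2024-03-12T10:20:00Z action=deny src=198.51.100.7 dst=192.168.50.22 dport=23 proto=tcp
2024-03-12T11:30:00Z action=deny src=198.51.100.7 dst=192.168.50.22 dport=554 proto=tcp
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dport); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        return ts, fields["src"], int(fields["dport"])
    except (KeyError, ValueError):
        return None


def find_port_sweeps(log_text, window_minutes=10, min_ports=2, watched=WATCHED_PORTS):
    """Return {src: sorted ports} for every source that hits at least
    `min_ports` distinct watched ports inside any `window_minutes` window.

    Both allowed and denied connections count: a probe of an exposed
    service is still a probe.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in watched:
            by_src[rec[1]].append((rec[0], rec[2]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # port -> hits inside the current window
        start = 0
        for ts, port in events:
            in_window[port] += 1
            # Drop events that fell out of the window behind this one.
            while ts - events[start][0] > window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                flagged.setdefault(src, set()).update(in_window)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOGS).items():
        print(f"possible sweep from {src}: ports {ports}")
```

With the default 10-minute window only 203.0.113.10 is reported; 198.51.100.7 probes two watched ports 70 minutes apart and is flagged only if the window is widened, which is the trade-off between catching slow scans and tolerating unrelated hits from the same address.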
To mitigate these threats, the FBI advises organizations to limit the use of the affected devices and isolate them from their networks. Companies should regularly monitor their networks, enforce strong cybersecurity practices, and keep security policies, user agreements, and patching plans up to date. Additionally, patching operating systems, software, and firmware promptly, changing network system and account passwords regularly, and implementing multi-factor authentication wherever possible are crucial steps in defending against these cyber threats.