FBI Warns of HiatusRAT Targeting Network Devices Worldwide

The Federal Bureau of Investigation (FBI) issued an important Private Industry Notification (PIN), warning organizations about an emerging malware campaign using HiatusRAT as part of an elaborate global malware campaign targeting Chinese-brand web cameras and digital video recorders (DVRs) from different nations across multiple regions.

HiatusRAT has rapidly progressed into an extremely potent cyber threat since July 2022, breaching various network devices including those belonging to US government servers and Taiwanese organizations. Their latest campaign launched in March 2024 has expanded their target reach into multiple jurisdictions such as the US, Canada, UK Australia & New Zealand.

Technical Exploitation Methods

Cybercriminals have multiple attack vectors at their disposal to breach network devices, with particular attention paid to:

• Hikvision cameras
• D-Link devices
• Xiongmai technology products

The hackers exploit multiple unpatched security vulnerabilities, including:

• CVE-2017-7921
• CVE-2020-25078
• CVE-2018-9995
• CVE-2021-33044
• CVE-2021-36260

Advanced Scanning and Brute-Force Techniques

The attackers employ sophisticated tools to breach device security:

• Ingram: A GitHub-based webcam scanning tool
• Medusa: An open-source brute-force authentication cracking tool

They target specific TCP ports, including 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575, demonstrating a comprehensive approach to network infiltration.

Recommended Mitigation Strategies

The FBI provides comprehensive guidance for organizations to protect against HiatusRAT:

1. Isolate vulnerable devices from networks
2. Implement multi-factor authentication
3. Enforce strong password policies
4. Regularly update firmware and software
5. Monitor network activities consistently
6. Review and update security policies

Cybersecurity experts, including Sonu Shankar, a former federal critical infrastructure official, are actively collaborating with Chief Information Security Officers (CISOs) to address the escalating threat these malware campaigns pose.