
FBI Warns of HiatusRAT Attacks on Cameras, DVR Systems

FBI says HiatusRAT’s operators were seen scanning for web cameras and DVR systems affected by years-old vulnerabilities.


The FBI has issued a fresh alert on the HiatusRAT malware targeting years-old vulnerabilities in web cameras and DVR systems.

Initially detailed last year, HiatusRAT has been active since mid-2022, hitting hundreds of organizations in Europe, Latin America, and the US, mainly by exploiting vulnerable high-bandwidth routers.

Last year, HiatusRAT’s operators were seen performing reconnaissance against a US military procurement system and targeting Taiwan-based organizations in the government, semiconductor, and chemical manufacturing sectors.

According to the FBI’s alert (PDF), in March 2024 the threat actors were seen scanning the internet for web cameras and DVRs affected by known issues, including defects in CISA’s Known Exploited Vulnerabilities catalog, or using weak vendor-supplied credentials.

They used the Ingram scanning tool, mainly to target Xiongmai and Hikvision devices with telnet access in the Five Eyes intelligence alliance countries, looking for those impacted by vulnerabilities such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260.

Many of these flaws have not been mitigated by the vendors and affect multiple device brands. CVE-2018-9995, for instance, impacts CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, Pulnix, QSee, Securus, and XVR 5 in 1, which are rebranded versions of original TBK devices, the FBI says.

In addition to scanning for these vulnerabilities, the HiatusRAT operators employed the open-source brute-force authentication cracking tool Medusa to target Hikvision cameras with telnet access.

The FBI recommends that all organizations scan their environments for devices impacted by these vulnerabilities and remove or isolate them from the rest of the network.


They should also employ cybersecurity best practices, which include reviewing policies, implementing patch management and network segmentation, regularly rotating credentials, enforcing strong password policies, implementing multi-factor authentication (MFA), using monitoring tools, auditing administrative accounts, closing unused ports, keeping systems and applications updated, and auditing logs.
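The two recommendations above (find affected devices and isolate them; close unused ports, rotate credentials and audit logs) can be turned into a small, repeatable triage script. The following is an added example, not code from the FBI alert or from SecurityWeek. It checks a device inventory against the exposure pattern described in the article (telnet reachable, vendor-supplied credentials, one of the listed CVEs) and scans authentication logs for the repeated telnet login failures a Medusa-style brute-force run leaves behind. The inventory records, the log lines and their syslog-like format are constructed sample data; the `Device` field names are assumptions and not any vendor's export format.

```python
"""Defender-side triage for the camera/DVR exposure described in the FBI alert.

Added example. Two checks a network team can run against its own data:
  1. inventory_risk(): flag inventory entries matching the exposure the alert
     describes (telnet reachable, vendor-supplied credentials, listed CVE).
  2. telnet_bruteforce_sources(): find sources producing brute-force style
     telnet login failures in authentication logs, and note whether a login
     from that source eventually succeeded (the case that needs an incident
     response, not just a firewall change).

All sample data below is CONSTRUCTED; field names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
import re

# CVEs the FBI alert names as scanned for by HiatusRAT operators.
ALERT_CVES = {"CVE-2017-7921", "CVE-2018-9995", "CVE-2020-25078",
              "CVE-2021-33044", "CVE-2021-36260"}
TELNET_PORT = 23


@dataclass
class Device:
    ip: str
    vendor: str
    open_ports: set
    default_creds: bool                  # assumption: from the org's own credential audit
    known_cves: set = field(default_factory=set)  # assumption: from a vuln scanner export


def inventory_risk(devices):
    """Return {ip: [reasons]} for devices that should be isolated or removed."""
    findings = {}
    for d in devices:
        reasons = []
        if TELNET_PORT in d.open_ports:
            reasons.append("telnet exposed")
        if d.default_creds:
            reasons.append("vendor-supplied credentials")
        hits = sorted(d.known_cves & ALERT_CVES)
        if hits:
            reasons.append("alert CVEs: " + ", ".join(hits))
        if reasons:
            findings[d.ip] = reasons
    return findings


# Constructed syslog-style telnet authentication events (format is an assumption).
LOG_RE = re.compile(r"telnetd\[\d+\]: (?P<result>FAILED|ACCEPTED) login for "
                    r"'(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)")


def telnet_bruteforce_sources(lines, threshold=5):
    """Return {src_ip: {"failures": n, "success_after_failures": bool}}
    for every source with at least `threshold` failed telnet logins."""
    failures = Counter()
    succeeded_after_failures = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a telnet authentication event
        src = m["src"]
        if m["result"] == "FAILED":
            failures[src] += 1
        elif failures[src] > 0:           # ACCEPTED after earlier failures from same source
            succeeded_after_failures.add(src)
    return {src: {"failures": n,
                  "success_after_failures": src in succeeded_after_failures}
            for src, n in failures.items() if n >= threshold}


# Constructed inventory (10.0.5.x) and log lines (TEST-NET source addresses).
SAMPLE_DEVICES = [
    Device("10.0.5.11", "Hikvision", {23, 80}, True, {"CVE-2017-7921"}),
    Device("10.0.5.12", "Xiongmai", {80, 554}, False, set()),
    Device("10.0.5.13", "TBK rebrand", {80}, False, {"CVE-2018-9995"}),
    Device("10.0.5.14", "Other", {23}, False, set()),
]

SAMPLE_LOG = [
    "Dec 10 03:14:01 cam-05 telnetd[812]: FAILED login for 'admin' from 203.0.113.7",
    "Dec 10 03:14:02 cam-05 telnetd[812]: FAILED login for 'root' from 203.0.113.7",
    "Dec 10 03:14:02 cam-05 telnetd[812]: FAILED login for 'admin' from 203.0.113.7",
    "Dec 10 03:14:03 cam-05 telnetd[812]: FAILED login for 'guest' from 203.0.113.7",
    "Dec 10 03:14:03 cam-05 telnetd[812]: FAILED login for 'admin' from 203.0.113.7",
    "Dec 10 03:14:04 cam-05 telnetd[812]: FAILED login for 'support' from 203.0.113.7",
    "Dec 10 03:14:05 cam-05 telnetd[812]: ACCEPTED login for 'admin' from 203.0.113.7",
    "Dec 10 03:20:11 cam-05 telnetd[812]: FAILED login for 'admin' from 198.51.100.9",
    "Dec 10 03:21:40 cam-05 telnetd[812]: ACCEPTED login for 'admin' from 198.51.100.9",
    "Dec 10 03:22:00 cam-05 sshd[900]: Accepted publickey for ops from 10.0.0.5",
]

if __name__ == "__main__":
    for ip, reasons in inventory_risk(SAMPLE_DEVICES).items():
        print(f"isolate {ip}: {'; '.join(reasons)}")
    for src, info in telnet_bruteforce_sources(SAMPLE_LOG).items():
        print(f"brute-force source {src}: {info}")
```

On the sample data the inventory check flags three of the four devices (the Xiongmai unit with no telnet, no default credentials and no listed CVE is left alone), and the log check reports 203.0.113.7 with six failures followed by a successful login, while the single failure from 198.51.100.9 stays under the default threshold. In practice the inventory would come from a scanner export and the log lines from the DVR or camera syslog feed; lowering `threshold` trades noise for sensitivity.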


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
