
FBI Warns of HiatusRAT Attacks on Cameras, DVR Systems

FBI says HiatusRAT’s operators were seen scanning for web cameras and DVR systems affected by years-old vulnerabilities.


The FBI has issued a fresh alert on the HiatusRAT malware targeting years-old vulnerabilities in web cameras and DVR systems.

Initially detailed last year, HiatusRAT has been active since mid-2022, hitting hundreds of organizations in Europe, Latin America, and the US, mainly by exploiting vulnerable high-bandwidth routers.

Last year, HiatusRAT’s operators were seen performing reconnaissance against a US military procurement system and targeting Taiwan-based organizations in the government, semiconductor, and chemical manufacturing sectors.

According to the FBI’s alert (PDF), in March 2024 the threat actors were seen scanning the internet for web cameras and DVRs affected by known vulnerabilities, including several listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, or still using weak vendor-supplied credentials.

Using the Ingram scanning tool, they mainly targeted Xiongmai and Hikvision devices with telnet access in the Five Eyes intelligence alliance countries, looking for those affected by vulnerabilities such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260.

Many of these flaws have not been mitigated by the vendors and affect multiple device brands. CVE-2018-9995, for instance, impacts CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, Pulnix, QSee, Securus, and XVR 5 in 1, which are rebranded versions of original TBK devices, the FBI says.


In addition to scanning for these vulnerabilities, the HiatusRAT operators employed Medusa, an open source authentication brute-forcing tool, against Hikvision cameras with telnet access.

The FBI recommends that all organizations scan their environments for devices impacted by these vulnerabilities and remove or isolate them from the rest of the network.

They should also employ cybersecurity best practices, which include reviewing policies, implementing patch management and network segmentation, regularly rotating credentials, enforcing strong password policies, implementing multi-factor authentication (MFA), using monitoring tools, auditing administrative accounts, closing unused ports, keeping systems and applications updated, and auditing logs.
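As an added example (not part of the FBI alert or this article), the two behaviours described above, an Ingram-style telnet sweep across many devices and Medusa-style repeated telnet connections to one camera, can be surfaced from ordinary firewall logs with the kind of monitoring the FBI recommends. The log line format, thresholds and sample traffic below are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style firewall line format (an assumption, not any vendor's real format):
# "<ISO timestamp> ACCEPT src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) ACCEPT src=([\d.]+) dst=([\d.]+) dport=(\d+)$")

def telnet_events(lines):
    """Parse lines, drop malformed ones, keep only connections to telnet (port 23), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m[4]) == 23:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    return sorted(events)

def _window_hits(events, window, measure, threshold):
    """events: time-sorted (ts, payload) tuples. True if some span no longer than `window`
    has measure(span) >= threshold (two-pointer sliding window)."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if measure(events[start:end + 1]) >= threshold:
            return True
    return False

def detect_telnet_scanners(lines, min_hosts=5, window=timedelta(minutes=5)):
    """Sources that reached telnet on >= min_hosts distinct devices inside one window (sweep)."""
    by_src = defaultdict(list)
    for ts, src, dst in telnet_events(lines):
        by_src[src].append((ts, dst))
    return {src for src, evs in by_src.items()
            if _window_hits(evs, window, lambda span: len({d for _, d in span}), min_hosts)}

def detect_telnet_bruteforce(lines, min_attempts=10, window=timedelta(minutes=5)):
    """(src, dst) pairs with >= min_attempts telnet connections to one device inside one window."""
    by_pair = defaultdict(list)
    for ts, src, dst in telnet_events(lines):
        by_pair[(src, dst)].append((ts, None))
    return {pair for pair, evs in by_pair.items() if _window_hits(evs, window, len, min_attempts)}

# Constructed sample log (not real traffic): one source sweeping telnet across six devices,
# one source hitting a single camera's telnet port 12 times, benign HTTPS, and a junk line.
SAMPLE_LOG = (
    [f"2024-03-02T10:00:{i:02d} ACCEPT src=203.0.113.5 dst=10.0.5.{10 + i} dport=23" for i in range(6)]
    + [f"2024-03-02T10:01:{i:02d} ACCEPT src=198.51.100.7 dst=10.0.5.20 dport=23" for i in range(12)]
    + ["2024-03-02T10:02:00 ACCEPT src=192.0.2.9 dst=10.0.5.30 dport=443", "not a firewall line"]
)
```

Running `detect_telnet_scanners(SAMPLE_LOG)` flags the sweeping source and `detect_telnet_bruteforce(SAMPLE_LOG)` flags the single (source, camera) pair; in practice the thresholds should be tuned to the network and the flagged devices checked against the CVE list above.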


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
