HiatusRAT malware found targeting DVRs and web cameras

December 31, 2024

A new HiatusRAT malware campaign targets and compromises vulnerable web cameras and DVRs.

A federal law enforcement agency has warned the public about this threat. The malware targets Chinese-brand devices that have unpatched security flaws or have reached end-of-life status.

Moreover, the advisory stated that the threat actors operating the new malware campaign launched a scanning operation earlier this year, targeting Internet of Things (IoT) devices in various countries, including the US, Canada, Australia, New Zealand, and the UK.

The campaign’s initial assessment shows that the attackers are looking for webcams and DVRs with vulnerabilities such as CVE-2020-25078, CVE-2017-7921, CVE-2018-9995, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords.

The HiatusRAT malware campaign targets a couple of specific devices.

According to investigations, the HiatusRAT malware operators primarily target Hikvision and Xiongmai devices with telnet access, utilising Ingram, an open-source web camera vulnerability detection tool. Their main weapon in this campaign, however, is Medusa, the well-known brute-force authentication tool.

Further research also revealed that these attacks targeted web cameras and DVRs connected to the Internet via TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.

This discovery prompted the FBI to advise network defenders to restrict the use of the devices indicated in its Private Industry Notification (PIN) and/or isolate them from the rest of their networks, so that a successful HiatusRAT infection cannot be used as a foothold for lateral movement.
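To turn the port list above and the FBI's restrict-or-isolate advice into something a defender can run, the following added example (not from the article or the FBI PIN) scans firewall-style connection logs for attempts against the reported campaign ports and flags source/device pairs whose repeated telnet-port connects look like a Medusa-style password-guessing run. The log line format, the addresses, and the brute-force threshold are all constructed for the example.

```python
import re
from collections import Counter

# Ports the article reports as targeted by the campaign.
HIATUS_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
# Telnet-style ports on which repeated connects from one source suggest a
# Medusa-style credential brute-force run against a camera or DVR.
TELNET_PORTS = {23, 26, 2323}
BRUTE_FORCE_THRESHOLD = 5  # connects per (source, device); a constructed tuning value

# Constructed, generic firewall-style line: "<ts> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(lines):
    """Yield (src, dst, dport, action) for every line matching the constructed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["action"]


def analyse(lines):
    """Return (hits, brute_force_pairs): every attempt to a campaign port as
    (src, dst, dport), and the (src, dst) pairs whose accepted telnet-port
    connects reach BRUTE_FORCE_THRESHOLD, i.e. likely password guessing."""
    hits = []
    telnet_counts = Counter()
    for src, dst, dport, action in parse(lines):
        if dport not in HIATUS_PORTS:
            continue
        hits.append((src, dst, dport))
        if dport in TELNET_PORTS and action == "ACCEPT":
            telnet_counts[(src, dst)] += 1
    brute = {pair for pair, n in telnet_counts.items() if n >= BRUTE_FORCE_THRESHOLD}
    return hits, brute


# Constructed sample log using documentation address ranges (RFC 5737).
SAMPLE_LOG = (
    [f"2024-12-30T10:00:{i:02d}Z ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=23" for i in range(6)]
    + ["2024-12-30T10:01:00Z ACCEPT src=203.0.113.7 dst=192.0.2.11 dport=554",
       "2024-12-30T10:01:05Z DROP src=198.51.100.9 dst=192.0.2.10 dport=2323",
       "2024-12-30T10:01:09Z ACCEPT src=198.51.100.9 dst=192.0.2.12 dport=443"]
)

if __name__ == "__main__":
    hits, brute = analyse(SAMPLE_LOG)
    print(f"{len(hits)} campaign-port attempts; brute-force candidates: {sorted(brute)}")
```

Any accepted connection to these ports from outside a dedicated management segment is itself a finding under the FBI's isolation advice; the brute-force count only ranks which devices to look at first.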

The agency urges system administrators and cybersecurity professionals to report any suspected indicators of compromise (IOCs) linked to the new campaign.

This malicious operation follows two previous waves of attacks, which included a reconnaissance attack targeting a Defense Department server and another in which more than a hundred businesses in North America, Europe, and South America had their DrayTek Vigor VPN routers infected to create a covert proxy network.

The researchers who initially discovered HiatusRAT stated that the malware's primary role is to deliver further payloads to infected devices and to turn the compromised devices into SOCKS5 proxies for communication with the command-and-control (C2) server.

Organisations and users that still operate the flawed devices mentioned above should stop using them while they run vulnerable firmware versions. Devices that have already reached end-of-life should be retired, as no fix will be released for them and they are the most susceptible to this cybercriminal campaign.
