The FBI has issued a warning about a new wave of cyberattacks leveraging the HiatusRAT malware, targeting vulnerable internet-connected webcams and digital video recorders (DVRs). The campaign predominantly focuses on Chinese-manufactured devices that have either not received security updates or have reached the end of their service life.
According to the advisory, in March 2024, attackers conducted extensive scans of IoT devices across the United States, Australia, Canada, New Zealand, and the United Kingdom. The primary targets were webcams and DVRs vulnerable to exploits such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260, as well as devices with weak default passwords set by manufacturers.
The attackers have been exploiting devices from vendors such as Hikvision and Xiongmai that are reachable over telnet. Two open-source tools appear in the campaign: Ingram, a scanner that identifies vulnerable webcams, and Medusa, a brute-force authentication tool used to guess logins. The targeted TCP ports are 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575, services that are commonly left exposed to the internet on these devices.
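The port list above is the most directly actionable part of the advisory: a defender can run it against existing connection logs to find which cameras and DVRs are already answering internet clients, and which are being hammered in the way a Medusa-style brute-force run looks on the wire. The script below is an added example, not code from the FBI advisory or from Lumen. It assumes a Zeek conn.log-like TSV layout (the field set, the sample records and the brute-force threshold of 20 connections are all constructed here; the internal network ranges are the RFC 1918 blocks and should be replaced with the site's own).

```python
"""Triage connection logs for exposure to the HiatusRAT webcam/DVR campaign.

Added example, not part of the FBI advisory or Lumen's report. Input format
(assumed): tab-separated Zeek-style conn.log with the seven fields below.
"""
import ipaddress
from collections import Counter, defaultdict

# TCP ports the advisory lists as targeted by the campaign.
TARGETED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Assumed: treat this many connections from one external source to one
# (device, port) pair within the log window as a brute-force attempt.
BRUTE_FORCE_THRESHOLD = 20

# Assumed internal address space; replace with the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "conn_state"]


def _conn(ts, src, sport, dst, dport, state):
    return f"{ts:.6f}\t{src}\t{sport}\t{dst}\t{dport}\ttcp\t{state}"


# Constructed sample log (not real capture data). Zeek conn_state values:
# SF = normal completion, REJ = rejected, S0 = no reply, RSTO = originator reset.
SAMPLE_LOG = "\n".join(
    ["#fields\t" + "\t".join(FIELDS),
     _conn(1710000001.0, "203.0.113.7", 51000, "192.168.10.21", 554, "SF"),    # RTSP from internet
     _conn(1710000002.0, "203.0.113.7", 51001, "192.168.10.21", 8080, "SF"),   # web UI from internet
     _conn(1710000003.0, "192.168.10.5", 40000, "192.168.10.21", 554, "SF"),   # internal viewer, benign
     _conn(1710000004.0, "198.51.100.44", 42000, "192.168.10.22", 9530, "REJ"),  # probe of a closed port
     _conn(1710000005.0, "203.0.113.9", 33000, "192.168.10.30", 443, "SF")]    # not a targeted port
    # Burst of 25 short telnet sessions: what password guessing against 2323 looks like.
    + [_conn(1710000100.0 + i, "198.51.100.44", 43000 + i, "192.168.10.22", 2323, "RSTO") for i in range(25)]
)


def parse_conn_log(text):
    """Yield one dict per record; '#' lines are Zeek headers and are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines instead of aborting the whole run
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def is_external(ip_str):
    """True when the address is outside the configured internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_devices(records):
    """Map internal device -> sorted targeted ports that actually answered an external client."""
    exposed = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp" or r["resp_p"] not in TARGETED_PORTS:
            continue
        if not is_external(r["orig_h"]) or is_external(r["resp_h"]):
            continue
        if r["conn_state"] in ("S0", "REJ"):  # nothing listening was reached
            continue
        exposed[r["resp_h"]].add(r["resp_p"])
    return {host: sorted(ports) for host, ports in exposed.items()}


def find_brute_force(records, threshold=BRUTE_FORCE_THRESHOLD):
    """Count connections per (external source, device, targeted port); return those at/over threshold."""
    counts = Counter()
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] in TARGETED_PORTS and is_external(r["orig_h"]):
            counts[(r["orig_h"], r["resp_h"], r["resp_p"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(log_text):
    """Run both checks over one log and return (exposed_devices, brute_force_hits)."""
    records = list(parse_conn_log(log_text))
    return find_exposed_devices(records), find_brute_force(records)


if __name__ == "__main__":
    exposed, brute = triage(SAMPLE_LOG)
    for host, ports in exposed.items():
        print(f"EXPOSED  {host} answered internet clients on ports {ports}")
    for (src, dst, port), n in brute.items():
        print(f"BRUTE    {src} -> {dst}:{port}  {n} connections in window")
```

Devices that show up under EXPOSED are the ones to move behind the isolation the FBI recommends; the brute-force hits are candidate indicators to preserve and report. Exposure deliberately ignores S0 and REJ states, since a SYN that went unanswered says nothing about what the device is running.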
The FBI advises limiting the use of such devices or isolating them from broader network infrastructure to mitigate risks of compromise and threat propagation. System administrators and cybersecurity professionals are encouraged to report potential indicators of compromise to the FBI’s Internet Crime Complaint Center (IC3) or local bureau offices.
This campaign continues a series of operations, including a prior attack wave on DrayTek Vigor routers, which resulted in the compromise of over a hundred companies across North America, Europe, and South America. HiatusRAT was employed in these attacks to establish covert proxy networks on infected devices.
Researchers at Lumen, who first documented HiatusRAT in 2023, noted that the malware's primary purpose is to deploy additional malicious payloads and turn compromised devices into SOCKS5 proxies that relay traffic to the attackers' command-and-control (C2) infrastructure. The shifting focus of the attacks and the nature of the data collected align closely with China's strategic interests.