Pierluigi Paganini
December 17, 2024
The Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) to warn of HiatusRAT malware campaigns targeting Chinese-branded web cameras and DVRs.
The report includes a set of recommendations to mitigate the exposure to the threat behind the current scanning campaigns.
“The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight HiatusRAT1 scanning campaigns against Chinese-branded web cameras and DVRs.” reads the PIN report. “Private sector partners are encouraged to implement the recommendations listed in the “Mitigation” column of the table below to reduce the likelihood and impact of these attack campaigns.”
The Remote Access Trojan (RAT) has been active since July 2022. In March 2023, Lumen Black Lotus Labs researchers uncovered a sophisticated campaign called “HiatusRAT” that infected over 100 edge networking devices globally. Threat actors leveraged edge routers, or “living on the edge” access, to passively collect traffic and set up a covert C2 infrastructure.
In June 2023, the group started a reconnaissance and targeting activity aimed at a U.S. military procurement system and was spotted targeting Taiwan-based organizations
The choice of the new targets in the latest campaign suggests a strategic interest of the People’s Republic of China according to the 2023 ODNI threat assessment.
The threat actor hosted newly compiled malware on different procured virtual private servers (VPSs). One of these virtual private servers was exclusively employed in attacks against entities across Taiwan, including commercial firms and at least one municipal government organization.
Another VPS node was used to target a U.S. military server used for contract proposals and submissions.. Threat actors appeared to be interested in gathering intelligence about military requirements, with a focus on organizations involved in the Defense Industrial Base (DIB).
“Starting in mid-June through August 2023, Black Lotus Labs observed multiple newly compiled versions of the HiatusRAT malware discovered in the wild. In this latest campaign, our investigation also uncovered prebuilt Hiatus binaries that target new architectures such as Arm, Intel 80386, and x86-64 and previously targeted architectures such as MIPS, MIPS64, and i386.” reads the report published by Black Lotus Labs.
In March 2024, threat actors behind this campaign started targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom. The threat actors attempted to exploit multiple vulnerabilities in DVRs, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. Attackers also attempted to exploit weak vendor-supplied passwords.
Threat actors exploited unpatched vulnerabilities in Xiongmai and Hikvision devices, using tools like Ingram for scanning and Medusa for brute-force attacks via Telnet. Targeted TCP ports included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.
The FBI recommends limiting or isolating vulnerable devices, monitoring networks, and following cybersecurity best practices. Recommendations include timely patching, using strong and unique passwords, enabling multi-factor authentication, implementing security tools to detect abnormal activity, auditing accounts, scanning for open ports, segmenting networks, updating antivirus software, and creating offline backups.
The feds urge to report any signs of compromise to the FBI or IC3.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, HiatusRAT)
