HiatusRAT Actors Targeting Web Cameras and DVRs
The Federal Bureau of Investigation (FBI) is issuing a Private Industry Notification (PIN) to bring attention to HiatusRAT scanning campaigns targeting Chinese-branded web cameras and DVRs.
HiatusRAT is a Remote Access Trojan (RAT) that has likely been in use since July 2022. Cybercriminals frequently utilize RATs to remotely access and control targeted devices. Initially, the Hiatus campaign focused on exploiting outdated network edge devices.
In March 2024, HiatusRAT operators launched a scanning campaign aimed at Internet of Things (IoT) devices across the United States, Australia, Canada, New Zealand, and the United Kingdom. The campaign targeted web cameras and DVRs, exploiting vulnerabilities such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak default passwords supplied by vendors.
Many of these vulnerabilities remain unpatched by the vendors. The actors focused on Xiongmai and Hikvision devices with telnet access, using Ingram, a webcam-scanning tool available on GitHub, and Medusa, an open-source brute-force authentication tool, against Hikvision cameras. The targeted TCP ports were 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.
Further details can be found at https://www.ic3.gov/CSA/2024/241216.pdf
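A defender reading the PIN will want to know whether this scanning has already reached their perimeter. The script below is an added example, not part of the FBI notification or the original article: it parses constructed iptables/netfilter-style firewall log lines (assumed format, sample data made up for this example) and flags any source that probed several of the TCP ports listed above, and lists internal addresses that received telnet (23/2323) connection attempts so those devices can be checked for exposed telnet and default credentials. The threshold of three distinct ports is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# TCP ports named in the FBI PIN as targets of the HiatusRAT scanning campaign.
HIATUS_PORTS = {23, 26, 554, 567, 2323, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}

# Constructed sample log lines in an assumed iptables LOG format; not real traffic.
SAMPLE_LOG = """\
Mar 12 03:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=23 SYN
Mar 12 03:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=2323 SYN
Mar 12 03:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=44125 DPT=554 SYN
Mar 12 03:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=44126 DPT=9530 SYN
Mar 12 03:14:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=44127 DPT=56575 SYN
Mar 12 03:14:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50211 DPT=443 SYN
Mar 12 03:14:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50212 DPT=8080 SYN
Mar 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=UDP SPT=5353 DPT=5353
"""

# Pull source, destination, protocol and destination port out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield (src, dst, proto, dport) for every line that matches the log format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_scanners(text, min_ports=3):
    """Map source IP -> sorted list of HiatusRAT target ports it probed over TCP,
    keeping only sources that touched at least min_ports distinct target ports."""
    hits = defaultdict(set)
    for src, _dst, proto, dport in parse_lines(text):
        if proto == "TCP" and dport in HIATUS_PORTS:
            hits[src].add(dport)
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


def telnet_targets(text):
    """Sorted list of destination IPs that received TCP connection attempts on
    telnet ports; these are the devices to audit for exposed telnet and default
    vendor passwords."""
    targets = set()
    for _src, dst, proto, dport in parse_lines(text):
        if proto == "TCP" and dport in TELNET_PORTS:
            targets.add(dst)
    return sorted(targets)


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed HiatusRAT target ports {ports}")
    print("devices receiving telnet probes:", telnet_targets(SAMPLE_LOG))
```

On the sample data the script reports 203.0.113.7 as a scanner (five of the listed ports across three hosts) while 198.51.100.4, which touched only 8080, stays below the threshold; 192.0.2.10 is reported as a telnet-probed device. In production, feed it the real firewall or NetFlow export and tune the threshold to your baseline.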

Kerry is a Content Creator at www.systemtek.co.uk. She has spent many years working in IT support; her main interests are computing, networking and AI.