FBI Alerts: HiatusRAT Malware Targets Vulnerable Web Cameras & DVRs!

FBI warns of HiatusRAT malware targeting vulnerable web cameras and DVRs, exploiting outdated devices and weak passwords for cyberattacks.

18-Dec-2024
6 min read

The FBI has issued an urgent Private Industry Notification (PIN) warning regarding a new wave of malware attacks from HiatusRAT, a highly sophisticated and evolving cyber threat. The malware primarily targets vulnerable Internet of Things (IoT) devices, such as web cameras and Digital Video Recorders (DVRs), which are exposed to the internet. The attackers are focusing on Chinese-branded devices that have outdated firmware, unpatched security vulnerabilities, or have reached the end of their lifecycle.

According to the FBI's alert, HiatusRAT has been actively scanning for these vulnerable devices across various countries, including the United States, Australia, Canada, New Zealand, and the United Kingdom. The FBI's warning sheds light on the evolving tactics used by cybercriminals to exploit known vulnerabilities and weak security measures.

Technical Analysis

Targeted Devices and Vulnerabilities

The primary targets of HiatusRAT malware are Hikvision and Xiongmai web cameras and DVRs. These devices are typically deployed in surveillance systems and are notorious for weak or default passwords and for service ports left exposed to the internet. The threat actors scan for specific vulnerabilities and then exploit them to compromise the devices.

Some of the known vulnerabilities exploited by HiatusRAT include:

  • CVE-2017-7921: A critical vulnerability affecting video surveillance cameras.
  • CVE-2018-9995: A flaw in the device's firmware that can be leveraged to bypass authentication.
  • CVE-2020-25078: A remote code execution vulnerability in certain DVR systems.
  • CVE-2021-33044: A vulnerability in certain Chinese-branded IoT devices.
  • CVE-2021-36260: A known flaw in some IoT video surveillance systems.
  • Weak Vendor-Supplied Passwords: Attackers often exploit weak or default login credentials.

These vulnerabilities, particularly the ones affecting Hikvision and Xiongmai devices, are well-documented and have been publicized in security bulletins for years. However, many devices have not received timely security patches, leaving them vulnerable to exploitation.

Attack Tools: Ingram and Medusa

To carry out their attacks, HiatusRAT actors use a combination of open-source tools, most notably Ingram and Medusa.

  • Ingram: This open-source vulnerability scanner is used by the attackers to find web cameras exposed to the internet and to check them for known weaknesses in their firmware and software.

  • Medusa: This brute-force password-cracking tool helps attackers gain unauthorized access to IoT devices by systematically trying password combinations. Once a weak or default password is guessed, the attackers log in, compromise the device and install the malware payload.

Exploited Ports

The attackers focus on specific TCP ports that are commonly open on devices exposed to the internet. These include:

  • 23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575

These ports are typically used for telnet and HTTP services, and when exposed to the internet without proper security controls, they become an easy entry point for cybercriminals.
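The port list above and the brute-force pattern described under Medusa translate directly into two log-based detections. The following Python is an added example written for this article, not code from the FBI notification or from the vendor: it flags accepted connections from outside the organisation to camera-segment hosts on the listed ports, and bursts of failed logins from one source against one device, noting whether a successful login followed the burst. The firewall and device-authentication log formats, the 10.50.0.0/24 camera segment, the internal ranges and every address in the sample lines are constructed.

```python
"""Detection over constructed firewall and device-authentication logs.

Check 1: accepted connections from outside the organisation to camera/DVR
hosts on the TCP ports HiatusRAT actors probe.
Check 2: a burst of failed logins from one source against one device, the
trace a brute-force tool such as Medusa leaves behind.
Log formats, subnets and addresses are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports listed in the FBI notification for this campaign.
HIATUSRAT_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Constructed: where this site's cameras and DVRs live, and which ranges
# count as "inside". We match on our own ranges rather than on
# ipaddress.is_private because the documentation ranges used below to
# stand in for the internet (203.0.113.0/24 etc.) are flagged private.
CAMERA_SEGMENT = ip_network("10.50.0.0/24")
INTERNAL_RANGES = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# Constructed firewall log: <ISO time> <ACCEPT|DROP> src= dst= dport= proto=
FIREWALL_LOG = """\
2024-12-17T03:14:05 ACCEPT src=203.0.113.7 dst=10.50.0.21 dport=23 proto=tcp
2024-12-17T03:14:06 ACCEPT src=203.0.113.7 dst=10.50.0.21 dport=8080 proto=tcp
2024-12-17T03:14:07 DROP src=203.0.113.7 dst=10.50.0.22 dport=554 proto=tcp
2024-12-17T03:15:00 ACCEPT src=10.20.0.5 dst=10.50.0.21 dport=554 proto=tcp
2024-12-17T03:15:09 ACCEPT src=198.51.100.9 dst=10.50.0.30 dport=9530 proto=tcp
2024-12-17T03:16:00 ACCEPT src=198.51.100.9 dst=10.20.0.80 dport=443 proto=tcp
"""

# Constructed device log: <ISO time> <device ip> login <FAIL|OK> user= from=
AUTH_LOG = """\
2024-12-17T03:14:10 10.50.0.21 login FAIL user=admin from=203.0.113.7
2024-12-17T03:14:11 10.50.0.21 login FAIL user=admin from=203.0.113.7
2024-12-17T03:14:12 10.50.0.21 login FAIL user=admin from=203.0.113.7
2024-12-17T03:14:13 10.50.0.21 login FAIL user=root from=203.0.113.7
2024-12-17T03:14:14 10.50.0.21 login FAIL user=root from=203.0.113.7
2024-12-17T03:14:15 10.50.0.21 login OK user=admin from=203.0.113.7
2024-12-17T09:00:00 10.50.0.22 login FAIL user=admin from=10.20.0.5
2024-12-17T09:30:00 10.50.0.22 login OK user=admin from=10.20.0.5
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "exposed_port" or "brute_force"
    src: str     # offending source address
    dst: str     # camera/DVR address
    detail: str


def _kv(fields):
    """Turn ['src=1.2.3.4', 'dport=23'] into a dict."""
    return dict(f.split("=", 1) for f in fields if "=" in f)


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_RANGES)


def exposed_port_hits(log_text):
    """One Finding per ACCEPTed connection from an outside address to a
    camera-segment host on a probed port. DROPs are the firewall doing
    its job and are not reported."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "ACCEPT":
            continue
        kv = _kv(parts[2:])
        port = int(kv["dport"])
        if (is_internal(kv["src"]) or ip_address(kv["dst"]) not in CAMERA_SEGMENT
                or port not in HIATUSRAT_PORTS):
            continue
        findings.append(Finding("exposed_port", kv["src"], kv["dst"], f"tcp/{port}"))
    return findings


def brute_force_hits(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag (source, device) pairs with >= threshold failed logins inside a
    sliding window; the detail records whether a success followed, which
    turns a noisy alert into a likely compromise."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "login":
            continue
        kv = _kv(parts[4:])
        key = (kv["from"], parts[1])
        bucket = failures if parts[3] == "FAIL" else successes
        bucket[key].append(datetime.fromisoformat(parts[0]))
    findings = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = any(t >= t_end for t in successes.get(key, []))
                detail = (f"{end - start + 1} failures within {window}; "
                          + ("success followed" if followed else "no success seen"))
                findings.append(Finding("brute_force", key[0], key[1], detail))
                break
    return findings


if __name__ == "__main__":
    for f in exposed_port_hits(FIREWALL_LOG) + brute_force_hits(AUTH_LOG):
        print(f"[{f.kind}] {f.src} -> {f.dst}: {f.detail}")
```

The DROP line in the sample is deliberately not reported: a blocked probe is evidence the perimeter works, while an ACCEPT to a probed port is the finding worth a ticket. The brute-force check keys on source and device together, so a single admin mistyping a password once, as on 10.50.0.22, stays below the threshold.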

FBI Recommendations for Network Defenders

In response to these ongoing attacks, the FBI has outlined several best practices for network defenders and system administrators:

  1. Limit Use of Vulnerable Devices: Network administrators should limit the exposure of vulnerable IoT devices to the internet. If such devices must be used, they should be isolated from the rest of the network to prevent lateral movement in case of a breach.

  2. Update Firmware and Apply Security Patches: Ensure that devices such as web cameras and DVRs are updated with the latest security patches. Devices that are no longer supported by the manufacturer should be replaced or disconnected from the network to prevent exploitation.

  3. Monitor for Suspicious Activity: Regularly monitor network traffic for any suspicious activity, including unauthorized attempts to access or control IoT devices.

  4. Report Indicators of Compromise (IOC): System administrators and cybersecurity professionals are urged to report any suspected incidents of compromise to the FBI's Internet Crime Complaint Center (IC3) or their local FBI field office. This helps track the spread of the malware and prevent further infections.

Impact of HiatusRAT and Broader Threat Landscape

Previous Attacks and Escalating Risk

This wave of HiatusRAT attacks is part of an ongoing series of cyber operations aimed at compromising IoT devices. Prior to this latest campaign, HiatusRAT was involved in several high-profile attacks, including:

  • A reconnaissance attack targeting a Department of Defense server.
  • Infections of over a hundred businesses in North America, Europe, and South America, where DrayTek Vigor VPN routers were compromised to create a covert proxy network.

These earlier campaigns highlight the evolving nature of HiatusRAT and its increasing focus on deploying additional payloads on infected devices, converting them into SOCKS5 proxies. This allows attackers to channel command-and-control (C2) server communication through compromised systems, making detection and mitigation more difficult.

Link to Chinese Strategic Interests

The FBI's analysis suggests that HiatusRAT's shifting targeting preferences and information-gathering activities align with Chinese strategic interests, as outlined in the 2023 Annual Threat Assessment by the Office of the Director of National Intelligence (ODNI). This suggests that HiatusRAT may be part of broader geopolitical efforts to gather intelligence and maintain a covert presence in the target countries.

Best Practices for Securing IoT Devices

1. Device Isolation and Segmentation

One of the most effective ways to defend against these attacks is to isolate IoT devices from other critical parts of the network. By placing vulnerable devices in a separate network segment with strict access controls, the potential for lateral movement and data exfiltration is reduced.
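As an added illustration of what "a separate network segment with strict access controls" means in practice (example code written for this article, not from the FBI notification or from any vendor), the following Python models a small first-match firewall policy and audits it for the two properties that matter here: no outside address may reach the camera segment on the probed ports, and the camera segment may not open connections into the corporate network. The subnets, the recorder host, the rule format and both rule sets are constructed; a real audit would load the rules from the firewall's own export.

```python
"""Audit a first-match firewall policy for camera/DVR segmentation.

Everything below (subnets, recorder host, rule format, both policies) is
constructed for this example and is not a real vendor configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Ports listed in the FBI notification for this campaign.
HIATUSRAT_PORTS = (23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575)

ANY = ip_network("0.0.0.0/0")
CAMERA_VLAN = ip_network("10.50.0.0/24")   # constructed: cameras and DVRs
CORP_VLAN = ip_network("10.20.0.0/16")     # constructed: workstations, servers
NVR_HOST = ip_network("10.50.1.10/32")     # constructed: recorder cameras stream to
INTERNET_PROBE = "203.0.113.7"             # constructed: stand-in for any outside address


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: tuple = ()       # empty tuple means any TCP port

    def matches(self, src, dst, port):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and (not self.ports or port in self.ports))


def evaluate(rules, src, dst, port):
    """First matching rule wins; a flow no rule matches is denied."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False


def audit(rules):
    """Return the list of segmentation violations in a policy: outside
    reaching the camera VLAN on a probed port, or the camera VLAN opening
    connections to the corporate VLAN (the lateral-movement path)."""
    violations = []
    camera_host = str(CAMERA_VLAN[21])   # any representative camera
    corp_host = str(CORP_VLAN[80])       # any representative corporate host
    for port in HIATUSRAT_PORTS:
        if evaluate(rules, INTERNET_PROBE, camera_host, port):
            violations.append(f"internet -> camera VLAN allowed on tcp/{port}")
    for port in (22, 443, 445, 3389):    # services lateral movement usually rides on
        if evaluate(rules, camera_host, corp_host, port):
            violations.append(f"camera VLAN -> corporate VLAN allowed on tcp/{port}")
    return violations


# Constructed "flat network" policy: cameras on the same footing as everything else.
WEAK_POLICY = [Rule("allow", ANY, ANY)]

# Constructed hardened policy: recorder and admin paths only, default deny.
HARDENED_POLICY = [
    Rule("allow", CAMERA_VLAN, NVR_HOST, (554,)),   # cameras stream to the recorder
    Rule("allow", CORP_VLAN, CAMERA_VLAN, (443,)),  # admins manage over HTTPS only
    Rule("deny", CAMERA_VLAN, ANY),                 # cameras initiate nothing else
    Rule("deny", ANY, CAMERA_VLAN),                 # nothing else reaches cameras
    Rule("allow", CORP_VLAN, ANY),                  # normal corporate egress
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = audit(policy)
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print("  " + v)
```

The hardened set places the two deny rules before the corporate egress rule, so the ordering itself is part of the control: moving `Rule("allow", CORP_VLAN, ANY)` above them would not reopen the camera VLAN to the internet, but a later careless `allow ANY ANY` would, and the audit catches exactly that.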

2. Disabling Unused Services

Telnet and HTTP services on IoT devices should be disabled if not required. If the services are necessary, they should be protected by strong authentication mechanisms and encrypted communications.

3. Multi-Factor Authentication (MFA)

Where possible, enable multi-factor authentication (MFA) for accessing web cameras, DVRs, and other IoT devices. This adds an additional layer of protection against brute-force attacks.

4. Regular Security Audits

Conduct regular security audits and vulnerability assessments to identify outdated firmware, exposed ports, and other weaknesses in IoT devices.

5. User Education

Ensure that all users of IoT devices are educated about the importance of strong passwords and security best practices. Default passwords should be changed immediately upon installation, and weak passwords should be avoided.