The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight HiatusRAT scanning campaigns against Chinese-branded web cameras and DVRs.
Private sector partners are encouraged to implement the recommendations listed in the “Mitigation” column of the table below to reduce the likelihood and impact of these attack campaigns.
HiatusRAT is a Remote Access Trojan (RAT) whose latest iteration has likely been employed since July 2022. Malicious cyber actors commonly use RATs to take over and control a targeted device from a distance. The Hiatus campaign originally targeted outdated network edge devices.
Cybersecurity companies have also observed these actors using the malware to target a range of Taiwan-based organizations and to carry out reconnaissance against a U.S. government server used for submitting and retrieving defense contract proposals.
In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom.
The actors scanned web cameras and DVRs for vulnerabilities, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords.
Many of these vulnerabilities have not yet been mitigated by the vendors. In particular, the actors targeted Xiongmai and Hikvision devices with telnet access. They used Ingram, a webcam-scanning tool available on GitHub, to conduct scanning activity, and Medusa, an open-source brute-force authentication cracking tool, to target Hikvision cameras with telnet access.
Targeted TCP ports have included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575. The actors have demonstrated interest in several CVEs, likely in furtherance of cyber exploitation efforts.
The FBI recommends limiting the use of the devices mentioned in this PIN and/or isolating them from the rest of your network. Companies should also regularly monitor networks and employ best practices for cybersecurity, including the following:
▪ Review or establish security policies, user agreements, and patching plans to address threats posed by these and other malicious cyber actors.
▪ Patch and update operating systems, software, and firmware as soon as manufacturer updates are available. If devices are no longer supported by the manufacturer, consider removing them from your network.
▪ Regularly change network system and account passwords, and avoid re-using passwords for multiple accounts. Avoid using default passwords for these devices and/or weak passwords.
▪ Enforce a strong password policy, such as requiring strong and unique passwords for all password-protected accounts, changing default usernames and passwords, employing lock-out rules for failed login attempts, restricting the reuse of passwords, and requiring the secure storage of passwords.
▪ Require multi-factor authentication wherever possible.
▪ Implement security monitoring tools that log network traffic to establish baseline activity, and that enable detecting and addressing abnormal network activity, including lateral movement on a network.
▪ Capture and monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.
▪ Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
▪ Capture and regularly audit administrative user accounts and configure access controls under the concept of least privilege. Account privileges should be clearly defined and regularly reviewed and adjusted as necessary.
▪ Capture and regularly audit logs to ensure new accounts are legitimate users and to baseline legitimate user activity.
▪ Scan the network for open and listening ports, and remediate those that are unnecessary.
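As an added illustration of the network-monitoring recommendation above (example code, not part of the FBI notification), the following script flags source addresses that probe several of the TCP ports listed in this PIN across one or more internal hosts, the pattern a scanning campaign leaves in perimeter logs. The log line format and the sample entries are constructed for the example and do not correspond to any vendor's log format.

```python
"""Flag sources that probe the TCP ports named in the HiatusRAT PIN."""
from collections import defaultdict

# TCP ports the PIN lists as targeted by the scanning campaign.
HIATUS_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Constructed sample firewall lines: "timestamp src dst dport action".
# This format is an assumption for the example, not a real product's format.
SAMPLE_LOGS = """\
2024-03-04T10:00:01Z 203.0.113.7 192.0.2.10 23 DENY
2024-03-04T10:00:02Z 203.0.113.7 192.0.2.10 2323 DENY
2024-03-04T10:00:03Z 203.0.113.7 192.0.2.11 554 DENY
2024-03-04T10:00:04Z 203.0.113.7 192.0.2.11 8080 ALLOW
2024-03-04T10:00:05Z 198.51.100.5 192.0.2.10 443 ALLOW
2024-03-04T10:00:06Z 198.51.100.5 192.0.2.10 23 ALLOW
2024-03-04T10:00:07Z 203.0.113.7 192.0.2.12 9530 DENY
"""


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_scanners(log_text, min_ports=3):
    """Return {src: {"ports": [...], "hosts": n}} for each source that touched
    at least min_ports distinct PIN-listed ports; n is the count of distinct
    internal hosts it probed. Sources below the threshold are dropped."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in HIATUS_PORTS:
            ports[src].add(dport)
            hosts[src].add(dst)
    return {src: {"ports": sorted(p), "hosts": len(hosts[src])}
            for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOGS).items():
        print(f"{src} probed PIN-listed ports {info['ports']} on {info['hosts']} hosts")
```

A single connection to port 23 (as from 198.51.100.5) stays below the threshold, so the logic surfaces the breadth of the probe rather than any one hit.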