The FBI has issued a warning regarding a new surge of HiatusRAT malware activity targeting internet-connected surveillance cameras and DVRs from Chinese brands. The alert, shared through a Private Industry Notification, outlines ongoing scanning campaigns that exploit vulnerabilities in these devices.

Emergence and Persistence

HiatusRAT, which has been active since July 2022, gained traction following its identification by Lumen Black Lotus Labs in March 2023. The campaign targeted over 100 edge networking devices worldwide, using compromised routers to gather data and establish covert command-and-control (C2) operations.

Strategic Targeting

As of June 2023, the threat actors expanded their focus, including reconnaissance on a U.S. military procurement system and attacks on organizations in Taiwan. These actions likely reflect strategic interests identified in the 2023 ODNI threat assessment related to the People's Republic of China.

Technical Deployment

Attackers utilized newly compiled malware hosted on virtual private servers (VPSs). Specific VPSs were designated for targeting Taiwanese entities and U.S. military servers involved in defense contracts, underscoring an effort to collect sensitive military information.

Recent Developments

By March 2024, the campaign widened to include IoT devices across the US, Australia, Canada, New Zealand, and the UK. Exploit attempts concentrated on DVR vulnerabilities (CVE-2017-7921, CVE-2018-9995, among others) and weak default passwords. Attacks also hit unpatched Xiongmai and Hikvision devices, with the actors using tools such as Ingram and Medusa for network scanning and brute-force attacks.

The FBI emphasizes several mitigation strategies:

Restrict or isolate susceptible devices.

Enhance network monitoring and adhere to cybersecurity best practices.

Implement patches promptly, utilize strong, unique passwords, and activate multi-factor authentication.
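The "enhance network monitoring" and "strong, unique passwords" points above are easier to act on with a concrete detection in hand. The following is an added example, not code from the FBI notification or from this article: it reads authentication log lines from a camera or DVR web interface, counts failed logins per source address in a sliding window to flag a brute-force burst (the pattern a tool like Medusa produces), and separately flags a success that follows such a burst, which is what a guessed default password looks like in the logs. The log line format and the sample lines are constructed for this example; the regex is an assumption and must be adapted to the real device's format.

```python
"""
Added example: brute-force burst detector for camera/DVR login logs.
The "timestamp src=IP user=NAME result=STATUS" format and the sample
lines are constructed for this example, not taken from any real device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers the login endpoint and then
# succeeds; a second source has a single failure followed by a success.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=203.0.113.7 user=admin result=fail
2024-03-01T10:00:02 src=203.0.113.7 user=admin result=fail
2024-03-01T10:00:02 src=203.0.113.7 user=root result=fail
2024-03-01T10:00:03 src=203.0.113.7 user=admin result=fail
2024-03-01T10:00:04 src=203.0.113.7 user=user result=fail
2024-03-01T10:00:05 src=203.0.113.7 user=admin result=success
2024-03-01T10:05:00 src=198.51.100.2 user=operator result=fail
2024-03-01T10:30:00 src=198.51.100.2 user=operator result=success
"""

# Assumed log shape; adjust this regex for the device's actual format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {src: [alerts]}.

    A ("burst", ts, count) alert fires the first time `threshold` failures
    from one source fall inside `window`. A ("success_after_burst", ts, user)
    alert fires when that same source later logs in successfully, which is
    the signature of a weak or default password being found.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    burst_seen = set()             # sources that already triggered a burst
    alerts = defaultdict(list)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["result"] == "fail":
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in burst_seen:
                burst_seen.add(ev["src"])
                alerts[ev["src"]].append(("burst", ev["ts"], len(q)))
        elif ev["result"] == "success" and ev["src"] in burst_seen:
            alerts[ev["src"]].append(("success_after_burst", ev["ts"], ev["user"]))
    return dict(alerts)


if __name__ == "__main__":
    for src, found in detect_bruteforce(SAMPLE_LOG).items():
        for alert in found:
            print(src, *alert)
```

The window and threshold are deliberately conservative; a device whose login endpoint is reachable from the internet should see almost no failed logins at all, so even a low threshold is informative. The second alert type is the one worth paging on: a burst alone says someone is scanning, a success after a burst says the device's password held up no better than a default.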

The FBI urges organizations and individuals to report suspected compromises to its offices or through the Internet Crime Complaint Center (IC3). This advisory underscores the persistent evolution of cyber threats targeting critical infrastructure and emphasizes the need for proactive defensive measures.
