Webcams have been a key part of business and home offices everywhere, especially since the COVID pandemic hit. But they are often not high-quality products, particularly when used only sporadically, as many consumers and remote workers are content with a cheap one from China. This not only causes regular hardware problems, but it can also be a significant security problem.

The FBI warned on Dec. 16 that new HiatusRAT malware attacks are looking for vulnerable web cameras and DVRs accessible online. The criminals behind these remote access Trojan (RAT) attacks aim to infect the devices and use them, for example, to create backdoors into computers.

In its Private Industry Notification (PIN), the FBI explains that attackers are concentrating on specific devices from Chinese manufacturers. These often have gaps in security patches or have already reached the end of their lifespan. In preparation for possible attacks, HiatusRAT actors conducted a broad scanning campaign in March 2024. The targets were IoT devices in the US, Australia, Canada, New Zealand, and the UK, according to the FBI.

The threat actors scanned web cameras and DVRs for vulnerabilities such as

- CVE-2017-7921
- CVE-2018-9995
- CVE-2020-25078
- CVE-2021-33044
- CVE-2021-36260

They also targeted weak passwords preset by the manufacturer. A particular focus was on Hikvision and Xiongmai devices that have Telnet access. The criminals use the open-source tool Ingram to detect vulnerabilities in the web cameras. With Medusa, the attackers use another open-source tool to circumvent authentication.

The attacks targeted webcams and DVRs with TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 open for Internet access.

The campaign is the successor to two large-scale series of attacks: one that targeted a US Department of Defense server in 2023, as Bleeping Computer reported, and another that targeted more than a hundred companies in North America, Europe, and South America whose DrayTek Vigor VPN routers were infected with HiatusRAT to create a covert proxy network.
Mitigation: Restrict and isolate
The FBI advises users and companies to limit the use of the devices specified in the PIN or to isolate them from the rest of their network. This is the only way to prevent break-in attempts and the spread of malware after successful HiatusRAT attacks.

The US agency also urges system administrators and cybersecurity experts to report suspected indicators of compromise (IOCs) to the FBI's Internet Crime Complaint Center or the respective local FBI field offices.
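The scanning campaign above and the FBI's "restrict and isolate" advice both come down to one question a defender can check from firewall logs: are Internet sources reaching camera/DVR hosts on the ports the PIN lists? The following script is an added example, not code from the article or from the FBI; its log format, the 10.50.0.0/24 IoT VLAN and the sample lines are constructed assumptions. It flags external sources probing several of the listed ports (scan detection) and any accepted external connection into the IoT VLAN (an isolation failure).

```python
"""Detect HiatusRAT-style port probing and IoT isolation gaps in firewall logs.
Log format, IoT VLAN range and sample lines are constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# TCP ports named in the FBI PIN as open on the targeted webcams and DVRs.
HIATUSRAT_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Assumed: cameras/DVRs live on an isolated VLAN; these ranges count as "internal".
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log shape: "<timestamp> ACCEPT|DROP src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}

def find_scanners(lines, min_ports=2):
    """External sources that touched >= min_ports of the campaign ports on IoT hosts.
    Dropped packets count too: the probe itself is the signal. Returns {src: [ports]}."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if is_internal(rec["src"]) or rec["dst"] not in IOT_NET:
            continue
        if rec["dport"] in HIATUSRAT_PORTS:
            hits[str(rec["src"])].add(rec["dport"])
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_ports}

def find_exposures(lines):
    """Accepted connections from outside into the IoT VLAN on any port: each one
    means a device is Internet-reachable and the isolation the PIN recommends is broken."""
    return [(str(r["src"]), str(r["dst"]), r["dport"]) for r in filter(None, map(parse_line, lines))
            if r["action"] == "ACCEPT" and not is_internal(r["src"]) and r["dst"] in IOT_NET]

# Constructed sample log lines (documentation IP ranges used for "external" sources).
SAMPLE_LOGS = [
    "2024-03-02T10:00:01Z DROP src=203.0.113.7 dst=10.50.0.21 dport=23",
    "2024-03-02T10:00:02Z DROP src=203.0.113.7 dst=10.50.0.21 dport=2323",
    "2024-03-02T10:00:03Z ACCEPT src=203.0.113.7 dst=10.50.0.22 dport=554",
    "2024-03-02T10:00:04Z ACCEPT src=10.50.0.5 dst=10.50.0.21 dport=554",   # internal NVR, fine
    "2024-03-02T10:00:05Z DROP src=198.51.100.9 dst=10.50.0.21 dport=443",   # not a campaign port
    "2024-03-02T10:00:07Z ACCEPT src=192.0.2.44 dst=10.50.0.23 dport=9530",  # exposed, one port
    "malformed line that should be ignored",
]
```

Running `find_scanners(SAMPLE_LOGS)` reports 203.0.113.7 on ports 23, 554 and 2323, while `find_exposures(SAMPLE_LOGS)` lists the two accepted external connections that the isolation advice says should not exist.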
Rats are dragged into the light
Lumen, a US cybersecurity company, first discovered HiatusRAT in the summer of 2023. Its researchers found that it is malware that installs additional malware on infected devices. The hijacked devices are then converted into SOCKS5 proxies for communicating with command-and-control servers.

The malware's goals align with China's strategic interests in cyber espionage and data theft, according to the US Intelligence Community's 2023 threat assessment.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3626676/that-cheap-webcam-hiatusrat-may-be-targeting-it-fbi-warns.html