FBI: How to stop HiatusRAT nibbling at your China-branded web cameras

Does the scanning campaign launched against vulnerable cameras bear the fingerprints of the Chinese state?


The US Federal Bureau of Investigation (FBI) has issued an urgent warning about a "scanning campaign" targeting Chinese-branded web cameras.

Shadowy and unidentified threat actors have been leveraging a Remote Access Trojan (RAT) called HiatusRAT to seize control of cameras and digital video recorders (DVRs), the agency warned.

"Malicious cyber actors commonly use RATs to take over and control a targeted device from a distance," it wrote.

HiatusRAT was initially used to target outdated network edge devices. Cybersecurity firms have also observed this malware being used to target organisations in Taiwan and conduct reconnaissance on a US government server used for submitting and retrieving defence contract proposals.

The FBI did not reveal whether the RAT was directly linked to the Chinese state - which does not exactly seem like a remote possibility.

After all, if you were a nation looking to spy on an opponent, wouldn't you flood its market with cheap cameras and then give yourself a little keyhole to peep through?

However, attribution remains unconfirmed so please treat that as conjecture.

In an announcement coordinated with DHS and CISA, the agency issued a Private Industry Notification to help cyber security professionals and system administrators "guard against the persistent malicious actions of cyber actors".

In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom.

They targeted the unpatched vulnerabilities listed below, as well as weak vendor-supplied passwords.

CVE-2017-7921: An improper authentication issue in security cameras and other devices from Hikvision. It occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.

CVE-2018-9995: A flaw in the TBK DVR4104 and DVR4216 digital video cameras, as well as rebranded versions from Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login and MDVR Login. It could allow remote attackers to bypass authentication.

CVE-2020-25078: An issue was discovered on D-Link DCS-2530L camera before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.

CVE-2021-33044: Identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-36260: A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

Mitigating HiatusRAT

The FBI gave the following guidance.

  • Review or establish security policies, user agreements, and patching plans to address threats posed by these and other malicious cyber actors.
  • Patch and update operating systems, software, and firmware as soon as manufacturer updates are available. If devices are no longer supported by the manufacturer, consider removing them from your network.
  • Regularly change network system and account passwords, and avoid re-using passwords for multiple accounts. Avoid using default passwords for these devices and/or weak passwords.
  • Enforce a strong password policy, such as requiring strong and unique passwords for all password-protected accounts, changing default usernames and passwords, employing lock-out rules for failed login attempts, restricting the reuse of passwords, and requiring the secure storage of passwords.
  • Require multi-factor authentication wherever possible.
  • Implement security monitoring tools that log network traffic to establish baseline activity, and that enable detecting and addressing abnormal network activity, including lateral movement on a network.
  • Capture and monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.
  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Capture and regularly audit administrative user accounts and configure access controls under the concept of least privilege. Account privileges should be clearly defined and regularly reviewed and adjusted as necessary.
  • Capture and regularly audit logs to ensure new accounts are legitimate users and to baseline legitimate user activity.
  • Scan networks for open and listening ports, and mediate those that are unnecessary.
  • Identify and create offline backups for critical assets.
  • Implement network segmentation wherever possible. If physical network segmentation cannot be accomplished, consider logical segmentation.
  • Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.
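The monitoring and lock-out bullets above are easier to act on with a concrete baseline check. The following is an added example written for this article, not code from the FBI notification or from any vendor: it parses a small set of constructed camera/DVR access-log lines (a simplified one-line-per-request format assumed for illustration) and flags two patterns that match the campaign described: one source touching many distinct devices in a short window (horizontal scanning), and repeated failed logins against one device followed by a success (a likely credential guess that a lock-out rule would have stopped). The log format, thresholds and IP addresses are all assumptions.

```python
"""Baseline detection over constructed camera/DVR access logs.
Added example for this article; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip> <METHOD> <path> <status>"
SAMPLE_LOG = """\
2024-03-02T10:00:01Z 203.0.113.7 -> 10.0.5.11 GET /login 401
2024-03-02T10:00:02Z 203.0.113.7 -> 10.0.5.12 GET /login 401
2024-03-02T10:00:02Z 203.0.113.7 -> 10.0.5.13 GET /login 401
2024-03-02T10:00:03Z 203.0.113.7 -> 10.0.5.14 GET /login 401
2024-03-02T10:00:03Z 203.0.113.7 -> 10.0.5.15 GET /login 401
2024-03-02T10:00:04Z 203.0.113.7 -> 10.0.5.16 GET /login 401
2024-03-02T10:00:10Z 10.0.1.20 -> 10.0.5.11 POST /login 401
2024-03-02T10:00:15Z 10.0.1.20 -> 10.0.5.11 POST /login 401
2024-03-02T10:00:20Z 10.0.1.20 -> 10.0.5.11 POST /login 401
2024-03-02T10:00:25Z 10.0.1.20 -> 10.0.5.11 POST /login 401
2024-03-02T10:00:30Z 10.0.1.20 -> 10.0.5.11 POST /login 401
2024-03-02T10:00:35Z 10.0.1.20 -> 10.0.5.11 POST /login 200
2024-03-02T10:05:00Z 10.0.1.50 -> 10.0.5.11 POST /login 200
2024-03-02T10:05:03Z 10.0.1.50 -> 10.0.5.11 GET /live 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def detect_horizontal_scan(events, min_targets=5, window=timedelta(minutes=1)):
    """Sources that reach >= min_targets distinct devices inside one sliding window.
    Returns {src_ip: distinct_target_count} for the first window that trips."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def detect_login_failures(events, max_failures=5, window=timedelta(minutes=1)):
    """(src, dst) pairs with >= max_failures 401s on /login inside one window.
    Also records whether a 200 followed the failures: the case a lock-out
    rule (see the guidance above) is meant to prevent."""
    by_pair = defaultdict(list)
    for e in events:
        if e["path"] == "/login":
            by_pair[(e["src"], e["dst"])].append(e)
    flagged = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["status"] == 401]
        for i in range(len(fails)):
            run = [e for e in fails[i:] if e["ts"] - fails[i]["ts"] <= window]
            if len(run) >= max_failures:
                last_fail = run[-1]["ts"]
                success_after = any(
                    e["status"] == 200 and e["ts"] > last_fail for e in evs
                )
                flagged[pair] = {"failures": len(run), "success_after": success_after}
                break
    return flagged


def run(text=SAMPLE_LOG):
    """Run both detectors over a log and return their findings together."""
    events = parse_log(text)
    return {
        "scanners": detect_horizontal_scan(events),
        "bruteforce": detect_login_failures(events),
    }


if __name__ == "__main__":
    for kind, findings in run().items():
        print(kind, findings)
```

On the sample, the external address is flagged for touching six devices in under a minute, and the internal pair 10.0.1.20 to 10.0.5.11 is flagged for five failures followed by a success; the single clean login from 10.0.1.50 is not. In a real deployment the thresholds should be set from the baseline the FBI guidance asks you to establish, and the same logic applies to syslog or reverse-proxy logs once the regular expression is adjusted to that format.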
