Full Report
The Federal Bureau of Investigation (FBI) published Tuesday a Private Industry Notification (PIN) to spotlight HiatusRAT scanning campaigns... The post FBI warns of HiatusRAT scanning campaigns targeting Chinese-made cameras and DVRs appeared first on Industrial Cyber.
Analysis Summary
# Tool/Technique: HiatusRAT
## Overview
HiatusRAT is a Remote Access Trojan (RAT) used by cybercriminals to remotely take over and control targeted devices. It has been observed in sophisticated campaigns primarily targeting edge networking devices, IoT devices (specifically web cameras and DVRs), and organizations aligned with the strategic interests of the People’s Republic of China.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Edge networking devices, web cameras and DVRs; samples recompiled for multiple CPU architectures indicate that a range of device operating systems is supported.
- Capabilities: Remote control, covert command and control (C2) operations, traffic collection, reconnaissance.
- First Seen: Likely active since July 2022.
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on RAT functionality and observed behavior (reconnaissance, C2 communication).*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0009 - Collection**
  - T1005 - Data from Local System (Inferred via remote control)
- **TA0008 - Lateral Movement**
  - T1570 - Lateral Tool Use (Potentially, if used to pivot)
## Functionality
### Core Capabilities
- Establishing covert command and control (C2) networks using compromised edge routers.
- Remotely controlling targeted devices to execute commands and harvest data.
- Conducting broad scanning campaigns against specific IoT devices (web cameras and DVRs).
### Advanced Features
- Malware samples were recompiled for different architectures, indicating flexibility and persistence.
- The actor incorporated previously identified C2 infrastructure into new deployments on purchased Virtual Private Servers (VPS) for continued operations.
- Used to conduct sophisticated reconnaissance against sensitive targets, including U.S. military procurement systems.
## Indicators of Compromise
- File Hashes: [None explicitly listed in the text]
- File Names: [None explicitly listed in the text]
- Registry Keys: [None explicitly listed in the text]
- Network Indicators: Actors used C2 servers incorporated into VPS nodes. No specific C2 domains or IPs are given in this summary.
- Behavioral Indicators: Scanning activity targeting IoT devices using specific vulnerabilities (CVEs) and open ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.
## Associated Threat Actors
- PRC-linked cyber actors (as mentioned in NSA/FBI advisories regarding similar botnet activities).
- Threat actors exhibiting targeting patterns aligning with the strategic interests of the People’s Republic of China.
## Detection Methods
- **Signature-based detection:** Monitoring for known HiatusRAT payloads (if hashes become available).
- **Behavioral detection:** Detecting unusual network traffic patterns consistent with remote RAT control, especially over non-standard ports. Monitoring for exploitation attempts related to targeted CVEs on network devices.
- **YARA rules:** [Not explicitly available in the text but standard practice for malware detection.]
## Mitigation Strategies
- Immediately replace vulnerable surveillance systems where vendors have no security updates (e.g., in the case of CVE-2018-9995).
- Download and apply patches/firmware updates from vendors (Dahua, Hikvision) for mitigated CVEs.
- Remove end-of-life/unsupported devices from the network.
- Enforce a strong password policy, change all default credentials, and avoid password reuse.
- Implement Multi-Factor Authentication (MFA) where possible.
- Deploy security monitoring tools to log network traffic, establish baseline activity, and detect abnormal behavior, including lateral movement.
- Monitor remote access/RDP logs, disable unused remote access ports, and implement whitelisting for approved applications.
- Configure access controls based on the principle of least privilege.
## Related Tools/Techniques
- **Ingram:** A webcam-scanning tool available on GitHub, reportedly used by actors involved in the HiatusRAT scanning campaign.
- **Medusa:** An open-source brute-force authentication cracking tool used against Hikvision cameras with telnet access.
- **Volt Typhoon:** A separate threat actor group mentioned in the same context, which targeted DrayTek devices around the same time.
---
# Tool/Technique: Ingram (Webcam Scanner)
## Overview
Ingram is a tool observed in use by threat actors associated with the HiatusRAT campaign. It is described as a webcam-scanning tool readily available on GitHub.
## Technical Details
- Type: Attack Tool (Scanner)
- Platform: Unknown (Likely Linux/Windows, based on its availability on GitHub)
- Capabilities: Scanning web cameras and DVRs for vulnerabilities.
- First Seen: Used in campaigns observed leading up to March 2024.
## MITRE ATT&CK Mapping
- **TA0007 - Discovery**
  - T1595 - Active Scanning
    - T1595.002 - Internet Service Scanning
## Functionality
### Core Capabilities
- Conducting broad network scanning operations focused specifically on IoT devices like web cameras and DVRs.
### Advanced Features
- Used in conjunction with known exploit targets and brute-force tools (like Medusa) to identify and exploit vulnerable devices.
## Indicators of Compromise
- File Hashes: [Not available]
- File Names: [Not available]
- Registry Keys: [Not applicable]
- Network Indicators: Scans conducted on ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.
- Behavioral Indicators: Scanning activity aimed at identifying exploitable vulnerabilities (CVE-2017-7921, CVE-2018-9995, etc.) on IoT firmware.
## Associated Threat Actors
- Threat actors using HiatusRAT.
## Detection Methods
- Detection of the Ingram tool binary on compromised systems.
- Monitoring network traffic for connection attempts to the targeted IoT ports listed above, especially in rapid, iterative scanning patterns.
- [Signatures/YARA rules potentially available based on public GitHub presence.]
## Mitigation Strategies
- Patch or replace devices vulnerable to the listed CVEs.
- Segment IoT devices from critical infrastructure on the network.
- Implement firewall rules to restrict external scanning access to sensitive ports.
## Related Tools/Techniques
- HiatusRAT
- Medusa
---
# Tool/Technique: Medusa (Brute-Force Tool)
## Overview
Medusa is an open-source tool designed for brute-force authentication cracking. It was observed being used by threat actors to target Hikvision cameras that utilized Telnet access.
## Technical Details
- Type: Attack Tool (Authentication Cracking)
- Platform: Unknown (Open-source suggests cross-platform compatibility, used against network devices)
- Capabilities: Brute-forcing authentication credentials.
- First Seen: Used in campaigns leading up to March 2024.
## MITRE ATT&CK Mapping
- **TA0002 - Credential Access**
  - T1110 - Brute Force
    - T1110.001 - Password Guessing
## Functionality
### Core Capabilities
- Rapidly attempting combinations of usernames and passwords against network service logins (like Telnet).
### Advanced Features
- Leveraging known weak or default vendor-supplied passwords, often correlated with initial scanning findings.
## Indicators of Compromise
- File Hashes: [Not available]
- File Names: [Not available]
- Registry Keys: [Not applicable]
- Network Indicators: Failed login attempts against service ports, particularly Telnet (TCP 23).
- Behavioral Indicators: High volume of consecutive failed login attempts against SSH or Telnet ports on network camera/DVR systems.
## Associated Threat Actors
- Threat actors using HiatusRAT.
## Detection Methods
- Monitoring for high volumes of failed login attempts on administrative services (Telnet, SSH).
- Implementing account lockout policies after a defined number of failed attempts.
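The two detection methods described in this summary, rapid scanning of the listed camera/DVR ports (Ingram section) and bursts of failed Telnet/SSH logins (this section), as one added Python example that is not code from the FBI notification or the article; the log line format, the thresholds and the sample log are constructed assumptions:

```python
"""Detection logic for the two behaviours the summary describes: rapid scanning
of the listed camera/DVR ports and bursts of failed Telnet/SSH logins.
Added example; the log format, thresholds and SAMPLE_LOG are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
# Ports the summary names as targeted by the HiatusRAT scanning campaign
TARGETED_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
WINDOW = timedelta(seconds=60)  # assumed sliding window for both rules
SCAN_MIN_PORTS = 3              # distinct targeted ports from one source
BRUTE_MIN_FAILURES = 4          # failed Telnet/SSH logins from one source

def parse(line):
    """Split a constructed 'ts src dst dport event' log line into fields."""
    ts, src, dst, dport, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), event

def peak_in_window(events, measure):
    """Largest measure(span) over spans of (ts, ...) tuples that fit in WINDOW."""
    events.sort()
    best = start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        best = max(best, measure(events[start:end + 1]))
    return best

def detect(lines):
    """Return {'scan': [...], 'brute': [...]}: source IPs to alert on."""
    conn, fails = defaultdict(list), defaultdict(list)
    for ts, src, dst, dport, event in map(parse, lines):
        if event == "connect" and dport in TARGETED_PORTS:
            conn[src].append((ts, dport))        # scan candidates
        elif event == "login_failed" and dport in (22, 23):
            fails[src].append((ts, dst))         # brute-force candidates
    ports_hit = lambda span: len({p for _, p in span})
    scan = [s for s, ev in conn.items() if peak_in_window(ev, ports_hit) >= SCAN_MIN_PORTS]
    brute = [s for s, ev in fails.items() if peak_in_window(ev, len) >= BRUTE_MIN_FAILURES]
    return {"scan": sorted(scan), "brute": sorted(brute)}

# Constructed sample: one scanner, one brute-forcer, one benign client
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.5 192.0.2.10 23 connect
2024-03-01T10:00:01Z 203.0.113.5 192.0.2.10 554 connect
2024-03-01T10:00:02Z 203.0.113.5 192.0.2.11 2323 connect
2024-03-01T10:05:00Z 198.51.100.7 192.0.2.10 23 login_failed
2024-03-01T10:05:01Z 198.51.100.7 192.0.2.10 23 login_failed
2024-03-01T10:05:02Z 198.51.100.7 192.0.2.10 23 login_failed
2024-03-01T10:05:03Z 198.51.100.7 192.0.2.10 23 login_failed
2024-03-01T11:00:00Z 192.0.2.50 192.0.2.10 8080 connect
""".splitlines()
```

Running `detect(SAMPLE_LOG)` flags 203.0.113.5 as a scanner and 198.51.100.7 as a brute-forcer while the single benign connection stays below both thresholds; the sliding window is what separates a burst from the same activity spread over hours.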
## Mitigation Strategies
- Disable Telnet services if possible.
- Immediately change all default/weak vendor-supplied passwords.
- Enforce complex password policies and avoid password reuse.
## Related Tools/Techniques
- HiatusRAT
- Ingram