Full Report
The FBI has issued a warning about the Hiatus RAT malware targeting Xiongmai and Hikvision web cameras and DVRs, urging users to isolate these devices from their networks.
Analysis Summary
# Incident Report: HiatusRAT Campaign Targeting IoT Devices
## Executive Summary
The FBI has issued a warning regarding an ongoing campaign utilizing the Hiatus Remote Access Trojan (RAT) to target vulnerable Internet of Things (IoT) devices, specifically Chinese-branded webcams and DVRs (notably Xiongmai and Hikvision). The primary attack vector involves exploiting known CVEs and weak vendor-supplied default passwords accessible via telnet. The scope includes victims across the US, Australia, Canada, New Zealand, and the UK, with observations of preceding reconnaissance against Taiwanese organizations and a US defense contract server. Response primarily involves vendor-agnostic strengthening of IoT security policies and device replacement for unsupported hardware.
## Incident Details
- Discovery Date: March 2024 (Start date of the latest scanning campaign mentioned)
- Incident Date: HiatusRAT has been in use since 2022; active targeting noted around March 2024.
- Affected Organization: Generic Chinese-branded web cameras and DVRs (Xiongmai, Hikvision specifically named). Reconnaissance observed against a US government server for defense contracts.
- Sector: Broadly affects any sector utilizing vulnerable IoT devices (e.g., Surveillance, Government Contractors).
- Geography: US, Australia, Canada, New Zealand, UK, and Taiwan (organizations targeted for reconnaissance).
## Timeline of Events
### Initial Access
- Date/Time: Campaign initiated scanning in March 2024 (for the latest iteration).
- Vector: Exploitation of known vulnerabilities and default vendor credentials on publicly accessible network edge IoT devices.
- Details: Scanned for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. Also exploited weak vendor-supplied passwords.
### Lateral Movement
- Not explicitly detailed in the notification; RATs are commonly used for remote takeover and control, which implies post-exploitation access and the potential for movement into the internal network if the devices are not isolated.
### Data Exfiltration/Impact
- Impact is centered around remote takeover and control of the targeted camera/DVR systems via HiatusRAT. Specific data exfiltration details are not provided, but the objective of a RAT is usually persistent remote command execution and espionage.
### Detection & Response
- Detection: Identified via FBI Private Industry Notification based on observed scanning campaigns and ongoing malware activity.
- Response actions taken: FBI urged limiting the use of targeted devices and immediate isolation from corporate networks.
## Attack Methodology
- Initial Access: Vulnerability exploitation (the CVEs listed above) and credential stuffing/brute force against telnet access (using the Medusa tool).
- Persistence: Deployment of HiatusRAT (mechanism implied by RAT functionality).
- Privilege Escalation: Not explicitly stated, but elevated access is assumed to be necessary for full RAT functionality on the device.
- Defense Evasion: Not detailed, but modern RATs generally possess mechanisms to remain undetected on compromised hosts.
- Credential Access: Implied via brute-forcing weak vendor passwords against telnet services.
- Discovery: Reconnaissance performed using the Ingram webcam-scanning tool.
- Lateral Movement: Not specifically detailed, but the original Hiatus campaign targeted outdated network edge devices.
- Collection: Deployment of HiatusRAT allows for remote command/control, facilitating collection.
- Exfiltration: Not detailed, typical of a RAT deployment focused on gaining control.
- Impact: Remote device takeover and control.
## Impact Assessment
- Financial: Not available.
- Data Breach: Potential exposure of video feeds and data stored on DVRs; threat actors gained remote control over surveillance infrastructure.
- Operational: Risk of surveillance disruption or misuse of devices for further attack.
- Reputational: High risk, especially for manufacturers (Xiongmai, Hikvision) and organizations caught using unsupported/vulnerable equipment.
## Indicators of Compromise
- Network indicators: (No defanged IPs/URLs provided in the article, but scanning involved targeting webcams/DVRs accessible over the internet.)
- File indicators: HiatusRAT malware artifacts.
- Behavioral indicators: Network scanning activity using Ingram or brute-force login attempts (using Medusa against telnet).
## Response Actions
- Containment measures: FBI urged organizations to isolate vulnerable IoT devices from networks.
- Eradication steps: Not explicitly detailed, but replacement is recommended if patches are unavailable.
- Recovery actions: Consider replacing unsupported systems with actively supported models.
## Lessons Learned
- Key takeaways: Unpatched, end-of-life IoT devices (like older webcams/DVRs) remain a significant, persistent threat vector, often accessible via default or weak credentials.
- What could have been done better: Manufacturers need to rapidly provide patches for critical/known vulnerabilities (several listed are years old); users must stop relying on unsupported hardware.
## Recommendations
- Review or establish strong security policies, user agreements, and patching plans for all network assets.
- Immediately patch and update operating systems, software, and firmware when manufacturer updates are available.
- Immediately remove devices from the network if they are no longer supported by the manufacturer.
- Regularly change default/weak system and account passwords, and enforce Multifactor Authentication (MFA) where available.
- Implement robust network security monitoring tools that log and analyze traffic, especially to and from IoT devices.
- Ensure antivirus/anti-malware solutions are automatically updated and run regular scans.
- Create and test offline backups of critical assets.
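The two behavioural indicators named above (telnet brute-force/scanning against cameras and DVRs, and a RAT-controlled device initiating its own outbound connections) are the kind of thing the recommended network monitoring should surface. The following is an added example, not part of the FBI notification or of this report: two small detections run over constructed flow-log records for a hypothetical camera/DVR segment. The log format, the `192.0.2.0/24` camera VLAN, the NVR address, the thresholds and every sample line are assumptions chosen for illustration.

```python
"""Detections over constructed flow-log records for a camera/DVR segment (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records in a hypothetical format: ts src dst dport proto state
# "S0" = attempt with no reply, "SF" = completed session (Zeek-style state labels).
SAMPLE_LOG = """\
2024-03-04T10:00:01Z 203.0.113.7 192.0.2.10 23 tcp S0
2024-03-04T10:00:02Z 203.0.113.7 192.0.2.11 23 tcp S0
2024-03-04T10:00:02Z 203.0.113.7 192.0.2.12 23 tcp SF
2024-03-04T10:00:03Z 203.0.113.7 192.0.2.13 23 tcp S0
2024-03-04T10:00:04Z 203.0.113.7 192.0.2.14 23 tcp S0
2024-03-04T10:00:05Z 203.0.113.7 192.0.2.15 23 tcp S0
2024-03-04T10:05:00Z 198.51.100.3 192.0.2.10 443 tcp SF
2024-03-04T10:06:00Z 192.0.2.12 198.51.100.200 8080 tcp SF
2024-03-04T10:07:00Z 192.0.2.12 192.0.2.2 554 tcp SF
2024-03-04T10:08:00Z 192.0.2.11 192.0.2.2 554 tcp SF
"""

CAMERA_SEGMENT = ip_network("192.0.2.0/24")   # assumed camera/DVR VLAN
NVR_ADDRESS = ip_address("192.0.2.2")         # assumed recorder the cameras may legitimately reach
TELNET_PORT = 23


def parse_line(line):
    """Split one constructed record into typed fields."""
    ts, src, dst, dport, proto, state = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "dport": int(dport),
        "proto": proto,
        "state": state,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_telnet_sweeps(records, min_targets=5, window_seconds=60):
    """Flag sources that touch telnet on >= min_targets distinct segment hosts within a window.

    Returns {source_ip: distinct_targets_in_window} for every flagged source.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == TELNET_PORT and r["dst"] in CAMERA_SEGMENT:
            by_src[r["src"]].append(r)

    findings = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda r: r["ts"])
        start = 0
        # Sliding window over the time-ordered attempts from this source.
        for end in range(len(hits)):
            while (hits[end]["ts"] - hits[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            targets = {r["dst"] for r in hits[start:end + 1]}
            if len(targets) >= min_targets:
                findings[str(src)] = len(targets)
                break
    return findings


def detect_unexpected_outbound(records):
    """Flag camera-segment devices that complete connections to anything other than the NVR.

    A camera that starts talking to an arbitrary external host is consistent with
    remote-control malware such as a RAT phoning home. Returns {device_ip: [destinations]}.
    """
    findings = defaultdict(set)
    for r in records:
        if r["src"] in CAMERA_SEGMENT and r["dst"] != NVR_ADDRESS and r["state"] == "SF":
            findings[str(r["src"])].add(str(r["dst"]))
    return {device: sorted(dsts) for device, dsts in findings.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("telnet sweeps:", detect_telnet_sweeps(recs))
    print("unexpected outbound:", detect_unexpected_outbound(recs))
```

On the constructed sample, the sweep detector reports the external source that probed telnet on six cameras within a few seconds, and the outbound detector reports the one camera that completed a session to a host other than the recorder. In a real deployment the allow-list would come from the device inventory rather than a single NVR address, and the thresholds should be tuned against a baseline of normal management traffic so that a scheduled firmware check does not trip the sweep rule.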