The Federal Bureau of Investigation (FBI) has issued a critical security advisory regarding an emerging threat from HiatusRAT malware, which has expanded its targeting scope to include vulnerable internet-exposed security cameras and Digital Video Recorders (DVRs). This significant development represents a concerning evolution in IoT-focused cyber attacks, potentially affecting both enterprise and consumer security systems.
Understanding HiatusRAT’s Evolution and Capabilities
Initially discovered by Lumen researchers in 2023, HiatusRAT has undergone substantial evolution from its original focus on DrayTek Vigor routers. The malware’s sophisticated capabilities now include deploying additional malicious payloads and establishing SOCKS5 proxy servers on compromised devices, creating a robust infrastructure for command-and-control (C2) communications.
Strategic Targeting and Geographic Focus
As of March 2024, HiatusRAT operators have launched an extensive IoT device scanning campaign targeting five English-speaking nations: the United States, Australia, Canada, New Zealand, and the United Kingdom. The campaign specifically focuses on devices manufactured by Hikvision and Xiongmai, particularly those with exposed telnet access, demonstrating a strategic approach to vulnerability exploitation.
Critical Vulnerabilities Under Exploitation
The threat actors are actively exploiting multiple critical vulnerabilities, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. Of particular concern is CVE-2018-9995, which affects a broad range of surveillance equipment brands utilizing TBK technology, including CeNova, Night OWL, and QSee devices.
Technical Attack Vector Analysis
The attackers employ a sophisticated technical approach, utilizing open-source tools such as Ingram for camera vulnerability scanning and Medusa for password brute-forcing. Their operations target specific TCP ports (23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575), indicating a well-planned and systematic attack methodology.
To mitigate risks associated with HiatusRAT infections, security professionals should implement immediate protective measures, including network segmentation, regular firmware updates, and strong password policies. The FBI strongly recommends isolating vulnerable IoT devices from primary networks and implementing strict access controls to prevent lateral movement within compromised networks. Organizations should also conduct regular security audits and maintain comprehensive asset inventories to identify and protect vulnerable devices before they can be exploited.
