The Federal Bureau of Investigation (FBI) has issued a critical security advisory regarding HiatusRAT malware, which has expanded its targeting scope to include vulnerable internet-exposed security cameras and Digital Video Recorders (DVRs). The campaign specifically targets devices in five English-speaking countries, representing a significant escalation in IoT-focused cyber attacks affecting both enterprise and consumer security systems.
HiatusRAT Evolution and Capabilities
Initially discovered by Lumen researchers in 2023, HiatusRAT has undergone substantial evolution from its original focus on DrayTek Vigor routers. The malware’s capabilities now include deploying additional malicious payloads and establishing SOCKS5 proxy servers on compromised devices, creating a robust infrastructure for command-and-control (C2) communications. The FBI advisory, published via the Internet Crime Complaint Center (IC3), details the technical scope of the threat.
Strategic Targeting and Geographic Focus
As of March 2024, HiatusRAT operators had launched an extensive scanning campaign against IoT devices in the United States, Australia, Canada, New Zealand, and the United Kingdom. The campaign focuses on devices manufactured by Hikvision and Xiongmai, particularly those with telnet exposed to the internet.
Critical Vulnerabilities Under Exploitation
The threat actors are actively exploiting multiple critical vulnerabilities, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. Of particular concern is CVE-2018-9995, which affects a broad range of surveillance equipment brands utilizing TBK technology, including CeNova, Night OWL, and QSee devices.
Technical Attack Vector Analysis
The attackers utilize open-source tools such as Ingram for camera vulnerability scanning and Medusa for password brute-forcing. Operations target specific TCP ports (23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575), indicating a systematic attack methodology. Additional threat intelligence is tracked in the NVD entry for CVE-2021-36260, a critical Hikvision command injection flaw with a CVSS score of 9.8.
Who Is at Risk
The following device categories face the highest exposure to HiatusRAT attacks:
- Hikvision IP cameras running firmware versions prior to the 2021 security patch;
- Xiongmai-based DVRs and NVRs accessible via telnet on public IP addresses;
- Any surveillance device using TBK OEM hardware under brands CeNova, Night OWL, Pulsar, Roveri, or QSee;
- IoT devices with default credentials that have never been changed since installation;
- Systems in US, Australian, Canadian, New Zealand, and UK networks with ports 23, 554, or 8080 exposed to the internet.
Protective Measures and Recommended Actions
Security teams should take the following concrete steps immediately:
- Audit all internet-facing camera and DVR systems and disable telnet access (TCP 23 and 2323) at the firewall level;
- Apply the latest firmware updates for all Hikvision and Xiongmai devices — critical patches for the listed CVEs are available from vendor portals;
- Replace all default credentials with unique, complex passwords of at least 16 characters;
- Isolate surveillance systems on a dedicated VLAN with no direct route to corporate or home networks;
- Monitor outbound traffic from camera subnets for unexpected SOCKS5 proxy activity or connections to unknown external IPs.
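The audit and monitoring steps above can be reduced to a triage pass over flow logs from the camera VLAN. The following Python script is an added example, not code from the FBI advisory or from any vendor; it assumes a constructed flow-log format, a camera VLAN of 10.20.0.0/24 and an allow-list of known external endpoints, and it flags inbound connections on the advisory's listed ports, inbound SOCKS5 client greetings (the fingerprint of a device now serving as a proxy), and unexpected outbound connections from cameras.

```python
import ipaddress
import re

# TCP ports the FBI advisory lists as HiatusRAT scan targets.
HIATUSRAT_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}

# Constructed flow-log format (assumption, not a real product's format):
#   "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [payload=<hex of first bytes>]"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)(?:\s+payload=(?P<hex>[0-9a-fA-F]*))?$"
)

def looks_like_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly that many method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]

def triage_flows(lines, camera_net, allowed_external=()):
    """Return (kind, src, dst) alerts for flows crossing the camera VLAN boundary."""
    cam = ipaddress.ip_network(camera_net)
    allowed = {ipaddress.ip_address(a) for a in allowed_external}
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        sip, dip = ipaddress.ip_address(m["sip"]), ipaddress.ip_address(m["dip"])
        dport = int(m["dport"])
        payload = bytes.fromhex(m["hex"] or "")
        src, dst = f"{sip}:{m['sport']}", f"{dip}:{dport}"
        if dip in cam and sip not in cam:
            # Inbound from outside the VLAN: the advisory's ports are the scan surface.
            if looks_like_socks5_greeting(payload):
                alerts.append(("socks5_greeting_to_camera", src, dst))
            elif dport in TELNET_PORTS:
                alerts.append(("telnet_inbound", src, dst))
            elif dport in HIATUSRAT_PORTS:
                alerts.append(("hiatusrat_port_inbound", src, dst))
        elif sip in cam and dip not in cam and dip not in allowed:
            # Cameras should only reach known endpoints (NVR, NTP, vendor update host).
            alerts.append(("unexpected_outbound", src, dst))
    return alerts

SAMPLE_FLOWS = [  # constructed sample lines, not captured traffic
    "2024-03-05T10:00:01 203.0.113.5:51234 -> 10.20.0.12:23",
    "2024-03-05T10:00:02 203.0.113.5:51235 -> 10.20.0.12:554",
    "2024-03-05T10:00:03 198.51.100.7:40001 -> 10.20.0.12:8080 payload=050100",
    "2024-03-05T10:00:04 10.20.0.12:44000 -> 198.51.100.9:443",
    "2024-03-05T10:00:05 10.20.0.12:44001 -> 192.0.2.53:123",
    "2024-03-05T10:00:06 10.20.0.13:44002 -> 10.20.0.12:554",
]

if __name__ == "__main__":
    for alert in triage_flows(SAMPLE_FLOWS, "10.20.0.0/24", allowed_external=["192.0.2.53"]):
        print(*alert)
```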