HiatusRAT: The Evolving Threat to IoT Devices
A PRC-based threat actor active since 2022 has recently expanded its attack scope to include DVRs and IoT cameras. The same actors have in the past targeted the Defense Industrial Base (DIB) of the US and Taiwan.
Trusted Internet has been reporting on the targeting of NVR and camera systems since day one. In fact, we’ve built a standardized architecture for just this use case.
HiatusRAT was first reported back in March, but the FBI report only just came out. So why are we reporting on it now?
We had a call from a virtual camera monitoring service last week, two days before Christmas. During that call we described these activities and the need for their company to have commensurate protections in place.
Our SOC reported that two of our clients have seen exploit attempts (which we successfully blocked) against these same IoT vulnerabilities.
Considering this, we thought it was worth providing more details and raising awareness of this attack campaign. Left unmitigated, these threat actors can cause significant harm to victims and pose a threat to other devices on the network that would normally be protected by a firewall.
What is it? HiatusRAT is a sophisticated Remote Access Trojan (RAT). A RAT is malware that hides on a device, giving an attacker remote control to steal data, spy on you, or use the device for further malicious activity.
Why do we care? HiatusRAT (active since July 2022) is now specifically targeting web cameras and DVRs, both those exposed to the Internet and those on internal networks. It focuses primarily on Chinese-branded devices, particularly those manufactured by Xiongmai and Hikvision that still have Telnet access enabled, across several English-speaking countries including the United States, Australia, Canada, New Zealand, and the United Kingdom.
(NOTE: There’s no reason why a firewall in front of these devices should allow telnet through.)
Exploitation Methods and Tools
The attackers exploit known vulnerabilities, including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. They also take advantage of weak vendor-supplied passwords. To facilitate their attacks, the threat actors employ open-source tools such as:
· Ingram: Used for web camera vulnerability scanning
· Medusa: Utilized for authentication brute-force attacks
Targeted Ports and Attack Vector
HiatusRAT scans for specific TCP ports exposed to the Internet, including 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575. This targeted approach lets the malware identify and exploit vulnerable devices more efficiently. Trusted Internet’s 24/7 SOC monitors for malicious traffic to these and other ports to protect our customers from this evolving threat.
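As an added illustration of the kind of monitoring described above (this is example code, not Trusted Internet’s SOC tooling), the following script reads firewall-style log lines and flags any source that touches several of the ports listed in the alert. The log format, the addresses and the sample lines are all constructed for the example; a real deployment would parse whatever the firewall actually emits. Counting distinct ports per source rather than raw hits keeps a legitimate RTSP viewer that only ever talks to port 554 out of the results, while a host sweeping 23, 2323, 8080 and 9530 stands out whether the firewall allowed or denied the connections.

```python
"""Flag sources probing the TCP ports associated with HiatusRAT scanning.

Added example, not Trusted Internet's SOC code. Log format is a constructed,
simplified firewall-style line:  <timestamp> <src_ip> -> <dst_ip>:<dport> <action>
"""
import re
from collections import defaultdict

# Ports named in the FBI alert, as listed in the post above.
HIATUS_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample log: 203.0.113.7 sweeps four listed ports, 203.0.113.9 is a
# normal RTSP/HTTPS client, 203.0.113.22 touches only two listed ports, and one
# line is garbage that the parser must skip.
SAMPLE_LOG = """\
2024-12-20T10:00:01Z 203.0.113.7 -> 198.51.100.10:23 deny
2024-12-20T10:00:01Z 203.0.113.7 -> 198.51.100.10:2323 deny
2024-12-20T10:00:02Z 203.0.113.7 -> 198.51.100.10:8080 deny
2024-12-20T10:00:02Z 203.0.113.7 -> 198.51.100.10:9530 deny
2024-12-20T10:00:05Z 203.0.113.9 -> 198.51.100.10:554 allow
2024-12-20T10:00:06Z 203.0.113.9 -> 198.51.100.10:554 allow
2024-12-20T10:00:07Z 203.0.113.9 -> 198.51.100.10:443 allow
2024-12-20T10:00:08Z 203.0.113.22 -> 198.51.100.11:56575 deny
2024-12-20T10:00:09Z 203.0.113.22 -> 198.51.100.11:5523 deny
garbage line that should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_scanners(lines, min_ports=3):
    """Map src_ip -> sorted list of listed ports it touched, for sources that hit
    at least `min_ports` distinct listed ports. Allowed and denied connections
    both count: a blocked probe is still evidence of scanning."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in HIATUS_PORTS:
            continue
        hits[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible HiatusRAT-style scan from {src}: ports {ports}")
```

The threshold is deliberately a parameter: lowering `min_ports` to 2 would also surface the second, quieter source in the sample, at the cost of more noise from ordinary traffic.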
Implications and Concerns
The FBI's alert underscores the growing sophistication of cyber threats targeting IoT devices. Of particular concern is HiatusRAT's ability to convert infected devices into SOCKS5 proxies, creating a covert proxy network that enables threat actors to maintain a hidden presence in target networks and conduct further malicious activities. They may initially gain access to a network by compromising an edge router, VPN, or firewall device and then pivot to an IoT camera or DVR to establish persistence on the internal network, since such devices are rarely patched. Actors can also move from a compromised laptop (via spear-phishing or a browser attack) to an IoT camera or DVR on the same network as that computer.
The malware's focus on devices from specific manufacturers highlights the critical importance of vendor security practices and timely vulnerability patching. Many of the exploited vulnerabilities remain unaddressed by vendors, exposing users to potential attacks.
Broader Context and Strategic Implications
HiatusRAT's activities align with suspected Chinese strategic interests, as noted by cybersecurity researchers. The malware has been observed targeting Taiwan-based organizations and conducting reconnaissance against a US government server used for defense contract proposals, suggesting potential motives of intelligence gathering and cyber espionage.
Mitigation Strategies
The FBI recommends several generic measures to protect against HiatusRAT and similar threats. Here are ours:
Use a NAT’d VLAN on a firewall or UTM to isolate the vulnerable devices from the Internet.
On that firewall, disallow inbound Telnet! Telnet is an old, insecure protocol that has been replaced by newer means.
Where possible, implement multi-factor authentication. This is likely not going to work on cameras but might for separate NVR/DVR devices.
Enforce strong password policies. If able, replace default usernames and passwords with strong passwords (and, where possible, the MFA described above).
Promptly update firmware and software. While this may or may not remove the telnet service, this is always best practice.
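To make the first two recommendations concrete, here is an added example (not a Trusted Internet configuration) that models the NAT’d-VLAN policy as a small first-match rule evaluator and compares it with a flat network where Telnet has been port-forwarded to the DVR for "remote management". The address plan, the NVR host and the allowed services are assumptions chosen for the illustration; a real firewall or UTM expresses the same intent in its own rule language. The hardened policy denies Telnet in every direction, refuses anything the Internet initiates toward the camera VLAN, lets only the NVR pull video from the cameras, stops a compromised camera from reaching workstations, and limits camera egress to NTP and HTTPS, which is what prevents an infected device from being useful as a proxy relay on arbitrary ports (the SOCKS5 and laptop-to-camera pivot scenarios described under Implications above).

```python
"""Segmentation policy for a NAT'd camera/DVR VLAN, modelled as first-match rules.

Added example with an assumed address plan; not a real deployment or product config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Union

# Assumed address plan (illustrative only).
LAN = ipaddress.ip_network("10.10.0.0/24")   # workstations and the NVR
IOT = ipaddress.ip_network("10.20.0.0/24")   # NAT'd VLAN holding cameras and DVRs
NVR = ipaddress.ip_network("10.10.0.50/32")  # the one LAN host allowed to pull video

TELNET = {23, 2323}


def zone_of(ip: str) -> str:
    """Classify an address into lan / iot / wan (anything else is the Internet)."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in IOT:
        return "iot"
    return "wan"


@dataclass
class Rule:
    src: Union[str, ipaddress.IPv4Network]  # zone name, "any", or a specific network
    dst: Union[str, ipaddress.IPv4Network]
    ports: Optional[Set[int]]               # None means any TCP port
    verdict: str                            # "allow" or "deny"

    @staticmethod
    def _side_matches(side, ip: str) -> bool:
        if side == "any":
            return True
        if isinstance(side, str):
            return zone_of(ip) == side
        return ipaddress.ip_address(ip) in side

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self._side_matches(self.src, src)
                and self._side_matches(self.dst, dst)
                and (self.ports is None or dport in self.ports))


# Hardened policy: first match wins, default deny.
HARDENED = [
    Rule("any", "any", TELNET, "deny"),          # no Telnet in any direction
    Rule("wan", "iot", None, "deny"),            # NAT'd VLAN: nothing inbound from the Internet
    Rule(NVR, "iot", {80, 443, 554}, "allow"),   # only the NVR pulls RTSP / web UI from cameras
    Rule("lan", "iot", None, "deny"),            # a phished laptop cannot reach the cameras
    Rule("iot", "lan", None, "deny"),            # a compromised camera cannot pivot inward
    Rule("iot", "wan", {123, 443}, "allow"),     # NTP and HTTPS (vendor updates) only
    Rule("iot", "wan", None, "deny"),            # no proxy relaying on arbitrary ports
    Rule("lan", "wan", None, "allow"),
]

# Weak baseline (constructed): flat network behind a default router, with Telnet
# port-forwarded to the camera VLAN and everything internal wide open.
FLAT = [
    Rule("wan", "iot", TELNET, "allow"),
    Rule("wan", "any", None, "deny"),
    Rule("any", "any", None, "allow"),
]


def evaluate(policy, src: str, dst: str, dport: int) -> str:
    """Return the verdict of the first matching rule, or deny if none match."""
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule.verdict
    return "deny"


if __name__ == "__main__":
    cases = [
        ("Internet -> camera Telnet", "203.0.113.7", "10.20.0.15", 23),
        ("laptop -> camera Telnet", "10.10.0.77", "10.20.0.15", 23),
        ("NVR -> camera RTSP", "10.10.0.50", "10.20.0.15", 554),
        ("laptop -> camera RTSP", "10.10.0.77", "10.20.0.15", 554),
        ("camera -> laptop SMB", "10.20.0.15", "10.10.0.77", 445),
        ("camera -> Internet port 1080", "10.20.0.15", "198.51.100.5", 1080),
        ("camera -> vendor HTTPS", "10.20.0.15", "198.51.100.5", 443),
    ]
    for label, s, d, p in cases:
        print(f"{label:30} flat={evaluate(FLAT, s, d, p):5} hardened={evaluate(HARDENED, s, d, p)}")
```

Running the script side by side shows the difference: every case is allowed by the flat baseline, while the hardened policy permits only the NVR’s video pull and the cameras’ HTTPS egress. Firmware updates and strong passwords (the remaining recommendations) still matter, because the policy only limits what a compromised device can reach; it does not stop the compromise itself.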
As IoT devices become increasingly prevalent in personal and professional settings, the threat posed by malware like HiatusRAT cannot be overstated. Organizations and individuals must remain vigilant and implement robust security measures to protect their IoT infrastructure.
How Trusted Internet Can Protect You from HiatusRAT and Other IoT Threats
The recent rise of HiatusRAT, a malware targeting internet-connected cameras and DVR/NVR systems, highlights the growing dangers to our increasingly interconnected world. But Trusted Internet provides robust solutions to keep your devices and data safe. Here's how:
Proactive Network Security: Default firewall setups won’t do. Trusted Internet can help configure firewalls to isolate vulnerable devices, preventing direct Internet access and significantly reducing your attack surface. We also block outdated protocols like Telnet, closing common entry points for malware.
24/7 Security Monitoring: Our Security Operations Center (SOC) monitors network traffic for suspicious activity, including scans on ports commonly targeted by HiatusRAT. This proactive approach lets us detect and respond to threats before they compromise your devices.
Expert Guidance and Support: We don't just offer tools; we provide expertise. Our team can assess your specific vulnerabilities, recommend tailored mitigation strategies, and assist with implementing best practices like strong passwords, multi-factor authentication (where possible), and timely firmware updates.
Defense Against Evolving Threats: The threat landscape is constantly changing. Trusted Internet stays ahead of the curve, researching and adapting to new malware to ensure your ongoing protection.
With Trusted Internet, you gain a comprehensive security solution that addresses the unique challenges of IoT devices. We provide peace of mind, knowing that your systems and data are protected by experienced professionals and cutting-edge technology.
Don't wait to become a victim. Contact Trusted Internet today and secure your connected world.
For more information: staysafeonline@trustedinternet.io