A Chinese-backed malware operation is building a botnet out of smart cameras and video boxes.
The FBI said that the actors behind HiatusRAT, a piece of malware rather than a group name, have been seeding internet-of-things (IoT) devices with a remote access trojan that gives them remote control of the hardware. Targets include smart cameras and DVR boxes.
Beyond harvesting video footage or network traffic from the compromised hardware, attackers can use these internet-facing devices as a foothold to reach other hosts on the same network, mount further attacks and exfiltrate data.
In this case, the FBI believes that the attackers are trying to compromise U.S. government agencies and the private contractors that work with them. It is believed that the threat actors are working on behalf of the Chinese government to infiltrate networks and gather data that would benefit Beijing.
“HiatusRAT is a Remote Access Trojan (RAT) whose latest iteration has likely been employed since July 2022,” the FBI said in its notice on the attack.
“The Hiatus campaign originally targeted outdated network edge devices. Cybersecurity companies have also observed these actors using the malware to target a range of Taiwan-based organizations and to carry out reconnaissance against a U.S. government server used for submitting and retrieving defense contract proposals.”
IoT devices are a popular target because they rarely receive updates. Administrators often leave connected devices out of the regular patch cycle, and vendors frequently never develop or ship fixes for publicly known CVEs affecting their products.
This can make IoT hardware a soft spot in networks that are otherwise well-protected and maintained.
In this case, the FBI said the attackers exploited a number of known CVEs, some dating back to 2017, and also broke into devices that were still using the vendor-supplied default password.
The FBI recommends that administrators follow established best practices for IoT device security. Most are basic measures: check regularly for firmware patches and apply them, replace default passwords, rotate credentials on a schedule, and do not expose devices to the open internet unless absolutely necessary.
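Those four recommendations, together with the observation that IoT devices tend to fall out of the patch cycle, can be turned into a repeatable audit. The script below is an added example written for this article, not code from the FBI notice or from any vendor. The inventory format, the device models, the default-credential list, the "first patched firmware" table, the 90-day rotation window and the internal address ranges are all constructed assumptions; a real deployment would feed it the vendor's documented defaults and the organization's own CMDB and firewall data.

```python
"""Audit an IoT inventory against the hardening advice in the FBI notice.

Added example: every model name, version, credential and address below is
constructed sample data, not taken from the notice.
"""
from dataclasses import dataclass
import hashlib
import ipaddress
import re

MAX_CREDENTIAL_AGE_DAYS = 90   # rotation window (assumption, not from the notice)

# Constructed: vendor-default logins a real audit would load from the vendor manuals.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "")}

# Constructed: first firmware build that fixes each model's known CVEs.
MIN_PATCHED_FIRMWARE = {"ACME-CAM-2000": "5.5.0", "ACME-DVR-8": "2.1.4"}

# Constructed: address space the organization considers internal. Checking an
# explicit allowlist avoids surprises from ipaddress.is_private(), which also
# treats documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def version_tuple(v: str) -> tuple:
    """Turn vendor-style strings like 'v5.4.12-rc1' into (5, 4, 12, 1) for comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    username: str
    password_sha256: str            # inventory stores a hash, never the plaintext
    credential_age_days: int
    mgmt_addr: str                  # address the web/RTSP management interface answers on
    wan_forwarded_ports: tuple = () # ports the perimeter firewall forwards to this device


def audit_device(dev: Device) -> list:
    findings = []
    # 1. Patch level: flag firmware below the first build that fixed known CVEs,
    #    and flag models with no baseline at all (they are outside the patch cycle).
    minimum = MIN_PATCHED_FIRMWARE.get(dev.model)
    if minimum is None:
        findings.append("no patch baseline for model; add it to the patch cycle")
    elif version_tuple(dev.firmware) < version_tuple(minimum):
        findings.append(f"firmware {dev.firmware} older than first patched build {minimum}")
    # 2. Vendor default credentials, compared by hash so plaintext is never stored.
    if any(dev.username == u and sha256_hex(p) == dev.password_sha256 for u, p in DEFAULT_CREDENTIALS):
        findings.append("vendor default credentials still set")
    # 3. Credential rotation.
    if dev.credential_age_days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"credentials not rotated for {dev.credential_age_days} days")
    # 4. Internet exposure: management interface outside internal space, or port-forwarded.
    addr = ipaddress.ip_address(dev.mgmt_addr)
    if not any(addr in net for net in INTERNAL_NETWORKS):
        findings.append(f"management interface on non-internal address {dev.mgmt_addr}")
    if dev.wan_forwarded_ports:
        findings.append(f"reachable from the internet via forwarded ports {list(dev.wan_forwarded_ports)}")
    return findings


def audit(devices) -> dict:
    """Map device name -> list of findings (empty list means the device passed)."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one badly neglected camera, one stale-credential DVR,
# one patched camera whose management interface sits on a non-internal address.
SAMPLE_INVENTORY = [
    Device("lobby-cam", "ACME-CAM-2000", "5.2.1", "admin", sha256_hex("admin"), 900, "192.168.10.21", (8080,)),
    Device("dvr-1", "ACME-DVR-8", "2.1.4", "svc-dvr", sha256_hex("correct horse battery staple"), 200, "192.168.10.30"),
    Device("dock-cam", "ACME-CAM-2000", "5.5.2", "svc-cam", sha256_hex("Qm7!vR2#pLx9"), 30, "203.0.113.17"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run as-is it prints four findings for lobby-cam (old firmware, default login, no rotation, port-forwarded), one for dvr-1 (stale credentials) and one for dock-cam (management interface outside internal address space). The point of the explicit `MIN_PATCHED_FIRMWARE` table is that a device with no entry is itself a finding: the notice's 2017-era CVEs were exploitable precisely because nobody was tracking those devices' patch state.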