The FBI Cyber Division released a private industry notification on December 16, 2024, warning organizations about HiatusRAT scanning campaigns.
What happened
The HiatusRAT campaign is a sophisticated series of cyberattacks involving a Remote Access Trojan (RAT) used by malicious actors to gain access to and control targeted devices. The campaign has been active since at least July 2022, initially targeting outdated network edge devices. HiatusRAT was employed to conduct reconnaissance against a U.S. government server used to submit and retrieve defense contract proposals and to passively collect traffic from compromised devices.
By March 2024, HiatusRAT actors expanded their operations to include scanning Internet of Things devices in the United States, Australia, Canada, New Zealand, and the United Kingdom. The scanning campaign specifically targeted vulnerabilities in Chinese-branded web cameras and digital video recorders, particularly from the manufacturers Xiongmai and Hikvision. The attackers exploited vulnerabilities such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260. These vulnerabilities allowed unauthorized access, password disclosure, and command injection. Many of these vulnerabilities remain unpatched by the manufacturers, leaving devices susceptible to exploitation.
What was said
According to the guidance document, “In particular, the actors targeted Xiongmai and Hikvision devices with telnet access. They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access.”
The big picture for the healthcare sector
Healthcare organizations increasingly adopt Internet of Things (IoT) devices to improve operational efficiency. HiatusRAT poses a threat to outdated or poorly secured devices, potentially allowing malicious actors to gain unauthorized access to protected health information (PHI). The notification also underlines the need for proactive cybersecurity practices.
FAQs
What are IOCs and why should they be reported?
Indicators of compromise are pieces of forensic evidence that suggest a system may have been breached, and they should be reported to help cybersecurity teams detect and respond to potential security incidents.
How can organizations protect themselves from HiatusRAT?
Organizations can protect themselves by updating and patching devices and isolating vulnerable devices mentioned in the guidance.
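The notification describes actors reaching Xiongmai and Hikvision devices over Telnet and brute-forcing logins with Medusa. As an added example that is not part of the FBI notification, the script below flags bursts of Telnet connection attempts against inventoried cameras in firewall logs, which is the kind of check that helps decide which devices to isolate. The log field layout, the camera inventory, and every IP address and timestamp are constructed assumptions, not a real vendor format or real indicators.

```python
# Added example, not from the FBI notification: flag Telnet brute-force
# bursts against inventoried cameras in firewall connection logs. The
# "ts src= dst= dport= action=" layout and all values below are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed inventory: camera IP -> vendor (in practice, from your CMDB).
CAMERA_INVENTORY = {"10.20.5.11": "Hikvision", "10.20.5.12": "Xiongmai"}

# Constructed lines: one external host hammering tcp/23 on a camera, plus noise.
SAMPLE_LOG = """\
2024-12-17T02:14:01Z src=203.0.113.45 dst=10.20.5.11 dport=23 action=ALLOW
2024-12-17T02:14:02Z src=203.0.113.45 dst=10.20.5.11 dport=23 action=ALLOW
2024-12-17T02:14:02Z src=203.0.113.45 dst=10.20.5.11 dport=23 action=ALLOW
2024-12-17T02:14:03Z src=203.0.113.45 dst=10.20.5.11 dport=23 action=ALLOW
2024-12-17T02:14:05Z src=203.0.113.45 dst=10.20.5.11 dport=23 action=ALLOW
2024-12-17T02:15:10Z src=10.20.1.7 dst=10.20.5.12 dport=443 action=ALLOW
2024-12-17T03:40:00Z src=198.51.100.9 dst=10.20.5.12 dport=23 action=ALLOW
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=\S+$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_telnet_bursts(log_text, inventory=CAMERA_INVENTORY, threshold=5, window_s=60):
    """[(src, dst, vendor)] for sources hitting tcp/23 on a camera >= threshold times in window_s."""
    attempts = defaultdict(list)  # (src, dst) -> timestamps of Telnet attempts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 23 and rec[2] in inventory:
            attempts[(rec[1], rec[2])].append(rec[0])
    hits = []
    for (src, dst), stamps in attempts.items():
        stamps.sort()
        # Any run of `threshold` consecutive attempts inside the window counts.
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s
               for i in range(len(stamps) - threshold + 1)):
            hits.append((src, dst, inventory[dst]))
    return hits
```

Feed it your own firewall export after adapting `LINE_RE`; a hit is a prompt to confirm the camera's patch level and move it behind an access control that blocks inbound Telnet.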
What is the risk associated with audio-visual equipment being compromised in healthcare practices?
The risk is that access to camera footage could expose patient information and operational activities, and reveal facility security measures that could later be used to stage a larger-scale breach.