RATs can sniff out your Chinese-made web cameras: here’s how to defend yourself


Malicious campaigns are attacking Chinese-branded IoT devices – web cameras and DVRs – to crack authentication. Unfortunately, vendors are seemingly not in a rush to patch the targeted vulnerabilities.

The FBI has issued a notification about a Remote Access Trojan (RAT) attack that targets Chinese-branded web cameras and DVRs, such as Hikvision and Xiongmai devices with telnet access.

In March 2024, threat actors used a type of RAT named HiatusRAT to target Internet of Things (IoT) devices across the US, Australia, Canada, New Zealand, and the United Kingdom.


Attackers scanned the devices for weak vendor-supplied passwords and vulnerabilities to bypass authentication and inject commands. They used Ingram, a webcam-scanning tool available on GitHub, to carry out scanning activities.

Cybersecurity companies have also reported that these actors are deploying malware to target various organizations in Taiwan and conducting reconnaissance on a US government server used to submit and access defense contract proposals.

The malware’s latest iteration has been circulating since July 2022. The Hiatus campaign initially targeted outdated network edge devices. Many of the targeted vulnerabilities remain unpatched by the vendors.

Paulius Grinkevicius Gintaras Radauskas vilius jurgita

What if you own a Hikvision or Xiongmai device?

If you happen to own one of the devices mentioned above, the FBI recommends limiting its use and isolating it from the rest of your network to mitigate the risks related to HiatusRAT.

The FBI also provides best-practice guidelines that can help users and organizations protect themselves against this kind of attack:

  • Review or establish security policies, user agreements, and patch management plans to mitigate threats posed by these and other malicious cyber actors.
  • Promptly patch and update operating systems, software, and firmware as soon as the manufacturer releases updates. Consider removing devices no longer supported by the manufacturer from your network.
  • Regularly update network system and account passwords, and avoid reusing passwords across multiple accounts. Replace default or weak passwords with strong, unique credentials.
  • Enforce a robust password policy that includes using strong, unique passwords for all protected accounts, changing default credentials, implementing lockout mechanisms for failed login attempts, preventing password reuse, and securely storing passwords.
  • Enable multi-factor authentication (MFA) wherever possible.
  • Deploy security monitoring tools to log and analyze network traffic, establish baseline activity, and detect anomalies such as lateral network movement.
  • Monitor and review remote access/Remote Desktop Protocol (RDP) logs regularly, and disable unused remote access or RDP ports.
  • Implement application and remote access allowlisting policies to ensure only authorized programs are executed under an established security framework.
  • Regularly audit administrative user accounts, define access privileges based on the principle of least privilege, and adjust permissions as needed.
  • Monitor and audit logs consistently to verify the legitimacy of new accounts and to establish baselines for normal user activity.
  • Conduct network scans to identify open and listening ports, and disable any that are unnecessary.
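The last two recommendations, finding listening ports on your own camera and DVR inventory and disabling the ones you do not need, can be turned into a small audit script. This is an added example, not code from the FBI or the article; the device names and 192.0.2.x addresses are constructed placeholders, and telnet is the only service listed because it is the access path the article names.

```python
"""Audit an inventory of IoT devices (cameras/DVRs) for unneeded listening
services such as telnet, which the HiatusRAT campaign used for access."""
import socket

# Constructed sample inventory: hypothetical names and documentation-range
# addresses, not devices from the article. Replace with your own list.
INVENTORY = {
    "cam-lobby": "192.0.2.10",
    "dvr-main": "192.0.2.20",
}

# Services a camera/DVR should not expose on the LAN. Telnet is the one the
# campaign abused; extend this map with any other service you do not use.
UNNEEDED_PORTS = {23: "telnet"}


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect to host:port succeeds (port is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(inventory, ports=UNNEEDED_PORTS, probe=tcp_probe):
    """Return (device, host, port, service) for every unneeded service found
    listening. `probe` is injectable so the logic can be tested offline."""
    findings = []
    for name, host in inventory.items():
        for port, service in ports.items():
            if probe(host, port):
                findings.append((name, host, port, service))
    return findings


def report(findings) -> str:
    """Render findings as an action list for whoever manages the devices."""
    if not findings:
        return "OK: no unneeded services listening"
    lines = ["ACTION REQUIRED: disable or firewall these services:"]
    for name, host, port, service in findings:
        lines.append(f"  {name} ({host}) exposes {service}/tcp on port {port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(INVENTORY)))
```

Run it from a host on the same network segment as the devices; anything reported should be disabled in the device's settings or blocked by a firewall rule, in line with the isolation advice above.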