The FBI warned that HiatusRAT malware is actively scanning and infecting internet-exposed webcams and DVRs — targeting Chinese-branded devices with CVEs as old as 2017 that remain unpatched or end-of-life. HN50 also covers a telehealth breach at ConnectOnCall that exposed the protected health information of over 914,000 patients, including names, phone numbers, medical record numbers, health conditions, prescriptions, and Social Security numbers — for nearly three months before discovery.
Stories Covered
FBI Warns: HiatusRAT Malware Actively Targeting Exposed Webcams and DVRs
The FBI issued a private industry notification warning that HiatusRAT threat actors — linked to Chinese strategic interests — are running active scanning campaigns against internet-exposed webcams and DVRs in the US, Australia, Canada, New Zealand, and the UK. Attackers are focusing on Hikvision and Zhongmai devices, using open-source tools — Ingram for webcam vulnerability scanning and Medusa for brute-force authentication — against TCP ports 23, 26, 554, 2323, 567, 5523, 80, 8080, 9530, and 56575. CVEs being actively exploited include vulnerabilities from 2017, 2018, 2020, and 2021, alongside weak or default vendor-supplied credentials.
The threat model here is lateral movement, not just surveillance. A compromised webcam is a foothold on whatever network segment it sits on. HiatusRAT converts infected devices into SOCKS5 proxies for C2 communication and can pivot to other networked devices — escalating from a forgotten corner-of-the-office camera to a machine with meaningful data or privileges. The malware was previously documented targeting DrayTek Vigor VPN routers across North America, Europe, and South America, and a defense department server in a reconnaissance campaign. The webcam targeting is an expansion of the same playbook.
The core problem is the IoT “set it and forget it” pattern. Unlike a laptop that slows down when infected, a compromised webcam gives no user-visible signal. Devices running 2017-era CVEs have had seven years of available patches — but if firmware updates require manual download and installation, most consumers never perform them. The FBI’s guidance is straightforward: isolate devices from the rest of the network where possible, decommission end-of-life hardware, and report indicators of compromise to IC3 or the local field office. If the device can be patched, patch it now.
ConnectOnCall Breach: 914,000 Patient Health Records Exposed for Three Months
Healthcare SaaS company Phreesia notified the US Department of Health and Human Services that a breach of its telehealth subsidiary ConnectOnCall — acquired in October 2023 — exposed the protected health information of 914,138 patients. The breach ran from February 16 to May 12, 2024, nearly three months before discovery. ConnectOnCall is an after-hours physician answering and patient call-tracking platform. The exposed data included names, phone numbers, medical record numbers, dates of birth, health conditions, treatments, prescriptions, and in a subset of cases, Social Security numbers.
The combination of data types is what makes this breach particularly damaging. Health conditions, prescriptions, and treatment history paired with SSNs, phone numbers, and dates of birth gives an attacker the raw material to build high-fidelity identity profiles. That kind of profile enables targeted phishing, insurance fraud, and prescription fraud — all of which are harder to detect and remediate than a straightforward credit card compromise. The fact that no breach method was disclosed publicly makes it harder to assess, but three months of undetected access suggests either sophisticated evasion or inadequate internal monitoring of who was accessing patient communication data.
The acquisition context matters here. ConnectOnCall was a recently acquired entity — systems that haven’t been fully migrated, audited, or hardened by the parent company are exactly the kind of environment where security coverage lags. Phreesia took ConnectOnCall offline after discovery, notified federal law enforcement, and brought in external cybersecurity investigators. For patients who used the service, the practical mitigation is credit monitoring and freezing credit — and watching for targeted calls or messages leveraging health details that shouldn’t be in the hands of the caller.
Leave a Reply