惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
P
Proofpoint News Feed
Apple Machine Learning Research
Apple Machine Learning Research
WordPress大学
WordPress大学
博客园 - Franky
V
V2EX
爱范儿
爱范儿
J
Java Code Geeks
小众软件
小众软件
Last Week in AI
Last Week in AI
The Cloudflare Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
T
The Blog of Author Tim Ferriss
酷 壳 – CoolShell
酷 壳 – CoolShell
The Register - Security
The Register - Security
GbyAI
GbyAI
Vercel News
Vercel News
Y
Y Combinator Blog
腾讯CDC
F
Fortinet All Blogs
I
InfoQ
N
Netflix TechBlog - Medium
B
Blog RSS Feed
D
Docker
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
量子位
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
The GitHub Blog
The GitHub Blog
Microsoft Security Blog
Microsoft Security Blog
V
Visual Studio Blog
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
Blog — PlanetScale
Blog — PlanetScale
H
Help Net Security
云风的 BLOG
云风的 BLOG
A
About on SuperTechFans
Scott Helme
Scott Helme
T
Tor Project blog
U
Unit 42
Google Online Security Blog
Google Online Security Blog
PCI Perspectives
PCI Perspectives
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
NISL@THU
NISL@THU
D
Darknet – Hacking Tools, Hacker News & Cyber Security
aimingoo的专栏
aimingoo的专栏
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Stack Overflow Blog
Stack Overflow Blog
Security Archives - TechRepublic
Security Archives - TechRepublic

SANS Internet Storm Center, InfoCON: green

From a VHDX File to a Remcos RAT - SANS Internet Storm Center ISC Stormcast For Tuesday, June 16th, 2026 https://isc.sans.edu/podcastdetail/9974 Evil MSI Background: BASE64 Statistical Analysis - SANS ISC ISC Stormcast For Monday, June 15th, 2026 https://isc.sans.edu/podcastdetail/9972 ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970 ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968 How has use of framing protection security headers changed in the past 3 years? ISC Stormcast For Wednesday, June 10th, 2026 https://isc.sans.edu/podcastdetail/9966 Microsoft June 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, June 9th, 2026 https://isc.sans.edu/podcastdetail/9964 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07 ISC Stormcast For Monday, June 8th, 2026 https://isc.sans.edu/podcastdetail/9962 The Evil MSI Background is Back! - SANS Internet Storm Center ISC Stormcast For Friday, June 5th, 2026 https://isc.sans.edu/podcastdetail/9960 Microsoft's Coreutils for Windows - SANS Internet Storm Center ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958 Continuing Scans for swagger.json - SANS Internet Storm Center ISC Stormcast For Wednesday, June 3rd, 2026 https://isc.sans.edu/podcastdetail/9956 New Wave Of Phishing Emails with SVG Files - SANS ISC ISC Stormcast For Tuesday, June 2nd, 2026 https://isc.sans.edu/podcastdetail/9954 ISC Stormcast For Monday, June 1st, 2026 https://isc.sans.edu/podcastdetail/9952 Unidentified RAT pushes NetSupport RAT - SANS ISC YARA-X 1.17.0 Release - SANS Internet Storm Center ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950 Analysis of a Year of Files Uploaded to DShield Sensors ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948 Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946 ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944 Possible ACR Stealer From Page Impersonating Claude Microsoft Access VBA - SANS Internet Storm Center Wireshark 4.6.6 Released - SANS Internet Storm Center An Example of Stack String in High Level Language - SANS ISC Cross-Platform NPM Stealer - SANS Internet Storm Center ISC Stormcast For Friday, May 22nd, 2026 https://isc.sans.edu/podcastdetail/9942 Selective HTTP Proxying in Linux - SANS Internet Storm Center ISC Stormcast For Thursday, May 21st, 2026 https://isc.sans.edu/podcastdetail/9940 ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938 ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 [Guest Diary] New Malware Libraries means New Signatures ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934 Simple bypass of the link preview function in Outlook Junk folder ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932 [GUEST DIARY] Tearing apart website fraud to see how it works. ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930 Proxying the Unproxyable? Sending EXE traffic to a Proxy Microsoft May 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928 Apple Patches Everything - SANS Internet Storm Center Why we use CAPTCHAs - SANS Internet Storm Center ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926 YARA-X 1.16.0 Release - SANS Internet Storm Center Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924 ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920 Cleartext Passwords in MS Edge? In 2026? - SANS ISC SSL.com rotates their root certificate today - SANS ISC ISC Stormcast For Tuesday, May 5th, 2026 https://isc.sans.edu/podcastdetail/9918 TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) DShield Honeypot Update - SANS Internet Storm Center ISC Stormcast For Monday, May 4th, 2026 https://isc.sans.edu/podcastdetail/9916 Wireshark 4.6.5 Released - SANS Internet Storm Center Malicious Ad for Homebrew Leads to MacSync Stealer ISC Stormcast For Friday, May 1st, 2026 https://isc.sans.edu/podcastdetail/9914 ISC Stormcast For Thursday, April 30th, 2026 https://isc.sans.edu/podcastdetail/9912 Danger of Libredtail [Guest Diary] - SANS Internet Storm Center Today's Odd Web Requests - SANS Internet Storm Center ISC Stormcast For Wednesday, April 29th, 2026 https://isc.sans.edu/podcastdetail/9910 HTTP Requests with X-Vercel-Set-Bypass-Cookie Header ISC Stormcast For Tuesday, April 28th, 2026 https://isc.sans.edu/podcastdetail/9908 TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns ISC Stormcast For Friday, April 24th, 2026 https://isc.sans.edu/podcastdetail/9906 Apple Patches Exploited Notification Flaw - SANS ISC ISC Stormcast For Thursday, April 23rd, 2026 https://isc.sans.edu/podcastdetail/9904 ISC Stormcast For Wednesday, April 22nd, 2026 https://isc.sans.edu/podcastdetail/9902 [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd) A .WAV With A Payload - SANS Internet Storm Center ISC Stormcast For Tuesday, April 21st, 2026 https://isc.sans.edu/podcastdetail/9900 Handling the CVE Flood With EPSS - SANS Internet Storm Center ISC Stormcast For Monday, April 20th, 2026 https://isc.sans.edu/podcastdetail/9898 ISC Stormcast For Friday, April 17th, 2026 https://isc.sans.edu/podcastdetail/9896 Lumma Stealer infection with Sectop RAT (ArechClient2) ISC Stormcast For Thursday, April 16th, 2026 https://isc.sans.edu/podcastdetail/9894 ISC Stormcast For Wednesday, April 15th, 2026 https://isc.sans.edu/podcastdetail/9892 Scanning for AI Models - SANS Internet Storm Center Microsoft Patch Tuesday April 2026. - SANS ISC ISC Stormcast For Tuesday, April 14th, 2026 https://isc.sans.edu/podcastdetail/9890 Scans for EncystPHP Webshell - SANS Internet Storm Center ISC Stormcast For Monday, April 13th, 2026 https://isc.sans.edu/podcastdetail/9888 Obfuscated JavaScript or Nothing - SANS Internet Storm Center ISC Stormcast For Thursday, April 9th, 2026 https://isc.sans.edu/podcastdetail/9886 Number Usage in Passwords: Take Two - SANS ISC TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory More Honeypot Fingerprinting Scans - SANS Internet Storm Center ISC Stormcast For Wednesday, April 8th, 2026 https://isc.sans.edu/podcastdetail/9884 A Little Bit Pivoting: What Web Shells are Attackers Looking for? ISC Stormcast For Tuesday, April 7th, 2026 https://isc.sans.edu/podcastdetail/9882 How often are redirects used in phishing in 2026? - SANS ISC ISC Stormcast For Monday, April 6th, 2026 https://isc.sans.edu/podcastdetail/9880
[Guest Diary] Compromised DVRs and Finding Them in the Wild
SANS Internet Storm Center · 2026-04-16 · via SANS Internet Storm Center, InfoCON: green

[This is a Guest Diary by Alec Jaffe, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

Security cameras are great at monitoring physical doors, but terrible at locking their own digital ones. Across the internet, thousands of unpatched DVRs sit publicly exposed, many guarded only by the default vendor passwords they shipped with. For threat actors, these are low-hanging fruit. This write-up details a recent two-second Telnet capture, providing a mechanical breakdown of how quickly an exposed camera system goes from online to fully compromised by bad actors.

An attack from IP address 46.6.14.135 was detected for 1.934 seconds, successfully connecting and authenticating to TCP port 23 (Telnet) for the aforementioned time period. This initial access vector (utilizing username root and password root) maps to MITRE ATT&CK techniques T1110.001 (Password Guessing) [2] and T1078 (Valid Accounts) [3]. The execution of ten sequential commands within a ~2-second session is inconsistent with manual interaction, meaning the attack is most likely automated.


Figure 1: Summary of attack from output of cowrieprocessor [4].

Further investigation of the IP address using Shodan [5] reveals that the offending device is an Airspace Digital Video Recorder, (DVR) exposing an 8-channel CCTV system in Spain. Note that the OEM of Airspace is Dahua, a Chinese manufacturer of surveillance cameras and related equipment.


Figure 2: General information & exposed services of offending device, retrieved from Shodan [5], as of 2026-04-01.


Figure 3: More exposed services of the offending DVR device, retrieved from Shodan [5], as of 2026-04-01.

Note that the cameras are exposed through the web service. It’s highly likely that an unsophisticated threat actor could gain direct access to the camera video feeds relatively easily through this by leveraging common Dahua default credentials (e.g. admin/admin or 666666/666666), which are explicitly documented in the vendor's own user manuals for legacy systems [6][7]. Additionally, note that the device’s firmware hasn’t been updated since at latest August of 2014, indicated by the Last-Modified value.


Figure 4: AbuseIPDB results [8], as of 2026-04-01.


Figure 5: First attack reported on AbuseIPDB [8], indicating the device has been compromised since 2025-11-28.

Noticing similar attacks in my honeypot logs, I prototyped a PowerShell script (assisted by Gemini Pro) to estimate the global footprint of these compromised DVRs. For reference, the script is available on my Github [9]. It pulls IPs from Shodan matching the offending device's RTSP server hash [10], then cross-references them against AbuseIPDB to check for malicious activity reported within the last 90 days, utilizing the APIs of both services.


Figure 6: sample of PowerShell script [9] output.

Due to AbuseIPDB’s free-tier API limits, I could only scan the first 1,000 of the 5,313 matching IPs identified on Shodan. Within that limited sample, 38 IPs (3.8%) were actively reported for abuse.

Extrapolating this 3.8% infection rate across all 5,313 exposed devices yields roughly 202 compromised DVRs globally. Because this script only flags devices caught and reported in the last 90 days, this 202 figure should be treated as a highly conservative baseline. The actual number of compromised devices, including dormant ones, is likely much higher.

Once authenticated, the attacker executed a reconnaissance and environmental staging script. Below is a line-by-line breakdown of the payload execution:

# enable 
# system 
# shell 
# sh

The script sequentially attempts to escape restricted, vendor-specific CLI menus to access a standard Unix shell, mapping to MITRE ATT&CK technique T1059.004 (Unix Shell) [11].

# cat /proc/mounts; /bin/busybox RRVHZ

The script reads /proc/mounts to identify writable file systems, mapping to MITRE ATT&CK technique T1082 (System Information Discovery) [12]. Execution capabilities are subsequently verified by calling a non-existent BusyBox applet (RRVHZ) and monitoring for the resulting error.

# cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox RRVHZ

The script navigates to /dev/shm (a memory-backed filesystem used to evade disk forensics) and copies /bin/echo to a hidden file (.s). This dotfile creation maps to MITRE ATT&CK technique T1564.001 (Hidden Files and Directories) [13]. The file is immediately executed to confirm the directory lacks execution restriction, acting as an environmental staging check that maps to MITRE ATT&CK technique T1082 (System Information Discovery) [12].

# tftp; wget; /bin/busybox RRVHZ

The script checks for the presence of network utilities (tftp and wget) to determine the available mechanisms for downloading the primary malware payload, corresponding to MITRE ATT&CK technique T1105 (Ingress Tool Transfer) [14].

# dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s

The script tests three redundant file-reading mechanisms against the hidden .s test file, mapping to MITRE ATT&CK technique T1564.001 (Hidden Files and Directories) [13]. Specifically, dd bs=52 count=1 attempts to read the first 52 bytes, which corresponds to the standard size of a 32-bit ELF file header. This acts as an environmental staging check, corresponding to MITRE ATT&CK technique T1082 (System Information Discovery) [12], verifying the system's ability to read and process dropped malware binaries.

# /bin/busybox RRVHZ # rm .s; exit

Mapping to MITRE T1070.004 (File Deletion) [15], the script removes the temporary .s file to avoid leaving forensic artifacts before terminating the staging session.

To protect against this specific attack vector, defenders should implement the following baseline configurations:

  • Restrict Telnet access via a local firewall or VPN to a strictly allowed IP list, preventing exposure to the public internet
  • Enforce strong password policies and change default credentials for all service accounts
  • Disallow remote root login over Telnet

The set-and-forget lifecycle of physical security devices is actively fueling digital insecurity. When a DVR is left exposed and unmanaged, it ceases to be just a camera system and morphs into a free server for malicious actors. The ~2-second compromise documented here is a stark reminder: if you aren't managing your edge devices, someone else already is.

Methodology & Tooling Note: The initial triage and data collection for this report were conducted using cowrieprocessor, Shodan, and AbuseIPDB. Gemini Pro [16] was utilized as a supplemental tool to assist with the mechanical breakdown of the staging script and rapid prototyping of the PowerShell script. All AI-assisted analytical conclusions were reviewed and verified by the author to ensure technical accuracy and contextual relevance.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://attack.mitre.org/techniques/T1110/001/
[3] https://attack.mitre.org/techniques/T1078/
[4] https://github.com/jslagrew/cowrieprocessor
[5] https://www.shodan.io/host/46.6.14.135
[6] https://dahuawiki.com/images/Files/QSG/NVR_Series_Quick_Start_Guide_V4.0.0.pdf
[7] https://www.a2t.ro/source/CW-HCVR5108H-V2-Manual.pdf
[8] https://www.abuseipdb.com/check/46.6.14.135
[9] https://github.com/alecjaffe/shodan_abuseipdb_xref
[10] https://www.shodan.io/search?query=hash%3A1321444670
[11] https://attack.mitre.org/techniques/T1059/004/
[12] https://attack.mitre.org/techniques/T1082/
[13] https://attack.mitre.org/techniques/T1564/001/
[14] https://attack.mitre.org/techniques/T1105/
[15] https://attack.mitre.org/techniques/T1070/004/
[16] https://gemini.google.com

--
Jesse La Grew
Senior Handler