The campaign focused in particular on Hikvision and Xiongmai devices that have Telnet access. The criminals use the open-source tool Ingram to detect vulnerabilities in the web cameras, and Medusa, another open-source tool, to circumvent authentication.
The attacks targeted webcams and DVRs that had TCP ports 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575 exposed to the Internet.
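Defenders can check the port list above against scan results for their own networks. The following is an added example, not part of the original article: it parses `nmap -oG` (grepable) output and reports hosts that have any of the listed TCP ports in the open state. The function name, the sample hosts and the sample scan text are constructed for illustration.

```python
import re

# TCP ports the article names as targeted on webcams and DVRs.
CAMPAIGN_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}

# Constructed sample of `nmap -oG` output for a scan of one's own address
# space (documentation addresses and hypothetical host names, not real hosts).
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (cam-lobby)\tStatus: Up\n"
    "Host: 192.0.2.10 (cam-lobby)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 (dvr-garage)\tPorts: 9530/open/tcp//unknown///, "
    "8080/filtered/tcp//http-proxy///\n"
    "Host: 192.0.2.12 (printer)\tPorts: 631/open/tcp//ipp///, "
    "23/closed/tcp//telnet///\n"
    "Host: 192.0.2.13 ()\tPorts: 2323/open/tcp//unknown///, "
    "56575/open/udp/////\n"
)

# Matches only the "Ports:" record of a host, not its "Status:" record.
HOST_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def exposed_campaign_ports(grepable_text):
    """Return {address: [ports]} for hosts with a listed TCP port open."""
    findings = {}
    for line in grepable_text.splitlines():
        match = HOST_PORTS_RE.match(line)
        if not match:
            continue
        addr, _name, ports_field = match.groups()
        # Drop trailing tab-separated fields such as "Ignored State: ...".
        ports_field = ports_field.split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue  # malformed entry, skip rather than guess
            port, state, proto = int(fields[0]), fields[1], fields[2]
            # "filtered" and "closed" are not reachable services; UDP is
            # out of scope because the article lists TCP ports only.
            if state == "open" and proto == "tcp" and port in CAMPAIGN_PORTS:
                findings.setdefault(addr, set()).add(port)
    return {addr: sorted(ports) for addr, ports in findings.items()}


if __name__ == "__main__":
    for addr, ports in exposed_campaign_ports(SAMPLE_SCAN).items():
        print(f"{addr}: listed ports open -> {ports}")
```

Hosts reported here are candidates for firewalling or for removing the Internet-facing port forward, starting with those that expose Telnet.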
The campaign is the successor to two large-scale series of attacks: one that targeted a US Department of Defense server in 2023, as Bleeping Computer reported, and another that targeted more than a hundred companies from North America, Europe, and South America whose DrayTek Vigor VPN routers were infected with HiatusRAT to create a covert proxy network.