South Korean law enforcement has arrested four suspects linked to the breach of approximately 120 000 IP cameras installed in private homes and commercial spaces — including karaoke lounges, pilates studios, and a gynecology clinic. Two of the hackers sold sexually explicit footage from the cameras through a foreign adult website. In this post, we explain what IP cameras are, and where their vulnerabilities lie. We also dive into the details of the South Korea incident and share practical advice on how to avoid becoming a target for attackers hunting for intimate video content.

How do IP cameras work?

An IP camera is a video camera connected to the internet via the Internet Protocol (IP), which lets you view its feed remotely on a smartphone or computer. Unlike traditional CCTV surveillance systems, these cameras don’t require a local surveillance hub — like you see in the movies — or even a dedicated computer to be plugged into. An IP camera streams video directly in real time to any device that connects to it over the internet. Most of today’s IP camera manufacturers also offer optional cloud storage plans, letting you access recorded footage from anywhere in the world.

In recent years, IP cameras have surged in popularity to become ubiquitous, serving a wide range of purposes — from monitoring kids and pets at home to securing warehouses, offices, short-term rental apartments (often illegally), and small businesses. Basic models can be picked up online for as little as US$25–40.

You can find a Full HD IP camera on an online marketplace for under US$25 — affordable prices have made them incredibly popular for both home and small business use

One of the defining features of IP cameras is that they’re originally designed for remote access. The camera connects to the internet and silently accepts incoming connections — ready to stream video to anyone who knows its address and has the password. And this leads to two common problems with these devices.

1. Default passwords. IP camera owners often keep the simple default usernames and passwords that come preconfigured on the device.
2. Vulnerabilities in outdated software. Software updates for cameras often require manual intervention: you need to log in to the administration interface, check for an update, and install it yourself. Many users simply skip this altogether. Worse, updates might not even exist — many camera vendors ignore security and drop support right after the sale.

What happened in South Korea?

Let’s rewind to what unfolded this fall in South Korea. Law-enforcement authorities reported a breach of roughly 120 000 IP cameras, and the arrest of four suspects in connection with the attacks. Here’s what we know about each of them.

• Suspect 1, unemployed, hacked approximately 63 000 IP cameras, producing and later selling 545 sexually explicit videos for a total of 35 million South Korean won, or just under US$24 000.
• Suspect 2, an office worker, compromised around 70 000 IP cameras and sold 648 illicit sexual videos for 18 million won (about US$12 000).
• Suspect 3, self-employed, hacked 15 000 IP cameras and created illegal content, including footage involving minors. So far, there’s no information suggesting this individual sold any material.
• Suspect 4, an office worker, appears to have breached only 136 IP cameras, and isn’t accused of producing or selling illegal content.

The astute reader may have noticed the numbers don’t quite add up — the figures above totaling well over 120 000. South Korean law enforcement hasn’t provided a clear explanation for this discrepancy. Journalists speculate that some of the devices may have been compromised by multiple attackers.

The investigation has revealed that only two of the accused actually sold the sexual content they’d stolen. However, the scale of their operation is staggering. Last year, the website hosting voyeurism and sexual exploitation content — which both perpetrators used to sell their videos — received 62% of its uploads from just these two individuals. In essence, this video enthusiast duo supplied the majority of the platform’s illegal content. It’s also been reported that three buyers of these videos were detained.

South Korean investigators were able to identify 58 specific locations of the hacked cameras. They’ve notified the victims and provided guidance on changing the passwords to secure their IP cameras. This suggests — although the investigators haven’t disclosed any details about the method of compromise — that the attackers used brute-forcing to crack the cameras’ simple passwords.

Another possibility is that the camera owners, as is often the case, simply never changed the default usernames and passwords. These default credentials are frequently widely known, so it’s entirely plausible that to gain access the attackers only needed to know the camera’s IP address and try a handful of common username and password combinations.

How to avoid becoming a victim of voyeur hackers

The takeaways from this whole South Korean dorama drama are straight from our playbook:

• Always replace the factory-set credentials with your own logins and passwords.
• Never use weak or common passwords — even for seemingly harmless accounts or gadgets. You don’t have to work at the Louvre to be a target. You never know which credentials attackers will try to crack, or where that initial breach might lead them.
• Always set unique passwords. If you reuse passwords, a single data leak from one service can put all your other accounts at risk.

These rules are universal: they apply just as much to your social media and banking accounts as they do to your robot vacuums, IP cameras, and every other smart device in your home.

To keep all those unique passwords organized without losing your mind, we strongly recommend a reliable password manager. Kaspersky Password Manager can both store all your credentials securely and generate truly random, complex, and uncrackable passwords for you. With it, you can be confident that no one will guess the passwords to your accounts or devices. Plus, it helps you generate one-time codes for two-factor authentication, save and autofill passkeys, and sync your sensitive data — not just logins and passwords, but also bank card details, documents, and even private photos — in encrypted form across all your devices.

Wondering if a hidden camera is filming you? Read more in our posts:

• Webcam stalking: fact or fiction?
• Airbnb security: tips for safe travel
• Four ways to find spy cameras
• Lumos: IoT device detection system
• IP camera security: the bad, the ugly, and the evil

Kaspersky official blog – ​Read More

Security teams face thousands of alerts every single day. Many of them don’t clearly show whether there’s a true threat behind them. Investigation slows down, analysts lose time on low-value signals, and important findings are often buried in noise. 

AI Sigma Rules change this routine. With this new capability in ANY.RUN’s Interactive Sandbox, SOC teams can not only see the source of malicious activity in the standard Sigma format but also use the generated rules across their entire environment. Every confirmed threat now actively improves how your SOC detects the next one and speeds up response. 

The Challenge: From Alert Overload to Actionable Knowledge 

Most SOCs struggle to turn threats they identify into reusable, scalable detection logic. The obstacles pile up quickly: 

• Hard to share knowledge: Insights often stay with the analyst who handled the case instead of becoming team-wide detection logic. 

• Manual rule creation: Turning attack behavior into a working rule takes time, testing, and trial-and-error. 

• Dependency on a few experts: Only senior engineers usually know how to write or adapt rules for each platform. 

• Slow improvement cycles: Even when analysts uncover something important, converting it into broader protection takes too long. 

All of this results in the same issue: SOCs fix individual incidents, but the lessons don’t consistently carry over into stronger detection coverage. 

How ANY.RUN Solves It with AI Sigma Rules 

AI Sigma Rules automate one of the slowest and most error-prone parts of detection engineering: turning real attack behavior into usable detection logic.  

Instead of manually translating sandbox findings into rules, teams receive a ready-to-review Sigma rule built directly from the recorded malicious activity. 

Each rule is generated from what actually happened during execution; the same events, processes, and fields analysts already trust during investigation. As a result, the detection logic stays closely tied to real attacker behavior, not assumptions or static indicators. 

With AI Sigma Rules, SOC teams can: 

• Understand the root cause of detections by seeing the exact events and fields that triggered them. 

• Leverage industry-standard threat descriptions for seamless integration with security workflows. 

• Deploy rules directly to SIEM, SOC, or EDR tools to strengthen defenses. 

• Accelerate incident response by reducing mean time to resolve (MTTR). 

For security leaders, this changes the value of every investigation. A confirmed detection no longer ends with a closed alert but becomes a chance to strengthen the whole infrastructure. 

How AI Sigma Rules Work 

Let’s take a closer look at how you can quickly get an actionable Sigma rule inside ANY.RUN’s Interactive Sandbox. 

1. Submit a suspicious file or URL 
Run the sample in ANY.RUN’s Interactive Sandbox to observe its behavior in real time. 

2. Wait for a detection to trigger 
As soon as malicious activity is confirmed, the sandbox highlights the event and prepares the data behind it. 

3. Open the AI Sigma Rules panel 
Inside the detection view, you’ll see a generated Sigma rule that reflects the exact logic behind the alert, including key event fields and matching conditions. 

4. Copy or export the rule for deployment 
Use it as a correlation rule, hunting query, or alert in your SIEM, EDR, or other detection layers. From there, analysts can fine-tune and activate the rule in minutes. 

This creates a short, repeatable path that lets SOCs like yours detect this malicious pattern every time it pops up. 

How AI Sigma Rules Benefit SOC Teams 

AI Sigma Rules change how SOC teams scale what they learn from real attacks. Here’s how that impact shows up in day-to-day operations:  

• Reduce MTTR: Cut the time from first detection to live rule by giving analysts a ready Sigma rule instead of a blank page. Minimize the investigation and handover time because the logic behind the alert is already clear and reviewable. 

• Increase detection coverage: Expand protection by turning every important detection into a reusable Sigma rule that can run across your SIEM, EDR, and other tools. Close more gaps, faster, with behavior-based rules tied to real attacks your team has seen. 

• Boost analyst throughput: Free analysts from low‑value rule drafting by auto generating the first version of each rule. Let them focus on validation, tuning, and decisions rather than copy paste work. Result: less routine work, fewer errors, higher decision speed. 

• Strengthen MSSP offerings: Scale one investigation into protection for many tenants by reusing the same Sigma rules. Show customers and auditors clear, transparent logic that proves how your SOC turns incidents into durable detections. 

• Raise Enterprise SOC maturity: Unify detection language across Tier 1, 2, and 3 with a shared Sigma format. Make it easier to share rules, onboard new analysts, and review what really protects the business, not just what generated tickets. 

Try AI Sigma Rules in Your SOC 

AI Sigma Rules are now part of the ANY.RUN Sandbox Enterprise plan, giving teams a faster way to turn real threats into live detection logic. 

Want to see how much time it can save your analysts?  

Request a demo and walk through the workflow with our experts. 

Conclusion 

With AI Sigma Rules, SOCs no longer lose valuable insights to case notes or fragmented tooling. Every confirmed threat becomes an opportunity to strengthen the entire detection stack. As attackers evolve and environments grow more complex, this ability to turn daily investigations into continuous improvement becomes a real advantage. ANY.RUN brings that capability directly into the analyst workflow, making better detection not just possible, but repeatable. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and make more confident decisions. Used by over 15,000 organizations and 500,000 analystsworldwide, the service combines real-time sandbox analysis with actionable threat intelligence to support daily SOC operations. 

With features like interactive malware execution, automated detections, threat intelligence lookup, and now AI Sigma Rules, ANY.RUN enables teams to move from investigation to prevention with greater speed and clarity. It supports Windows, Linux, and Android environments and integrates seamlessly into modern security stacks. 

The post AI Sigma Rules: Scale Threat Detection, Drive Down MTTR  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

News outlets recently reported that a threat actor was spreading an infostealer through free 3D model files for the Blender software. This is troubling enough on its own, but it highlights an even more serious problem: the business threat posed by free open source programs, uncontrolled by corporate infosec teams. And the danger comes not from vulnerabilities in the software, but from its very own standard features.

Why Blender and 3D model marketplaces pose a risk

Blender is a 3D graphics and animation suite used by visualization professionals across various industries. The software is free and open-source, and offers extensive functionality. Among Blender’s capabilities is support for executing Python scripts, which are used to automate tasks and add new features.

The package allows users to import external files from specialized marketplaces like CGTrader or Sketchfab. These platforms host both paid and free 3D models by artists and studios. Any of these model files potentially contain Python scripts.

This creates a concerning scenario: marketplaces where files can be uploaded by any user and may not be scanned for malicious content, combined with software that has an Auto Run Python Scripts feature. It allows files to automatically execute embedded Python scripts immediately upon opening — essentially running arbitrary code on the user’s computer in unattended mode.

How the StealC V2 infostealer spread via Blender files

The attackers posted free 3D models with the .blend file name extension on the popular CGTrader platform. These files contained a malicious Python script. If the user had the Auto Run Python Scripts feature enabled, downloading and opening the file in Blender triggered the script. It then established a connection to a remote server and downloaded a malware loader from the Cloudflare Workers domain.

The loader executed a PowerShell script, which in turn downloaded additional malicious payloads from the attackers’ servers. Ultimately, the victim’s computer was infected with the StealC infostealer, enabling the attackers to:

• Extract data from over 23 browsers.
• Harvest information from more than 100 browser extensions and 15 crypto wallet applications.
• Steal data from Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and email clients like Thunderbird.
• Use a User Account Control (UAC) bypass.

The danger of unmonitored work tools

The problem isn’t Blender itself — threat actors will inevitably try to exploit automation features in any popular software. Most end-users don’t consider the risks of enabling common automation features, nor do they typically dive deep into how these features work or how they could be exploited.

The core issue is that security teams aren’t always familiar with the capabilities of specialized tools used by various departments. They simply don’t account for this vector in their threat models.

How to avoid becoming a victim

If your company uses Blender, the first step is to disable the automatic execution of Python scripts (Auto Run Python Scripts feature). Here’s how to do it according to official documentation.

How to disable the automatic execution of Python scripts in Blender. Source

Furthermore, to prevent the sudden spread of threats via work tools, we recommend that corporate security teams:

• Prohibit the use of tools and extensions that haven’t been approved by the security team.
• Thoroughly vet permitted software, and assess risks before implementing any new services or platforms.
• Regularly train employees to recognize the risks associated with installing unknown software and using dangerous features. You can automate security awareness training with the Kaspersky Automated Security Awareness Platform.
• Enforce the use of secure configurations for all work tools.
• Protect all company-issued devices with modern security solutions.

Kaspersky official blog – ​Read More

Cyble Vulnerability Intelligence researchers tracked 591 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 69 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 26 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the more critical IT and ICS vulnerabilities flagged by Cyble in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60854 is a critical command injection vulnerability found in the D-Link R15 (AX1500) router firmware 1.20.01 and below. The flaw has a severity score of 9.8 and requires no authentication or user interaction to exploit, making it highly dangerous for affected systems. 

CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in the last week: 

CVE-2025-55182 is a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability has been reportedly targeted by China-linked threat groups. 

CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR that was targeted in recent attacks by the pro-Russian hacktivist group TwoNet on a honeypot simulating a water treatment facility, where the threat actors used default credentials for initial access, exploited the flaw to deface the HMI login page, and disabled logs and alarms in a little more than a day. 

Five days after adding CVE-2021-26829 to the KEV catalog, CISA added CVE-2021-26828, a high-severity Unrestricted Upload of File with Dangerous Type vulnerability affecting OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows. The flaw could allow remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. 

CISA also added two Android vulnerabilities to the KEV catalog, both high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Neither vulnerability has been added to the National Vulnerability Database (NVD) yet. 

Notable vulnerabilities discussed in open-source communities included: 

CVE-2025-13223, a type confusion vulnerability in Google Chrome‘s V8 JavaScript and WebAssembly engine, allowing remote attackers to exploit heap corruption via a crafted HTML page, potentially leading to arbitrary code execution. 

CVE-2025-11001,  a directory traversal remote code execution vulnerability in 7-Zip, stemming from improper handling of symbolic links in ZIP files, potentially allowing attackers to escape extraction directories and execute arbitrary code in the context of a service account upon user interaction with crafted archives.  

CVE-2025-58034, an OS command injection vulnerability in Fortinet FortiWeb web application firewalls. 

CVE-2025-41115, a critical privilege escalation and user impersonation vulnerability in Grafana Enterprise’s SCIM provisioning feature, which could allow attackers to create accounts impersonating privileged users, modify dashboards, access databases, alter alerts, and pivot to connected systems. 

CVE-2025-59366, a critical authentication bypass vulnerability in ASUS AiCloud routers, potentially allowing unauthorized execution of specific router functions via path traversal and OS command injection. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed multiple threat actors (TA) on dark web and cybercrime forums discussing various exploits and weaponizing multiple vulnerabilities, including: 

CVE-2025-60709: A Windows Common Log File System (CLFS) Driver elevation of privilege vulnerability that could allow an authorized attacker to elevate privileges locally through an out-of-bounds read flaw. The specific flaw exists within the clfs.sys driver and results from improper validation of user-supplied data, which can lead to a read past the end of an allocated memory region.  

Local attackers can disclose sensitive information on affected Microsoft Windows installations and potentially exploit this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel, resulting in privilege escalation. 

CVE-2025-5931: A high-severity privilege escalation vulnerability in the Dokan Pro WordPress plugin, which stems from improper user identity validation during the staff password reset procedure, allowing attackers with vendor-level access to escalate their privileges to staff member level and then change arbitrary user passwords, including those of administrators, potentially leading to a full account takeover. 

CVE-2025-64446: A critical unauthenticated path traversal vulnerability in Fortinet FortiWeb WAF that could allow full administrative compromise of affected appliances via crafted HTTP(S) requests. The flaw is a relative path traversal (sometimes called “path confusion”) issue in the FortiWeb GUI / management API that could let an attacker reach an internal CGI handler and execute privileged operations without valid credentials. In practice, this becomes an authentication bypass that enables remote admin‑level control and, effectively, remote code execution on the WAF. 

ICS Vulnerabilities 

In addition to the OpenPLC ScadaBR vulnerabilities noted by CISA, Cyble threat intelligence researchers flagged four additional industrial control system (ICS) vulnerabilities in recent reports to clients. 

CVE-2024-3871 is a critical Stack-Based Buffer Overflow vulnerability affecting Emerson Appleton UPSMON-PRO, versions 2.6 and prior. Successful exploitation of the vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO. 

CVE-2025-13483 is a Missing Authentication for Critical Function vulnerability affecting SiRcom SMART Alert (SiSA), version 3.0.48. Successful exploitation of the vulnerability could enable an attacker to remotely activate or manipulate emergency sirens. 

CVE-2025-13658 is a Command Injection vulnerability affecting Longwatch versions 6.309 to 6.334. Successful exploitation could allow an unauthenticated attacker to gain remote code execution with elevated privileges. 

CVE-2025-13510 is a Missing Authentication for Critical Function vulnerability affecting Iskra iHUB and iHUB Lite, all versions. Successful exploitation could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials. 

Conclusion 

The wide range of critical and exploited vulnerabilities in this week’s report highlights the breadth of threats faced by security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

The post The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes appeared first on Cyble.

Cyble – ​Read More