Risky Bulletin: Iranian hackers are scanning for security cameras to aid missile strikes

Written by

Catalin Cimpanu

News Editor

This newsletter is brought to you by Okta.  You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.

A sudden spike in scanning activity for internet-exposed security cameras has been recorded in Israel and countries across the Middle East. The activity has been traced back to a hacking group with ties to the Iranian government.

The scans spiked on Monday, when Iran launched missile and drone strikes in response to an Israeli and US military operation that bombed and killed its political leadership over the weekend.

Security firm Check Point says the scans targeted Hikvision and Dahua security cameras and included attempts to exploit old vulnerabilities. Scans targeted Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus, the exact same countries where Iran carried out kinetic strikes.

Experts believe the camera hacks were meant to gain access to street level imagery across desired targeting areas, assess impact damage, and collect evidence of a successful attack to use in military reports and propaganda videos.

There was also a similar spike in camera scanning in mid-January, during the anti-government protests in Iran, when the regime was first expecting the Israeli and US attack to happen.

The idea of hacking cameras in "enemy" territory is not novel and similar tactics have now been used across several recent military engagements, which likely means it is here to stay as a permanent battlefield tactic—unless real advances are made in securing these products, which I do not expect.

Iranian hackers also hacked cameras during the Twelve-Day War in June of last year, when the US and Israel bombed Iranian targets and its nuclear program facilities. Hackers took over cameras in Israel to record footage of strikes and assess impact before the conflict died out.

Before that, Israel's cybersecurity agency also warned citizens to secure their security cameras in October 2023, a week after the October 7 terrorist attack. At the time, Hamas-linked hackers were breaching Israeli security cameras in the same way—to assess the accuracy of their missiles and then publish the footage of successful hits on social media.

But camera hacking saw its peak during Russia's invasion of Ukraine. For four years now, Russian cyber units have been hacking security cameras in Ukraine for the exact same reasons—reconnaisance to detect exact location of targets and then assess impact damage and decide if follow up strikes are needed.

Ukraine's security service reported cases where Russian hackers changed camera angles to get the best view and then connected the camera's stream to YouTube for easier viewing.

Russian cyber units also hacked security cameras across Europe, this time to spy on logistic routes and see what kind of military equipment Ukrainian troops were getting from their allies.

Both Israel and Ukraine have been telling citizens for years to secure their cameras by updating their firmware, using strong passwords, or just turning them off just to be on the safe side.

Iran itself has learned this exact same lesson the hard way.

According to the Financial Times, Israel had hacked cameras across its capital Tehran and collected streams in a data center for years. It then analyzed the data to identify centers of intelligence and create daily patterns for high-value targets.

This information was used over the weekend to track down the location of Iran's leadership and carry out precision strikes that ended up killing over 50 high-ranking officials, including Iranian leader Ali Khamenei.

Security cameras and smart IoT devices have long been the butt of many infosec jokes about the sorry state of their firmware and overall security. As things are slowly shaping up, that insecurity is now turning into a real national security risk, something that many governments may not be willing to put up to going forward.

Regulatory and commercial crackdowns against some of the garbage that passes as security cameras should follow, at least if you're a respectable government that's actually paying attention to what's happening in the real world these days.

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat and Adam at the helm!

Breaches, hacks, and security incidents

YGG torrent portal hacked, data leaked: Hackers have breached and leaked the data of French torrent portal YGG. The leaked data includes the site's source code, databases, server configs and passwords, and 6.6 million user records. The hackers said they attacked the site after its admins rolled out a paid mode that limited free users to five torrents per day. They also accused the site for storing card details for 54,000 users and launching DDoS attacks against rival torrent sites.

AkzoNobel ransomware attack: Dutch paint company AkzoNobel AkzoNobel has been hit by the Anubis ransomware crew. The incident impacted the company's US operations. [BleepinComputer]

Ngong Ping 360 got hacked and is getting extorted: A threat actor has breached and is extorting the company that runs the cable car ride service across Hong Kong. Hackers are demanding a ransom from Ngong Ping 360, threatening to release internal files and customer data. The company said the hack didn't impact the safety of its cable car service. [On.cc] [h/t Valéry Rieß-Marchive]

HungerRush hacked and extorted: Hackers have breached and are extorting HungerRush, a PoS platform for small restaurants. The attackers sent emails to HungerRush customers threatening to release their personal data if HungerRush doesn't pay. The entry point for the hack is believed to be a compromised employee account. The company confirmed the hack and said that no card data was exposed. [BleepingComputer]

General tech and privacy

TikTok won't roll out encrypted DMs: TikTok will not introduce encrypted private messaging. The company told the BBC that encrypted DMs will make its users less secure because it wouldn't be able to scan messages for malicious content. Platforms such as Facebook, Instagram, Messenger, and Telegram have introduced encrypted DMs and are now facing pressure from authorities.

Microsoft tries to ban a naughty word: Microsoft banned users from using the word Microslop in the official Copilot Discord channel, to the point it had to lock the channel due to the intense backlash. Good luck with your Streisand effect, Microslop! [Windows Latest] [h/t Kevin Beaumont]

Firefox right-click menu customization: Joshua Rogers has published a good tutorial on how to customize your Firefox right-click menu and remove all the bloat you don't like.

Google rolls out Play Store changes: Google is not waiting for its settlement with Epic Games to go through the courts and has already announced a plan to reduce Play Store fees, which will go down to 20% and gradually lower, compared to the 30% fees app developers have to deal with today.

Government, politics, and policy

US federal agencies are dumping Anthropic: Multiple US federal agencies have stopped using Anthropic AI agents after the company was declared a supply chain risk by the Pentagon. The US State Department, Health and Human Services, and the General Services Administration stopped using it earlier in the week. NASA, the OPM, the US Treasury, and the International Trade Administration also stopped using it and are also searching for alternatives. Defence contractors are also expected to drop the tool to avoid repercussions. The Pentagon added Anthropic to its supply chain risk list after the company didn't want its Claude AI to be used for domestic surveillance and autonomous weapons. [FedScoop]

Plankey leaves Coast Guard role: Sean Plankey is leaving his role as advisor for the US Coast Guard, but he will still remain the White House's nominee for the role of CISA Director. [NextGov]

CISA CIO leaves: CISA chief information officer Robert Costello has left the agency after five years on the job. He is also leaving government service after 18 years at the DHS. CISA leadership had been trying to oust Costello from his role for several weeks. He received a forced reassignment order to another agency last week. [CyberScoop]

GAO asked to investigate TEMPEST attacks: Two US lawmakers have asked GAO to investigate if US networks and equipment is still vulnerable to side-channel leaks and attacks like TEMPEST. [WIRED // PDF letter]

Mexico mandates SIM registration to real IDs: All Mexican citizens must register their SIM cards and associate it with a government ID by the end of June. The new requirement applies to subscription, prepay, and eSIMs alike. It also applies to foreigners using Mexican SIMs. SIM cards must be associated with a valid passport, ID, or CURP number. [Mexperience] [h/t Deus4mir4]

China's new five-year plan focuses on AI: The Chinese government has published the country's next five-year plan, which has AI, chips, space, nuclear, and quantum technologies at its center. [Reuters]

Israel bombs Iran's cyber headquarters: Israel's army claims it bombed Iran's Cyber and Electronic Warfare headquarters in its capital Tehran. The building was one of ten major targets hit in an operation by the IDF on Wednesday. Iranian state media has not confirmed the attacks. [Politico]

Iran threatens to arrest people who connect to the internet: Iranian authorities have threatened to arrest citizens who connect to the internet in defiance to a communications blackout imposed by the state. Iranian police sent SMS warnings to all citizens earlier this week. The government shut down the country's external internet connections on Saturday after Israel and the US began a bombing campaign that killed multiple high-ranking officials. Some Iranians are still going online using Starlink dishes smuggled into the country. [France 24]

Sponsor section

In this Risky Business sponsor interview, Casey Ellis chats to Harish Peri, SVP and general manager for AI security at Okta, a cloud-based identity and access management company. The pair chat about the fact that AI is forcing enterprises to relearn the basics around identity security, and how Okta for AI Agents can help.

Arrests, cybercrime, and threat intel

LeakBase takedown: US and European law enforcement have seized and taken down the LeakBase hacking forum. The site launched in 2021 and specialized in the sale of credentials stolen via infostealers. It was available for English-speaking users and had more than 142,000 registered members. Authorities raided more than 100 locations worldwide and arrested 13 suspects. [Europol // Dutch Police // US DOJ]

Tycoon 2FA takedown: Law enforcement agencies and multiple cybersecurity firms have disrupted the activity of the Tycoon 2FA phishing service. The operation took control of more than 330 domains powering Tycoon's platform. The service launched in 2023 and was allowing threat actors to easily build and deploy phishing pages impersonating various online services. Tycoon was one of the first phishing platforms that successfully automated the process of intercepting multi-factor authentication codes. Proofpoint says Tycoon was the most active MFA-capable phishing toolkit in its telemetry. [Europol // Ukraine Cyber Police // Microsoft // Proofpoint // Cloudflare // Trend Micro // Intel471]

Taiwan indicts scammers: Taiwan has indicted 62 suspects for their involvement in cyber scam operations. The suspects ran 13 companies associated with the Prince Group, a major cyber scam compound operator in Cambodia. The suspects stand accused of laundering close to $340 million in stolen assets. The US and the UK have imposed sanctions on the Prince Group and its founder Chen Zhi. Zhi was arrested in Cambodia and extradited to China last month. [The Record]

Phobos admin pleads guilty: A Russian national has pleaded guilty in the US for running the Phobos ransomware operation. Evgenii Ptitsyn was known online under the aliases of "derxan" and "zimmermanx." He built and advertised the Phobos ransomware platform and is estimated to have made more than $39 million from ransoms. He was arrested and extradited from South Korea in November of 2024. Ptitsyn faces a maximum penalty of 20 years in prison for wire fraud.

Malvertising surpasses email delivery: Online ads surpassed email as the main malware delivery method last year. Malicious ads accounted for 60% of all observed malware campaigns. According to The Media Trust, AI has played a major role due to the ease of generating deepfake ads and for precision-targeting the most vulnerable consumers. [Business Insider]

Malicious PHP packages: Socket Security has found three malicious PHP packages on the Packagist repo that deploy a remote access trojan inside compromised projects.

Malicious Chromium extension steals chatbot history: Several security firms have spotted this already, but now Microsoft's security team has also found a Chrome/Chromium extension posing as an AI tool but stealing prompt histories from public AI chat platforms like ChatGPT and DeepSeek.

Major n8n exposure: More than 100,000 n8n AI automation servers are exposed online and lacking a critical security patch. A vulnerability (CVE-2026-27495) disclosed last week can allow attackers to escape the server's sandbox. In the default config, this can allow "full compromise of the n8n host."

Qilin was the 2025 ransomware king: The Qilin ransomware group was the most active ransomware operation last year, accounting for 13% of all attacks. Overall, ransomware attacks saw a 50% increase over the previous year, reaching a new all-time high. According to the NCC Group's yearly threat report, North America remained the top target. Law enforcement operations were successful in temporarily disrupting threat actor activity, but groups would often resume operations under new platforms or names.

LastPass warning: LastPass has warned customers about a phishing campaign that started this month that is impersonating its tech support staff to steal master passwords.

Iran war hacktivist activity: Radware and Sophos look at the hacktivist activity that's emanating right now from the US-Israel-Iran military conflict. It's not particularly original or of notice. As of now, 12 groups have made claims of 149 alleged attacks in support of the three sides.

KodexGlobal accounts for sale: A threat actor is selling access to law enforcement accounts on KodexGlobal. The platform is used by law enforcement to submit subpoenas and emergency data requests to tech companies. The accounts are being sold for $2,000. These accounts are typically used to retrieve extremely sensitive data about targets to be used for doxing, phishing, or social engineering.

Malware technical reports

OCRFix botnet: The Derp research team looks at new OCRFix botnet samples that hide their C&C servers on the BNB blockchain.

BoryptGrab: Trend Micro has discovered a new infostealer named BoryptGrab. The malware is distributed through a large number of public Github repositories that purport to offer software tools for free.

Sponsor section

In this sponsored product demo, Okta's Harish Chakravarthy and Brett Winterford walk through four new features Okta introduced in the wake of the emergence of modern attacker techniques targeting identity providers. These features will help you to prevent or limit the damage to your environment if an attacker manages to compromise a session token. If you're an Okta shop, you should absolutely watch this video.

APTs, cyber-espionage, and info-ops

Dust Specter APT targets Iraq: Zscaler says a suspected Iranian APT named Dust Specter is targeting Iraqi government officials with new malware such as SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.

Seedworm: Iranian APT group Seedworm has been spotted active again. According to Broadcom, the group was spotted inside a US bank, airport, non-profit, and the Israeli branch of a US software company.

MuddyWater: The Ctrl-Alt-Intel team has dumped the content of misconfigured command and control servers linked to the MuddyWater Iranian APT, aka Static Kitten, Mango Sandstorm, Earth Vetala, Seedworm, and TA450. Open directories rock!

UAT-9244 (Famous Sparrow): A suspected Chinese APT group has breached telco infrastructure all over South America. The group is known as UAT-9244 and Famous Sparrow. Recent attacks employed new malware strains, such as the BruteEntry brute-forcing tool, the new TernDoor Windows backdoor, and the PeerTime P2P Linux backdoor.

Confucius: Qihoo 360 looks at new campaigns from the Confucius APT. The campaign targeted multiple Southeast Asian countries with a Python-based backdoor named AnonDoor.

Doppelgänger/RRN: The DomainTools security team has published a comprehensive report on the current 2026 infrastructure of Russian disinformation group Doppelgänger (aka RRN) and their latest operational priorities.

Vulnerabilities, security research, and bug bounty

90 zero-days exploited last year: Threat actors exploited 90 different zero-day vulnerabilities last year, according to data gathered by Google's Mandiant division. Half of the zero-days impacted desktop operating systems (27%) and edge networking devices (23%). A third of the zero-days were abused by state-sponsored groups while another third was linked to commercial surveillance vendors.

VMware Aria exploitation: Threat actors are exploiting a recently-patched vulnerability in VMware Aria Operations servers. Tracked as CVE-2026-22719, the vulnerability allows unauth remote code execution attacks via a command injection vector. The issue was patched on February 24 before being marked by CISA as exploited in the wild this week.

Cisco SD-WAN exploitation: Cisco says two new SD-WAN vulnerabilities are now being exploited in the wild—CVE-2026-20128 and CVE-2026-20122. The company patched a zero-day last week, and these seem to be exploited together with that one (CVE-2026-20127).

Junos bug write-up: WatchTowr has published a technical analysis of CVE-2026-21902, an unauth RCE in Junos OS, the OS running on Juniper devices. This only impacts the PTX Series.

Cisco security updates: Cisco has released 27 security advisories for its products, including two bugs with a 10/10 severity score in its Secure Firewall Management Center (FMC) software.

IPVanish VPN macOS EoP: SecureLayer7 has found a privilege escalation bug in the macOS client of the IPVanish VPN.

Avira bugs: Security firm Quarkslab has published public details about three vulnerabilities in the Avira antivirus. The company released details without a patch after Gen Digital tried to force researchers into reporting the bugs via Bugcrowd and agreeing to an NDA. The bugs can allow attackers to delete local files and elevate privileges. Proof of concept code was also released.

FreeScout RCE: OX Research have found a bypass of an older patch that can re-enable RCE attacks on the email servers of FreeScout help desk platforms.

MAX app ignores VPN, records real IP: Russia's national messenger app ignores VPN setups and logs a user's real IP address, according to recent findings of the Russian IT community. Enjoy their last posts online! They're being deported to the Gulag as we speak for criticizing the app! /s

Researchers crack Utah's prescription refill AI bot: Security researchers have jailbroken the AI chatbot running the state of Utah's prescription refill service. Mindgard researchers were able to make the Doctronic service spew COVID-19 conspiracies or suggest illegal drugs as treatment. The bot could also be tricked into modifying dosages to dangerous levels.

Infosec industry 

Threat/trend reports: AppHarbr [PDF], Cobalt, Google, Kaspersky, NCC Group, NFCERT [PDF], and The Media Trust have recently published reports and summaries covering various threats and infosec industry trends.

BlueHat IL postponed: Due to ongoing US-Israel-Iran military conflict, Microsoft has postponed its BlueHat Israel security conference, initially scheduled for next week.

New tool—MESH: The BARGHEST non-profit has released MESH, a mobile forensics tool that works over an encrypted, censorship-resistant peer-to-peer mesh network using ADB Wireless Debugging connections.

Risky Business podcasts

In this edition of Seriously Risky Business, Tom Uren and Amberleigh Jack talk about how cyber operations were used in the first hours of the US-Israeli attack on Iran. They were instrumental in the attack on Iranian Supreme Leader Ali Khamenei, but they didn't last long. The Iranian regime implemented an internet blackout within four hours of the first bombs.

In this edition of Between Two Nerds, Tom Uren and The Grugq how the use of cyber operations in the war in Ukraine has evolved over time.