Incident Overview

A threat actor using the handle CVDEAD has shared a curated dataset of 26,500 publicly accessible IoT devices and 3,000 RTSP camera streams located within Saudi Arabia's infrastructure. The dataset is being offered as a free download, and the actor explicitly encourages using the exposed devices as DDoS botnet soldiers or as proxies for anonymized traffic routing.

The listed device types span a wide range of IoT infrastructure including medical devices, routers, camera streaming systems, local servers, ACME services, sensors, and administration interfaces. The actor notes that most of these devices expose their video streams via RTSP (both protected and unprotected) and are vulnerable due to the use of unsecured protocols. The inclusion of medical devices in the list is particularly concerning, as compromised medical IoT could have real-world safety implications.

A sample was posted in the listing showing what appears to be structured data with IP addresses, ports, and device information. The dataset appears to be the result of active scanning and enumeration of Saudi Arabian IP ranges, compiled into an actionable target list for exploitation.