How attackers use connected cameras and shadow IoT devices to compromise enterprises 

Security teams often assume that if EDR is working, they’re covered. But attackers know better — and increasingly, they’re bypassing protections entirely by hijacking what no one’s watching. 

In March 2025, the Akira ransomware group found a novel way to sidestep the defenses of a victim organization. After their ransomware payload was blocked by EDR tools on Windows machines, they turned to a less-guarded route: a Linux-based webcam. Exploiting remote shell access, Akira mounted the victim’s Windows network shares from the webcam and encrypted files across the network. 

This breach highlights a sobering reality: EDR did exactly what it was designed to do — detect and stop malicious activity on supported endpoints. But these tools can only protect what they can see. Countless connected devices that can’t run agents, from Linux-based systems to IoT and OT assets, fall outside the scope of traditional endpoint protection. 

Equally alarming, these devices don’t just let attackers in — they can also let them reach out. Agentless assets can initiate outbound traffic to attacker-controlled infrastructure without triggering a single alert. In an incident that was recently reported on, a pharmacist at a major U.S. hospital exploited surveillance devices and deployed keyloggers to spy on and compromise more than 80 coworkers. 

But cameras are just the beginning. From smart displays to badge readers, printers, HVAC controllers, and forgotten workstations, many “agentless” or unmanaged devices operate quietly outside the view of IT and security teams.  

These devices are attractive to attackers for several reasons: 

  • Always on, making them persistent entry points 
  • Widely deployed across facilities and remote sites 
  • Outside IT’s control, often deployed and managed by third-party vendors or non-technical teams 
  • Inherently insecure, plagued by outdated firmware and default credentials 
  • Fully networked, typically without segmentation or isolation 

In short, they’re everywhere, often unmonitored, and connected in ways that create ideal conditions for compromise. 

Outbound Traffic: Why unmonitored communications create blind spots and exposure risks 

The pharmacist breach didn’t hinge on a sophisticated exploit or ransomware payload — it exploited unnoticed outbound traffic. Surveillance devices and hundreds of hospital computers were quietly used to spy on coworkers and exfiltrate data, without raising alarms. It’s a striking example of a broader issue: what happens when devices are allowed to communicate externally without oversight. 

Most organizations don’t monitor what these devices do once they’re online. Outbound traffic from agentless devices rarely receives the same scrutiny as traditional endpoints. That’s a huge problem when devices connect to suspicious or untrusted infrastructure — especially given growing concerns around supply chain security. 

Behavioral anomalies, like a connected camera communicating directly with a user’s laptop or making outbound connections to a foreign IP, can persist undetected for weeks or even months. In the Akira case, attackers exploited a weakly monitored webcam to encrypt files across the network. It wasn’t just an unresolved risk — it was an open door. 

When attackers or insiders use these assets as covert control points, they can maintain persistence, exfiltrate data, or even deploy new tools to expand access — often without being noticed until it’s too late. 

Insecure by design: How weak controls leave devices, and your network, exposed 

While connected cameras often make headlines, they’re just one example of a broader issue. Many agentless and unmanaged devices ship with default credentials, outdated firmware, or insecure configurations — making them soft targets. And because IT often lacks visibility into details like model, OS, or even location, these devices frequently fall through the cracks. 

Key gaps that increase exposure include: 

  • Default or weak credentials that are rarely updated 
  • Lack of firmware patching, often due to unclear ownership 
  • No visibility into device metadata, such as OS or model 
  • Exclusion from vulnerability and risk assessment tools 

These issues aren’t theoretical. In the Akira ransomware attack, attackers pivoted to a webcam after EDR blocked their Windows-based payload. Similarly, the Verkada breach a few years back exposed more than 150,000 internet-connected cameras due to shared administrative credentials.  

More recently, an ABC News report revealed that Chinese-made cameras may have been used to spy on U.S. infrastructure, highlighting the growing national security risks tied to supply chain vulnerabilities. 

Unseen, unmanaged, and fully connected: How these devices pollute your network 

It’s not just the weakness of the devices themselves — it’s how they’re connected. Agentless devices are often installed by departments or contractors without IT’s involvement. That means they bypass onboarding and operate outside normal controls. 

Once deployed, they silently blend into the environment, often on the same network segments as mission-critical systems. That gives attackers a straight path for lateral movement. 

Common security gaps with connected, unmanaged devices include: 

  • No authentication requirements, making rogue devices easy to add 
  • Unsegmented networks, where IoT and critical systems coexist 
  • Risky protocols like RDP, SSH, or Telnet in active use 

In the case of the pharmacist breach, surveillance devices were not only exploited to exfiltrate data — they were also embedded in the same environment as hospital systems, highlighting how easily unmanaged devices can become conduits for insider abuse or external compromise. 

What good looks like: A holistic approach to agentless risk 

It’s not enough to secure the most obvious devices, like cameras, while letting others remain unmanaged and unmonitored. A strong defense requires full-spectrum visibility and control over every connected device, no matter who installed it or whether it supports agents. 

That means shifting from reactive cleanup to proactive hygiene, spanning device discovery, accurate profiling and contextualization, behavioral monitoring, installed software discovery, and exposure prioritization — so that you can take swift remediation and segmentation actions. Here’s how leading organizations are tackling the challenge. 

1. Inventory all assets — not just the ones you know about 

Start by identifying every device, whether it’s a workstation, IP phone, security camera, smart display, or HVAC controller. This includes third-party or department-owned devices that often fly under IT’s radar. 

Key steps: 

  • Discover all connected assets across all sites 
  • Collect metadata like model, OS, firmware, business group, install date, and physical location 
  • Flag unknown, unauthorized, or unmanaged devices for investigation 

2. Understand what’s running and how it’s used 

Attackers and insiders alike exploit not just devices, but what’s running on them. From credential harvesters to remote desktop tools, the application footprint matters. 

Focus on: 

  • Identifying suspicious applications or tools (e.g., keyloggers) 
  • Monitoring how users interact with specific devices, especially those outside IT’s control 

3. Monitor behavior and flag the abnormal 

Agentless devices generate traffic too — and that traffic reveals intent. Whether it’s outbound communication to untrusted IPs or unusual peer-to-peer activity, spotting the outliers requires a behavioral baseline. 

Make sure to: 

  • Build traffic baselines for each device: destinations, timing, protocol usage 
  • Visualize internal and external communication flows 
  • Detect risky behavior such as SSH access, lateral movement, or unexpected SMB traffic 
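As an added example (not part of the original article or any ORDR product), the following Python script shows what steps 1 and 3 look like in code: a small constructed asset inventory supplies device context, a learning window of flow records builds a per-device baseline of destinations and volumes, and a detection window is checked against it. All addresses, device names, flow records and the 10× volume threshold are constructed for the example; the risky-port list is taken from the article (SSH, Telnet, RDP, SMB). Timing baselines are left out to keep the block short.

```python
"""Behavioral baseline and anomaly flagging for agentless device traffic.

Learns, per source device, which (destination, port) pairs and which
byte volumes are normal during a learning window, then flags flows that
deviate: risky protocols (SSH/Telnet/SMB/RDP), never-before-seen internal
peers, new external destinations, and volume spikes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed asset inventory, standing in for the output of step 1.
# Names, addresses and types are invented for this example.
INVENTORY = {
    "10.20.5.41": {"name": "lobby-cam-01", "type": "ip-camera", "managed": False},
    "10.20.5.10": {"name": "nvr-01", "type": "video-recorder", "managed": True},
    "10.20.7.55": {"name": "fileserver-01", "type": "file-server", "managed": True},
    "10.20.9.23": {"name": "jsmith-laptop", "type": "workstation", "managed": True},
}

# Protocols the article lists as risky when seen from an unmanaged device.
RISKY_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

# RFC 1918 ranges define "internal"; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str          # ISO-8601 timestamp (kept for reporting; not used in detection)
    src: str         # device that initiated the connection
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent by src


@dataclass
class Baseline:
    peers: Set[Tuple[str, int]] = field(default_factory=set)  # (dst, dport) seen while learning
    max_bytes: int = 0                                         # largest single-flow volume seen


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baselines(flows: List[Flow]) -> Dict[str, Baseline]:
    """Step 3, 'build traffic baselines for each device': record destinations and volumes."""
    baselines: Dict[str, Baseline] = {}
    for f in flows:
        b = baselines.setdefault(f.src, Baseline())
        b.peers.add((f.dst, f.dport))
        b.max_bytes = max(b.max_bytes, f.bytes_out)
    return baselines


def evaluate(flow: Flow, baselines: Dict[str, Baseline], volume_factor: int = 10) -> List[str]:
    """Return finding labels for one flow; an empty list means it matches the baseline."""
    b = baselines.get(flow.src)
    if b is None:
        # A device with no learned behavior at all is probably missing from discovery.
        return ["no-baseline"]
    findings: List[str] = []
    if flow.dport in RISKY_PORTS:
        findings.append(f"risky-protocol:{RISKY_PORTS[flow.dport]}")
    if (flow.dst, flow.dport) not in b.peers:
        if is_internal(flow.dst):
            peer = INVENTORY.get(flow.dst, {}).get("name", flow.dst)
            findings.append(f"new-internal-peer:{peer}")              # candidate lateral movement
        else:
            findings.append(f"new-external-destination:{flow.dst}")   # candidate C2 / exfiltration
    if b.max_bytes and flow.bytes_out > volume_factor * b.max_bytes:
        findings.append("volume-spike")
    return findings


def scan(flows: List[Flow], baselines: Dict[str, Baseline]) -> List[Tuple[Flow, List[str]]]:
    """Evaluate a detection window; keep only flows that produced findings."""
    return [(f, evaluate(f, baselines)) for f in flows if evaluate(f, baselines)]


# Constructed learning window: ordinary camera traffic (RTSP to the NVR, NTP out).
LEARNING = [
    Flow("2025-03-01T00:00:00Z", "10.20.5.41", "10.20.5.10", 554, 48_000),
    Flow("2025-03-01T00:05:00Z", "10.20.5.41", "192.0.2.20", 123, 96),
    Flow("2025-03-02T00:00:00Z", "10.20.5.41", "10.20.5.10", 554, 52_000),
]

# Constructed detection window: one normal flow and three that mirror the article's scenarios.
DETECTION = [
    Flow("2025-03-09T00:00:00Z", "10.20.5.41", "10.20.5.10", 554, 50_000),       # normal RTSP
    Flow("2025-03-09T02:10:00Z", "10.20.5.41", "10.20.7.55", 445, 4_000),        # camera reaching a file share
    Flow("2025-03-09T02:12:00Z", "10.20.5.41", "10.20.9.23", 22, 1_200),         # camera talking to a laptop
    Flow("2025-03-09T03:00:00Z", "10.20.5.41", "198.51.100.7", 443, 9_000_000),  # bulk upload to unknown host
]

if __name__ == "__main__":
    for flow, findings in scan(DETECTION, build_baselines(LEARNING)):
        name = INVENTORY.get(flow.src, {}).get("name", flow.src)
        print(f"{flow.ts} {name} -> {flow.dst}:{flow.dport} {', '.join(findings)}")
```

Running the block prints the three anomalous flows with their labels; the normal RTSP flow produces none. In a real deployment the learning window would come from a network sensor's flow export and the inventory from the discovery step, and a "new-internal-peer" hit against a file server or workstation from a camera is exactly the pattern the Akira case describes.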

4. Close gaps in credentials and patching 

Even when a device is visible, it may still be vulnerable. Default passwords and outdated firmware are two of the most common (and preventable) weaknesses. 

Best practices include: 

  • Regular monitoring for outdated OS or firmware versions 
  • Identifying and remediating weak, reused, or default credentials 
  • Prioritizing remediation based on device criticality and exposure level 
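The three practices under step 4, as an added Python example that is not part of the original article or any vendor tool: it flags devices still on a known default credential, detects the same credential reused across devices (the Verkada pattern mentioned above), compares reported firmware against a minimum version, and ranks the results by criticality and exposure. The vendor names, minimum versions, default-credential list, device records and the scoring weights are all constructed assumptions; credentials are compared as peppered HMAC fingerprints so no plaintext sits in the inventory.

```python
"""Credential and firmware hygiene checks over a device inventory (step 4).

Finds devices on a default credential, credentials shared across devices,
and firmware below the minimum version, then ranks them for remediation.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed pepper. Fingerprints let us compare credentials across devices
# and against known defaults without storing the plaintext in the inventory.
PEPPER = b"example-only-pepper"


def fingerprint(secret: str) -> str:
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed vendor defaults and firmware floors; real values come from vendor notices.
DEFAULT_CREDS = {fingerprint("admin:admin"), fingerprint("admin:12345")}
MIN_FIRMWARE = {("CamCo", "ip-camera"): "5.7.3", ("AirCorp", "hvac-controller"): "2.0.0"}


@dataclass(frozen=True)
class Device:
    name: str
    dtype: str
    vendor: str
    firmware: str           # dotted version as reported by the device
    cred_fp: str            # fingerprint of the admin credential in use
    criticality: int        # 1 (low) .. 3 (high) business impact
    internet_exposed: bool
    segmented: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically so 5.10.0 sorts after 5.9.9."""
    return tuple(int(part) for part in v.split("."))


def firmware_outdated(d: Device) -> bool:
    floor = MIN_FIRMWARE.get((d.vendor, d.dtype))
    return floor is not None and parse_version(d.firmware) < parse_version(floor)


def reused_fingerprints(devices: List[Device]) -> Dict[str, List[str]]:
    """Group devices by credential fingerprint; keep groups shared by more than one device."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in devices:
        groups[d.cred_fp].append(d.name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def assess(devices: List[Device]) -> List[Tuple[str, int, List[str]]]:
    """Return (name, score, findings) for devices with at least one gap, worst first."""
    reused = reused_fingerprints(devices)
    results = []
    for d in devices:
        findings: List[str] = []
        if d.cred_fp in DEFAULT_CREDS:
            findings.append("default-credential")
        if d.cred_fp in reused:
            others = [n for n in reused[d.cred_fp] if n != d.name]
            findings.append("credential-reused-with:" + ",".join(others))
        if firmware_outdated(d):
            findings.append(f"firmware-below-minimum:{d.firmware}<{MIN_FIRMWARE[(d.vendor, d.dtype)]}")
        if not findings:
            continue
        # Exposure weight: baseline 1, +2 if reachable from the internet, +1 if unsegmented.
        exposure = 1 + (2 if d.internet_exposed else 0) + (0 if d.segmented else 1)
        results.append((d.name, len(findings) * d.criticality * exposure, findings))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


# Constructed inventory records.
DEVICES = [
    Device("lobby-cam-01", "ip-camera", "CamCo", "5.6.0", fingerprint("admin:admin"), 2, True, False),
    Device("dock-cam-02", "ip-camera", "CamCo", "5.7.3", fingerprint("admin:admin"), 2, False, False),
    Device("hvac-roof-01", "hvac-controller", "AirCorp", "1.9.2", fingerprint("r00f-Ctl!"), 3, False, True),
    Device("badge-reader-03", "badge-reader", "DoorCo", "3.1.0", fingerprint("x7Qp!vv"), 3, False, True),
]

if __name__ == "__main__":
    for name, score, findings in assess(DEVICES):
        print(f"{score:3d} {name}: {'; '.join(findings)}")
```

The internet-exposed, unsegmented camera with three gaps lands at the top of the list, the identical camera that is patched and off the internet drops well below it, and the HVAC controller with only an old firmware image on a segmented network ranks last. Replacing the constructed defaults and firmware floors with the vendor's published values is the only change needed to run this over a real inventory export.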

Turning visibility into action: How ORDR helps customers tackle the threats of shadow IoT 

At ORDR, we work closely with IT and security teams across industries to help them implement the best practices outlined above — from initial discovery to segmentation, risk reduction, and response. Through these engagements, we’ve developed a deep understanding of the challenges that come with managing agentless and unmanaged devices at scale. 

We’ve seen firsthand how organizations succeed when they can: 

  • Turn data into decisions — Dashboards that clearly surface asset inventories, risk levels, and behavioral trends help teams spot issues faster and drive accountability across functions. 
  • Focus on what matters — By mapping vulnerabilities and behaviors to business context, like device type, ownership, and location, we help teams cut through the noise and prioritize effectively. 
  • Act fast when something changes — Real-time alerts and integrations with enforcement tools like NACs and firewalls enable immediate, targeted response. 
  • Unify visibility and response workflows — From identifying unmanaged or risky devices to understanding their behavior over time, ORDR brings together the insights teams need to reduce risk without adding complexity. 

As enterprise environments become more hyperconnected, the biggest threat isn’t always what breaks through your defenses; it’s what quietly slips past them, like shadow IoT.

Want to learn more about how organizations are tackling agentless threats? Check out the Rise of the Machines Report, our annual cybersecurity paper on the state of agentless and unmanaged assets within enterprises, or request a demo to see how we can help your team take back control. 
