My Q-See was a re-branded Dahua from what I read. It had old firmware and was exposed through open ports. I think I fall into the second scenerio below:
Attacks against Dahua units:
* 'Bashis Generation 2 and 3' authentication bypasses (CVE-2017-7927,
ICSA-17-124-02) are attempted against the web interface. The first
viable-looking account in the userlist is targeted (usually 888888).
If login is successful, camera settings are tampered with to dim the
feeds and display "HACKED" as a watermark. Recently some feeds will
also get the text "UPGRADE" and "FIRMWARE" for additional clarity.
Unit's network settings are tampered with in an attempt to disconnect
the vulnerable unit from the WAN.
* If unit has an exposed telnetd interface some well-known backdoor
account logins (CVE-2013-3612) are attempted, and on successful login
the unit will be bricked. The symptoms in this case will be a bricked
device, all partitions overwritten with random data.
* If port 6789's or 19058's management interface is open to the WAN an
attempt is made to extract the userlist from the data port 37777
(CVE-2013-6117). If a hash is successfully extracted an attempt to
reverse it is carried out (CVE-2013-3615). If hash reversing isn't
successful or port 37777 isn't exploitable then common logins are used
instead. On successful management interface login the unit will be
bricked. The symptoms in this case will be a bricked device, with all
partitions overwritten with random data. Although these vulnerabilities
are now 4 years old there are still sadly some new units appearing
every day.