“Chisel logs alone recorded 3,708 sessions over a 13-day window.”
Operation Escaneo exposed by CloudSEK
CloudSEK discovered and mapped a coordinated campaign it calls Operation Escaneo after finding an open directory on the group's server in early 2026. The firm says the error allowed researchers to reconstruct the attackers' toolkit and activity, revealing a sustained operation that targeted critical infrastructure across Mexico with lesser activity in Ecuador and Portugal. Affected sectors included government, tax authorities, utilities, transport, telecoms and banks.
Perimeter appliances: Fortinet and Ivanti CVEs used
CloudSEK reported that the attackers primarily gained entry through internet-facing security appliances. The group kept tuned exploits for Fortinet FortiOS SSL‑VPN flaws — specifically CVE-2022-42475 and CVE-2024-21762 — and Ivanti Connect Secure flaws CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282. Researchers said the attackers adapted public proof‑of‑concept code so it would not crash targets.
Beyond VPN and SSL‑VPN appliances, the campaign also used exploits for Apache Tomcat's GhostCat flaw, Windows vulnerabilities EternalBlue and Zerologon, and Log4Shell, broadening the range of entry points into victim networks.
Kimera reconnaissance, Neo‑reGeorg and tunneling
The attackers relied on a custom reconnaissance engine named Kimera, which CloudSEK said scanned and triaged targets at high speed and then handed them to the exploitation stage. Once inside, the group layered access to maintain connectivity: Neo‑reGeorg webshells provided encrypted footholds on web servers; Chisel reverse tunnels carried traffic over HTTP; and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network‑level channel CloudSEK noted could be invisible to host‑based defenses.
CloudSEK's artifact set shows these channels were active and persistent: the Chisel logs alone recorded 3,708 sessions during a 13‑day period, illustrating the scale and repetitiveness of the operation's remote access.
Data stolen: transport records, Active Directory maps, SSL keys, SAP and Oracle access
Inside victim networks the attackers reached SAP and Oracle systems to run commands and extracted large volumes of sensitive information. CloudSEK said it confirmed beacons from at least five victims and large‑scale data theft. Among the items the firm enumerated were:
- More than 1.3 million personal records from one transport provider
- A 407 MB map of a victim's Active Directory
- SSL private keys, streamed out live from a database server
- SAP service‑account hashes and browser‑stored passwords
Those artifacts show the attackers were not simply probing perimeter devices but moving into enterprise applications and databases to harvest identity, cryptographic and application credentials.
Attribution: Mexican Mafia (Pancho Villa) with medium confidence
CloudSEK attributed Operation Escaneo, with medium confidence, to a group it calls Mexican Mafia, or Pancho Villa. The firm notes the group spent 2024 claiming breaches against Mexican government, judicial and energy targets, sometimes framing the hacks as protest, though CloudSEK also warned that some of the group's past claims have been disputed by the organizations named.
What this means for technologists, policymakers, and procurement leaders
- Technologists and security teams: CloudSEK urged patching perimeter appliances first, explicitly singling out the Fortinet and Ivanti flaws. Teams should also hunt for quieter tells the report identifies — GRE tunnels reaching external addresses, Chisel's TCP‑over‑HTTP traffic and unexpected commands executed through SAP and Oracle.
- Policymakers and regulators: The operation underscores the risk to national‑scale critical infrastructure from exploited internet‑facing appliances and the need for guidance and enforcement mechanisms focused on timely patching of perimeter gear and monitoring for network‑level tunnels.
- Procurement and affected enterprises: The findings highlight the operational cost of exposed or unpatched VPN and remote‑access appliances and the need to validate vendor firmware updates, logging visibility for tunnels such as GRE, and controls around extraction of SSL keys and service account data from enterprise applications.
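As an added illustration of the hunting advice above (example code written for this summary, not CloudSEK's or the report's own tooling), the Python below runs two of those checks over constructed flow records: GRE (IP protocol 47) from an internal host to an external peer, and repeated HTTP(S) sessions from one internal host to the same external endpoint as a heuristic for Chisel‑style TCP‑over‑HTTP tunnels. The CSV column layout, the sample addresses and the session threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the CloudSEK report).
# Columns: timestamp, src, dst, ip_proto, dst_port, bytes
SAMPLE_FLOWS = """\
2026-01-03T10:00:01Z,10.10.5.1,203.0.113.7,47,0,48200
2026-01-03T10:00:05Z,10.10.5.1,10.10.9.9,47,0,1200
2026-01-03T10:01:00Z,10.10.20.4,198.51.100.22,6,80,900
2026-01-03T10:02:00Z,10.10.20.4,198.51.100.22,6,80,1100
2026-01-03T10:03:00Z,10.10.20.4,198.51.100.22,6,80,950
2026-01-03T10:03:30Z,10.10.20.4,198.51.100.22,6,80,1020
2026-01-03T10:04:00Z,10.10.30.8,198.51.100.40,6,443,5400
"""

GRE = 47  # IP protocol number for GRE
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Turn the CSV-style records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": int(proto),
                      "port": int(port), "bytes": int(nbytes)})
    return flows

def is_external(ip):
    """True when the address is outside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def gre_to_external(flows):
    """GRE from an internal host to an external peer (the router tunnel pattern)."""
    return [f for f in flows if f["proto"] == GRE and is_external(f["dst"])]

def repeated_http_sessions(flows, min_sessions=3):
    """Heuristic for Chisel-style TCP-over-HTTP tunnels: many sessions from
    one internal host to the same external HTTP(S) endpoint."""
    counts = Counter((f["src"], f["dst"], f["port"]) for f in flows
                     if f["proto"] == 6 and f["port"] in (80, 443)
                     and is_external(f["dst"]))
    return [(key, n) for key, n in counts.items() if n >= min_sessions]

if __name__ == "__main__":
    print(gre_to_external(parse_flows(SAMPLE_FLOWS)))
```

In production the same two functions would read exported NetFlow or firewall connection logs instead of the embedded sample, and the threshold should be tuned against a baseline of the site's legitimate HTTP traffic.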
Operation Escaneo, as reconstructed by CloudSEK, is notable for its breadth — multiple CVEs across vendor products, a high‑speed reconnaissance engine called Kimera, and layered persistence combining webshells, application exploitation and network‑level tunnels. It was the attackers' own operational security failure — an exposed staging directory — that allowed researchers to assemble this picture. What remains are clear, immediate actions CloudSEK recommends (patch perimeter appliances and hunt for GRE and Chisel traffic) and unanswered questions about the full scope of victims and the longer‑term reuse of harvested credentials and keys.
Original story: LATAM Infrastructure Hit by Fortinet and Ivanti Exploits (Infosecurity Magazine)