A cyberattack campaign known as Operation Escaneo has targeted government and financial institutions in Latin America, particularly Mexico, exposing a range of critical infrastructures. The campaign was identified after attackers accidentally left a staging server exposed online, allowing researchers to analyze their methods. The attackers exploited vulnerabilities in Fortinet and Ivanti security appliances, utilizing a reconnaissance tool named Kimera to scan targets quickly.
They employed layered access methods including webshells and hidden tunnels to infiltrate networks and extract sensitive data, such as personal records and SSL keys. CloudSEK attributes the attacks to a group called the Mexican Mafia, which has previously claimed similar breaches as forms of protest. Recommendations for organizations include patching security appliances and monitoring for unusual network activity.