VYPR
Breach · Published Jun 18, 2026 · 1 source

Operation Escaneo: Fortinet and Ivanti Exploits Hit Latin American Infrastructure

A coordinated campaign dubbed Operation Escaneo has breached government and financial targets across Latin America, exploiting flaws in Fortinet and Ivanti appliances to steal millions of records.

Attackers have systematically compromised critical infrastructure across Latin America — primarily in Mexico — by exploiting known vulnerabilities in Fortinet FortiOS SSL-VPNs and Ivanti Connect Secure appliances. The campaign, dubbed Operation Escaneo, was uncovered by CloudSEK after researchers discovered an exposed staging server that revealed the group's full toolkit, including a custom reconnaissance engine called Kimera and an arsenal of exploits for high-profile CVEs.

The entry point for the attackers was almost always an internet-facing security appliance. They weaponized multiple Fortinet flaws — CVE-2022-42475 and CVE-2024-21762 — alongside a stack of Ivanti Connect Secure vulnerabilities, including CVE-2023-46805, CVE-2024-21887, and CVE-2025-0282. Public proof-of-concept code was adapted to avoid crashing the target during exploitation, showing a level of operational maturity beyond a typical smash-and-grab.

The group did not stop at perimeter gear. Their toolset included exploits for Apache Tomcat's GhostCat vulnerability (CVE-2020-1938), EternalBlue (MS17-010), Zerologon (CVE-2020-1472), and Log4Shell (CVE-2021-44228). CloudSEK's analysis indicates the attackers used the Kimera engine to rapidly scan and triage targets before handing them directly to the exploitation stage, dramatically shortening the time from discovery to compromise.

Once inside, the attackers layered persistence. Neo-reGeorg webshells provided encrypted footholds on web servers, while Chisel reverse tunnels carried TCP traffic inside HTTP (a WebSocket upgrade) so it blended with ordinary web traffic. Critically, the group also compromised a Cisco router and configured a GRE tunnel (IP protocol 47) pointing back to their infrastructure, creating a network-level command channel that host-based defenses never see. Chisel logs alone recorded 3,708 sessions over a 13-day window.

The exfiltration was massive. From one transport provider, the attackers stole over 1.3 million personal records. They also extracted a 407MB Active Directory map, SSL private keys streamed live from a database server, SAP service-account hashes, and browser-stored passwords. The group gained access to SAP and Oracle systems to run commands directly, suggesting deep lateral movement and a focus on enterprise resource planning (ERP) data.

CloudSEK attributed the campaign, with medium confidence, to a group it refers to as Mexican Mafia or Pancho Villa, which spent 2024 claiming breaches against Mexican government, judicial, and energy targets — sometimes framing the attacks as protest. However, the firm hedged this attribution, noting that some of the group's past claims have been disputed by the named organizations.

Regardless of attribution, the operation underscores the danger of unpatched perimeter appliances in critical infrastructure. CloudSEK urges Latin American organizations to patch the Fortinet and Ivanti flaws immediately and to hunt for the campaign's less obvious indicators: GRE traffic (IP protocol 47) leaving the network for external addresses, the long-lived HTTP/WebSocket sessions that Chisel produces, and unexpected operating-system commands issued through SAP and Oracle. The case also shows how much a single exposed staging server can give away: in this instance, the threat actor's entire playbook.
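As an added example (not CloudSEK's code and nothing from the campaign's toolkit), the Python below turns the network indicators above into three checks: GRE flows to external addresses, long-lived, high-volume HTTP sessions of the kind Chisel produces, and a Cisco IOS running-config audit for tunnel interfaces whose GRE destination is outside the organization. Every input is constructed here (NetFlow-like CSV rows, one HTTP request, a config excerpt), and the TEST-NET addresses stand in for attacker infrastructure. The `chisel-v` WebSocket subprotocol prefix is an assumption about what Chisel clients advertise and should be verified against the version you are facing; the SAP/Oracle command indicator needs application audit logs and is not covered.

```python
"""Hunting for Operation Escaneo network indicators in constructed inputs.
Added example, not CloudSEK's or the actor's code; all data below is made up."""
import ipaddress
import re

# Constructed NetFlow-like records (proto is the IANA protocol number).
FLOWS = """\
src,dst,proto,dport,duration_s,bytes_out,bytes_in
10.20.30.1,203.0.113.50,47,0,86400,900000000,450000000
10.20.30.15,203.0.113.51,6,8080,43000,52000000,61000000
10.20.30.16,10.20.30.5,6,443,12,4000,90000
10.20.30.17,198.51.100.9,6,443,3,1200,5400
10.20.30.2,10.20.30.3,47,0,3600,10000,10000
"""

# Constructed HTTP request, modelled on a Chisel client's WebSocket upgrade.
HTTP_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 203.0.113.51:8080\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Protocol: chisel-v3\r\n\r\n"
)

# Constructed Cisco IOS running-config excerpt (not from a real device).
RUNNING_CONFIG = """\
interface Tunnel0
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
interface Tunnel1
 tunnel source Loopback0
 tunnel destination 10.50.0.1
 tunnel mode ipsec ipv4
!
"""

IANA_GRE = 47
HTTP_PORTS = {80, 443, 8000, 8080, 8443}
CHISEL_SUBPROTO = "chisel-v"  # assumption: subprotocol prefix Chisel clients send
# RFC 1918 plus loopback/link-local count as internal; everything else, including
# the TEST-NET ranges used as stand-ins above, is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def flag_flows(csv_text: str, min_tunnel_seconds: int = 3600, min_bytes: int = 1_000_000):
    """Return (rule, src, dst) tuples for flows matching the two network indicators."""
    rows = csv_text.strip().splitlines()
    header = rows[0].split(",")
    hits = []
    for line in rows[1:]:
        rec = dict(zip(header, line.split(",")))
        proto, dport = int(rec["proto"]), int(rec["dport"])
        duration = int(rec["duration_s"])
        total = int(rec["bytes_out"]) + int(rec["bytes_in"])
        if proto == IANA_GRE and is_external(rec["dst"]):
            hits.append(("gre_to_external", rec["src"], rec["dst"]))
        elif (proto == 6 and dport in HTTP_PORTS and is_external(rec["dst"])
              and duration >= min_tunnel_seconds and total >= min_bytes):
            # One HTTP "session" open for hours moving megabytes in both
            # directions is a tunnel, not browsing.
            hits.append(("long_lived_http_tunnel", rec["src"], rec["dst"]))
    return hits


def is_chisel_upgrade(raw_request: str) -> bool:
    """True if the request is a WebSocket upgrade advertising a Chisel subprotocol."""
    headers = {}
    for header_line in raw_request.split("\r\n")[1:]:
        if ":" in header_line:
            name, value = header_line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return (headers.get("upgrade", "").lower() == "websocket"
            and headers.get("sec-websocket-protocol", "").startswith(CHISEL_SUBPROTO))


def rogue_gre_tunnels(config: str):
    """Names of IOS tunnel interfaces whose GRE destination is an external address."""
    rogue = []
    for block in re.split(r"^!\s*$", config, flags=re.M):
        iface = re.search(r"^interface (Tunnel\S+)", block, re.M)
        if not iface:
            continue
        dest = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        mode = re.search(r"^\s*tunnel mode (\S+)", block, re.M)
        is_gre = mode is None or mode.group(1) == "gre"  # GRE is the IOS default mode
        if dest and is_gre and is_external(dest.group(1)):
            rogue.append(iface.group(1))
    return rogue


if __name__ == "__main__":
    for hit in flag_flows(FLOWS):
        print("FLOW", *hit)
    print("CHISEL_UPGRADE", is_chisel_upgrade(HTTP_REQUEST))
    print("ROGUE_TUNNELS", rogue_gre_tunnels(RUNNING_CONFIG))
```

Run against the constructed data, the flow check flags the GRE session to 203.0.113.50 and the twelve-hour, 113 MB "HTTP" session to 203.0.113.51:8080 while ignoring the internal GRE flow and the short TLS sessions; the config audit reports only Tunnel0, because Tunnel1 is an IPsec tunnel to an internal peer. The thresholds are starting points: tune `min_tunnel_seconds` and `min_bytes` against your own baseline of legitimate long-lived HTTP connections before turning this into an alert.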

Synthesized by Vypr AI