
Operation Escaneo: Defending Latin American Infrastructure from Perimeter Exploitation

Security Arsenal Team
June 19, 2026

Introduction

Latin American infrastructure is currently under active siege. CloudSEK has mapped a campaign dubbed "Operation Escaneo," which specifically targets organizations in the region by exploiting security issues in perimeter devices—namely Fortinet and Ivanti products. This is not a theoretical exercise; we are observing confirmed active exploitation attempts against edge devices that serve as the gateway to internal networks. For defenders in LATAM and global entities managing these assets, the time to audit, patch, and isolate these perimeter nodes is now.

Technical Analysis

Affected Products and Platforms

The campaign focuses on exploiting unpatched vulnerabilities in widely used edge security and management solutions:

  • Fortinet: FortiGate firewalls and related FortiOS appliances.
  • Ivanti: Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure (formerly Pulse Secure) VPN appliances.

The Vulnerability & Attack Chain

While the specific CVE identifiers are not detailed in the initial intelligence, the vector follows a classic and devastating pattern for perimeter breaches:

  1. Reconnaissance: Threat actors scan for internet-exposed management interfaces (HTTPS/SSL VPN ports) on Fortinet and Ivanti appliances.
  2. Exploitation: The actors exploit security issues (authentication bypass or remote code execution vulnerabilities) in the web-facing components of these devices.
  3. Persistence: Upon successful exploitation, a web shell or backdoor is deployed on the appliance, providing the attacker with persistent control even if the initial vulnerability is later patched.
  4. Lateral Movement: The compromised perimeter device serves as a pivot point to launch attacks against the internal Active Directory environment and sensitive data stores.

Exploitation Status

CloudSEK’s findings indicate confirmed active exploitation. The targeting is opportunistic but geographically focused on LATAM infrastructure, suggesting a specific intent to compromise regional entities.

Detection & Response

Detecting the exploitation of perimeter appliances requires visibility into the device logs (Syslog/CEF) and, if available, endpoint detection on the underlying Linux-based operating system of these appliances. Below are detection rules to identify the post-exploitation activity typical of these campaigns.

SIGMA Rules

---
title: Potential Web Shell Creation on Linux Perimeter Appliances
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the creation of suspicious files in web directories typical of Fortinet/Ivanti appliances, indicative of web shell activity during Operation Escaneo.
references:
  - https://attack.mitre.org/techniques/T1505/003
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  product: linux
  category: file_create
detection:
  selection:
    TargetFilename|contains:
      - '/var/www/html/'
      - '/home/nginx/html/'
      - '/data/webs/'
  filter_legit:
    Image|endswith:
      - '/httpd'
      - '/nginx'
      - '/apache2'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrative file uploads
level: high
---
title: Suspicious Child Process of Web Service on Linux
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects web server processes spawning shells or common pentesting tools, often a sign of successful RCE on perimeter devices.
references:
  - https://attack.mitre.org/techniques/T1059/004
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: linux
  category: process_creation
detection:
  selection_parent:
    ParentImage|contains:
      - '/httpd'
      - '/nginx'
      - '/lighttpd'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/nc'
      - '/telnet'
      - '/python'
  condition: selection_parent and selection_child
falsepositives:
  - Administrative troubleshooting
level: critical
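To test the conditions of the two Sigma rules above before deploying them, here is an added Python harness (example code, not part of the advisory) that re-implements their selection and filter logic over constructed sample events; the sample paths, the event dictionaries and the `run()` helper are assumptions.

```python
"""Added example (not from the advisory): apply the logic of the two Sigma rules
above to constructed sample events, so the conditions can be tested offline."""

# Lists copied from the rules above
WEB_DIRS = ("/var/www/html/", "/home/nginx/html/", "/data/webs/")
WEB_SERVERS = ("/httpd", "/nginx", "/apache2")
WEB_PARENTS = ("/httpd", "/nginx", "/lighttpd")
SHELL_CHILDREN = ("/bash", "/sh", "/nc", "/telnet", "/python")


def webshell_file_create(event: dict) -> bool:
    """Rule 1: file created under a web root by anything other than the web server itself."""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    selection = any(d in target for d in WEB_DIRS)          # TargetFilename|contains
    filter_legit = image.endswith(WEB_SERVERS)              # Image|endswith
    return selection and not filter_legit


def suspicious_web_child(event: dict) -> bool:
    """Rule 2: web server process spawning a shell or network tool."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return any(p in parent for p in WEB_PARENTS) and image.endswith(SHELL_CHILDREN)


# Constructed sample events (not real telemetry)
FILE_EVENTS = [
    {"TargetFilename": "/var/www/html/img/.cache.php", "Image": "/bin/sh"},        # dropped by a shell -> hit
    {"TargetFilename": "/var/www/html/uploads/x.jpg", "Image": "/usr/sbin/httpd"},  # server itself -> filtered
    {"TargetFilename": "/etc/hosts", "Image": "/bin/sh"},                           # not a web root -> no hit
]
PROC_EVENTS = [
    {"ParentImage": "/usr/sbin/httpd", "Image": "/bin/sh"},             # hit
    {"ParentImage": "/usr/sbin/nginx", "Image": "/usr/bin/python"},     # hit
    {"ParentImage": "/usr/sbin/sshd", "Image": "/bin/bash"},            # parent not a web server -> no hit
    {"ParentImage": "/usr/sbin/httpd", "Image": "/usr/bin/python3"},    # endswith '/python' misses python3
]


def run() -> dict:
    """Return the indexes of the sample events each rule flags."""
    return {
        "file_create": [i for i, e in enumerate(FILE_EVENTS) if webshell_file_create(e)],
        "process_creation": [i for i, e in enumerate(PROC_EVENTS) if suspicious_web_child(e)],
    }


if __name__ == "__main__":
    print(run())
```

The last process event shows why such a harness is worth running: an `endswith` list that names `/python` does not match `/python3`, so the interpreter list needs the concrete binary names present on the appliance.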

KQL (Microsoft Sentinel)

// Hunt for suspicious command execution or access patterns on perimeter devices
// Assumes appliance logs are ingested into the Syslog table (Syslog or CEF forwarding).
// The Syslog table exposes Computer/HostName rather than a vendor facility, so scope by appliance hostnames.
let PerimeterHosts = dynamic(["fw-edge-01", "vpn-ics-01"]);   // placeholder: replace with your Fortinet/Ivanti hostnames
let PerimeterDevices = Syslog
| where Computer in (PerimeterHosts) or ProcessName contains "httpd";
PerimeterDevices
| where SyslogMessage has_any ("bash", "sh", "wget", "curl")
| project TimeGenerated, Computer, HostName, ProcessName, SyslogMessage
| sort by TimeGenerated desc

Velociraptor VQL

-- Hunt for web shells or suspicious scripts in common web directories
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs=['/var/www/html/*', '/home/nginx/html/*', '/tmp/*'])
WHERE NOT IsDir
  AND Mode =~ 'x'                                       -- any execute bit set
  AND NOT Name IN ('index.html', 'index.php', 'login.php')
  AND Name =~ '[.](php|jsp|sh)$'

Remediation Script (Bash)

Warning: Run this script on the affected Linux-based appliance or a management server with access to the file system. Ensure you have a backup before modifying production systems.

#!/bin/bash
# Remediation/Hardening Script for Perimeter Appliances
# Checks for common web shell patterns and verifies exposed services
set -u
# Unquoted on purpose below so the list splits into separate paths
WEB_ROOTS="/var/www/html /home/nginx/html /data/webs"

# 1. Check for recently modified files in web roots (last 24 hours); missing roots are skipped
echo "Checking for recently modified files in web directories..."
find $WEB_ROOTS -type f -mtime -1 -ls 2>/dev/null

# 2. Check for active listening ports on external interfaces (-p and -e need root)
echo "Checking for services listening on non-loopback interfaces..."
ss -tulpen | grep -Ev '127\.0\.0\.1|\[::1\]'

# 3. Search for common obfuscated web shell strings (single quotes keep $ literal for grep)
echo "Scanning for potential web shell content..."
grep -RlE 'eval.*base64_decode' $WEB_ROOTS 2>/dev/null
grep -RlE '(system|exec|passthru|shell_exec).*\$_(GET|POST|REQUEST)' $WEB_ROOTS 2>/dev/null

echo "Audit complete. Review findings immediately."

Remediation

To neutralize the threat posed by Operation Escaneo, organizations must immediately implement the following defensive measures:

  1. Patch Immediately: Apply the latest security patches provided by Fortinet and Ivanti. Ensure your firmware versions are updated to the releases that address the specific perimeter bugs identified in this campaign.
  2. Network Segmentation: Restrict management interfaces (HTTPS/SSH) of these appliances. Ensure they are accessible only via VPN or from dedicated internal administrative subnets, not directly from the internet.
  3. Credential Reset: Assume that credentials stored on or used to access these appliances may be compromised. Force a reset of all local and administrative passwords.
  4. Audit for Compromise: Review logs for signs of successful logins followed by configuration changes or file modifications during the campaign timeline.
  5. Vendor Advisory Compliance: Review the official advisories from Fortinet and Ivanti regarding the specific security issues mentioned in CloudSEK's report and apply any recommended configuration hardening changes.
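As an added example for step 4 (not code from the advisory or from either vendor), this Python snippet correlates administrative logins with configuration changes on the same host within a short window over constructed syslog lines; the line format, the `sslvpnd`/`cli` tags and the regexes are assumptions to adapt to real FortiOS or Ivanti log formats.

```python
"""Added example (not from the advisory): flag configuration changes that follow
an admin login on the same appliance within a short window (remediation step 4)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog shape; real FortiOS/Ivanti formats differ,
# so the regexes below are assumptions to adapt to your parser.
LOG = """\
2026-06-18T02:11:05Z fw-edge-01 sslvpnd: login success user=admin src=198.51.100.7
2026-06-18T02:13:40Z fw-edge-01 cli: config changed by admin: system admin add user backup_svc
2026-06-18T09:00:01Z fw-edge-01 sslvpnd: login success user=admin src=10.0.5.12
2026-06-18T15:30:00Z fw-edge-01 cli: config changed by admin: firewall policy edit 12
"""

LOGIN = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) .*login success user=(?P<user>\S+) src=(?P<src>\S+)")
CHANGE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) .*config changed by (?P<user>\S+): (?P<what>.*)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(text: str, window_minutes: int = 15) -> list[dict]:
    """Return config changes made within the window after a login by the same user on the same host."""
    logins, hits = [], []
    for line in text.splitlines():
        if m := LOGIN.match(line):
            logins.append((parse_ts(m["ts"]), m["host"], m["user"], m["src"]))
            continue
        if m := CHANGE.match(line):
            t = parse_ts(m["ts"])
            for lt, host, user, src in logins:       # logins are in file order, so earliest match wins
                if host == m["host"] and user == m["user"] and timedelta(0) <= t - lt <= timedelta(minutes=window_minutes):
                    hits.append({"host": host, "user": user, "src": src,
                                 "login": lt.isoformat(), "change": m["what"]})
                    break
    return hits


if __name__ == "__main__":
    for hit in correlate(LOG):
        print(hit)
```

Review hits against the campaign timeline and the source address; a login from outside the administrative subnets that is immediately followed by an account or policy change is the pattern step 4 asks you to look for.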
