Navigating the Cyber Threat Landscape: A Comprehensive Report on Recent Attacks and Vulnerabilities in Mexico

Mexico has seen a surge in cyberattacks, with hacktivist groups targeting finance, government, and education. Key threats include data breaches and protests, along with illegal firearm sales online. Strengthening cybersecurity is crucial to protect sensitive data and maintain stability.

CloudSEK TRIAD
September 16, 2024

Category: Adversary Intelligence

Region: Mexico

TLP: GREEN

Executive Summary

In recent months, Mexico has been the target of several cyber incidents, ranging from data breaches to hacktivist-led protests. These activities pose significant challenges to the nation's diplomatic, financial, educational, and government sectors, while also raising concerns about the sale of illegal firearms.

  • Hacktivist Protests: Groups such as "Ghosts of Palestine" have orchestrated public demonstrations like the "Die In" protest at the U.S. Embassy in Mexico City. These actions are politically charged, primarily focusing on U.S. policies in Gaza, and have the potential to escalate security measures around diplomatic missions.

  • Data Breaches in the Financial Sector: Hacktivist group RipperSec has claimed breaches of the Carbon Platform MEXICO2 and the Mexican Stock Exchange. If the claim is genuine, exposure of financial data would undermine market integrity and raise the risk of economic disruption. A separate incident, the defacement of Alliance Broker’s website by Esteem Restoration Eagle, shows that financial institutions remain attractive targets.

  • Attacks on Educational and Government Institutions: The hacktivist group Khilafah H4ckers defaced the website of the State Institute of Normal Education of Nayarit and publicised the attack through its Telegram channel. Separately, Ethersec Team Cyber defaced the government website of Tepetlaoxtoc, Mexico. Such defacements disrupt these institutions' online services and erode public confidence in their ability to protect digital assets.

  • Technology Sector Exposure: RipperSec's claimed leak also bears on the technology that underpins Mexico's financial markets. The contents of the shared archive have not been verified, so the real exposure is unknown; the claim nonetheless underlines the need for stronger security controls around these platforms.

  • Illegal Firearms Sales: Individuals are using messaging platforms such as Telegram to advertise illegal firearms, including Glock pistols and revolvers. This trade poses direct risks to public safety and national security.

Introduction

  • Surge in Cyberattacks: Recent months have seen an increase in cyberattacks across Mexico, targeting various sectors including diplomacy, education, finance, and technology. These attacks reveal significant vulnerabilities and operational disruptions.

  • Hacktivist Group Activities: "Ghosts of Palestine" has organised protests and online mobilisation aimed at diplomatic targets, reflecting a political and social agenda. Its actions have implications for diplomatic relations and public order.

  • Financial Sector Compromises: RipperSec claims to have breached major financial platforms, although the contents of the file it shared remain unverified. A separate defacement of Alliance Broker's website by Esteem Restoration Eagle also affected the financial sector.

  • Sector-Specific Threats: Disruptions have extended to the education sector with defaced websites and to the government with compromised online platforms. The illegal sale of firearms through online channels underscores risks to public safety and security.

Mexico Cyber Threat Landscape: Industry-Specific Insight

Industry-specific threat landscape, based on data from the three months preceding this report.

Diplomacy

07 July: The hacktivist group "Ghosts of Palestine" announced a "Die In" action at the U.S. Embassy in Mexico City, protesting the deaths of Palestinian civilians in Gaza and U.S. funding for Israel. The action targets a diplomatic mission and could lead to heightened security measures around it and to friction in U.S.-Mexico diplomatic interactions.

Education

24 August: The hacktivist group Khilafah H4ckers defaced the website of the State Institute of Normal Education of Nayarit (IEENN). The group's announcement included links to the defaced pages and listed affiliations with other hacktivist groups. A defacement disrupts the institute's online services and undermines trust in its security practices; it also shows that the web server or its content management system was compromised, so student and staff data held on the same systems may be exposed.

Finance

  • 05 August: RipperSec claimed to have leaked data from the Carbon Platform MEXICO2 and the Mexican Stock Exchange, indicating a breach of critical financial infrastructure. This leak could compromise financial transactions, expose sensitive market information, and undermine confidence in financial institutions.

  • 08 July: TengkorakCyberCrew reported on the Mekotio banking trojan affecting Latin American financial institutions, including Mexico. This trojan could lead to significant financial theft and unauthorized access to banking systems.

Firearms

An individual using the handle 'ZeroDayX1' on the 'لواء محمد ﷺ' (Muhammad Brigade) Telegram channel advertised firearms, including Glock pistols and revolvers, to buyers in Mexico and the USA. This activity facilitates illegal arms trafficking and poses serious security risks in both countries.

Government

  • 07 August: Ethersec Team Cyber defaced the government website of Tepetlaoxtoc, Mexico, replacing its content with the group's own message. The defacement interrupts public access to government services and undermines public trust in government cybersecurity.

  • 05 August: RipperSec shared a 1.9 MB file named 'bd_mexico2.zip' alongside its MEXICO2 and Mexican Stock Exchange claims. Its contents have not been verified; if genuine, the archive could hold confidential records from those platforms, and the claim should be treated as unconfirmed until the file has been examined.

Technology

05 August: RipperSec's claimed leak from the Carbon Platform MEXICO2 and the Mexican Stock Exchange also underscores the exposure of the technology that underpins Mexico's financial markets. If verified, a leak of this kind would compromise the secure operation of those systems and of the financial services that depend on them.
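Three of the incidents above (IEENN, Tepetlaoxtoc and Alliance Broker) are website defacements, which are cheap to detect if the defender keeps a baseline of each public page and re-checks it on a schedule. The following is an added example, not code from the CloudSEK report or from any of the affected organisations: it fingerprints the visible text of a page, so that whitespace and script churn do not raise alerts, and reports a defacement only when the content hash changes together with a second signal (a changed title or a typical defacement phrase). The marker list and the sample HTML are constructed for illustration.

```python
"""Defacement check: compare a freshly fetched page against a stored baseline.

Added example, not from the CloudSEK report. Assumes the defender stores a
baseline copy of each monitored page; the HTML below is constructed sample
input, not content from any real site.
"""
import hashlib
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Phrases that commonly appear in hacktivist defacement messages.
# Hypothetical list for illustration; tune it to your own environment.
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced by", "greetz")


class _TextExtractor(HTMLParser):
    """Collect the <title> and the visible text, ignoring <script>/<style>."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.text = []
        self._in_title = False
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip:
            self.text.append(data)


def normalize(html: str) -> tuple[str, str]:
    """Return (title, visible text) with whitespace collapsed and lower-cased."""
    parser = _TextExtractor()
    parser.feed(html)
    text = re.sub(r"\s+", " ", " ".join(parser.text)).strip().lower()
    return parser.title.strip(), text


def fingerprint(html: str) -> str:
    """SHA-256 over the normalized visible text: markup, script and whitespace
    changes do not alter it, but replacing the page content does."""
    _, text = normalize(html)
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Verdict:
    defaced: bool
    reasons: list = field(default_factory=list)


def check_page(baseline_html: str, current_html: str) -> Verdict:
    """Compare the current fetch with the baseline and explain the verdict."""
    reasons = []
    if fingerprint(baseline_html) != fingerprint(current_html):
        reasons.append("content hash changed")
    base_title, _ = normalize(baseline_html)
    cur_title, cur_text = normalize(current_html)
    if base_title.lower() != cur_title.lower():
        reasons.append(f"title changed: {base_title!r} -> {cur_title!r}")
    hits = [m for m in DEFACEMENT_MARKERS if m in cur_text or m in cur_title.lower()]
    if hits:
        reasons.append("defacement markers: " + ", ".join(hits))
    # A hash mismatch on its own only means "the page changed" (a legitimate
    # edit does that too); require a second signal before calling it defaced.
    return Verdict(defaced=len(reasons) >= 2, reasons=reasons)


# Constructed sample pages (not real content from any site).
BASELINE = """<html><head><title>Municipio - Tramites y Servicios</title>
<script>var t=1;</script></head>
<body><h1>Bienvenidos</h1><p>Horario de atencion: 9:00 a 15:00</p></body></html>"""

# Same page after a harmless script tweak and extra whitespace: must not alert.
SAME_WITH_NOISE = BASELINE.replace("var t=1", "var t=2").replace("</p>", "</p>\n\n")

DEFACED = """<html><head><title>Hacked By ExampleCrew</title></head>
<body><h1>Owned by ExampleCrew</h1><p>greetz to our friends</p></body></html>"""

if __name__ == "__main__":
    print(check_page(BASELINE, SAME_WITH_NOISE))
    print(check_page(BASELINE, DEFACED))
```

In production the baseline would be refreshed whenever an authorised content change is deployed, and a hash mismatch without a second signal would be routed to the web team as a low-priority change notice rather than a security alert.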

Top Hacktivist Groups Targeting Mexico

Ghosts of Palestine

  • The hacktivist group "Ghosts of Palestine" has been actively organizing protests and demonstrations in Mexico, particularly targeting U.S. policies regarding Israel. They have announced a series of actions, including a "Die In" protest at the U.S. Embassy in Mexico City on July 7, 2024, aimed at denouncing the deaths of Palestinian civilians in Gaza and calling for an end to U.S. financial support for Israel. The group accuses Israel of being a terrorist state and emphasizes opposition to Israeli military actions.

  • In addition to these protests, the group has made their presence known in Mexico since late June 2024, rallying activists and veterans in support of the Palestinian cause. They have organized demonstrations, including a protest at 'Angel de la Independencia' in Mexico City on July 6, 2024. Their activism is centered on uniting people against oppression and advocating for justice, peace, and freedom for Palestinians. Using the hashtag #GhostPrincess, they have shared links to their Telegram channel to mobilize further support.

  • The group's activities reflect a growing focus on combining cyber activism with physical protests, amplifying their message and mobilizing supporters both online and offline. Their presence in Mexico indicates an effort to broaden their international reach in support of Palestinian advocacy.

RipperSec

  • The hacktivist group "RipperSec" has claimed to leak sensitive data from key financial institutions in Mexico. On August 5, 2024, the group claimed responsibility for a data breach affecting the Carbon Platform MEXICO2 and the Mexican Stock Exchange. The specifics of the leaked data remain unclear, but RipperSec has shared a file named 'bd_mexico2.zip', 1.9 MB in size. The group has not disclosed its contents; the name ('bd' is the common Spanish abbreviation for base de datos, a database) suggests a database dump related to these platforms, but the claim should be treated as unverified until the archive has been examined.

  • These actions highlight RipperSec's targeting of critical infrastructure in Mexico, posing significant risks to the financial sector, potentially impacting operations and exposing sensitive information of stakeholders involved in the Carbon Platform MEXICO2 and the Mexican Stock Exchange.

Top Threat Actors Targeting Mexico

faqwe789

  • The user 'faqwe789' is actively seeking sensitive data related to Mexico through various underground forums, particularly 'BreachForums_v2.' They are targeting databases for the year 2024, with specific interest in Mexican mobile phone numbers, dates of birth, and financial or banking data. The threat actor emphasizes cooperation with first-hand data providers from any country, except Russia and China, and is willing to test and pay for legitimate databases.

  • Their activities pose a significant risk as they seek fresh and private datasets, rejecting public or unsolicited data. This suggests an intent to exploit the acquired information for malicious purposes, potentially leading to fraud, identity theft, or unauthorized access to financial systems. The actor’s preference for long-term cooperation with hacker teams and the focus on obtaining data from Mexico and Indonesia in particular highlights an ongoing and organized effort to breach sensitive information for substantial financial or operational gain.

  • This ongoing activity, combined with their willingness to pay for tested samples, indicates a growing threat to Mexican individuals and organizations.

Amantedelacomida1990

  • The user 'Amantedelacomida1990' has been active on the underground forum 'BreachForums_v2,' posing a significant threat by targeting sensitive Mexican data. They claim to possess a database with over 38 million national phone numbers from various regions in Mexico, as well as a database from the National Electoral Institute (INE), which includes highly sensitive personal details such as names, addresses, and identification numbers. This data is being offered for sale, posing a direct risk to Mexican citizens and their personal security.

  • In addition, 'Amantedelacomida1990' has sought cooperation with national database programmers in Mexico to create or enhance national databases for both Mexico and the United States, which suggests a broader and more organized effort to acquire and manipulate sensitive data. The actor has also expressed interest in gaining access to the IMSS (Instituto Mexicano del Seguro Social) database, further increasing the threat to national and institutional security in Mexico.

  • Although their forum account has been banned for violating the English-only policy, their actions indicate a persistent attempt to acquire, exploit, and commercialize critical data, creating risks of identity theft, fraud, and unauthorized access to vital national records.

sccccd77e7

  • The threat actor 'sccccd77e7' has been actively selling compromised data from breaches of Mexican companies on the underground forum BreachForums. They have claimed responsibility for multiple data breaches, including one involving Sánchez M. y Asociados, an accounting firm, from which they obtained emails, spreadsheets, employee and customer databases, property files, investments, personal and company documents, and invoices. This breach, reportedly occurring in July 2024, is being offered for sale for a modest price of 20 USD, indicating the actor’s willingness to offload highly sensitive data cheaply.

  • 'sccccd77e7' also claims to possess a data breach from Corporativo Sando, a construction company based in Monterrey, Mexico. The breach allegedly includes 87,000 emails and 19,000 attachments, alongside confidential financial information, customer and supplier data, and access to external systems. The actor accepts payment in Monero (XMR), a privacy-focused cryptocurrency whose transactions conceal sender, receiver and amount on-chain, which makes the payments very hard to trace.

  • The repeated attacks targeting Mexican firms suggest that 'sccccd77e7' is systematically targeting organizations with a wealth of sensitive information, and the public offering of such data raises the risks of identity theft, corporate espionage, financial fraud, and exposure of confidential business dealings.

injectioninferno

  • The threat actor 'injectioninferno' has been actively targeting Mexican citizen and bank data on the underground forum 'BreachForums_v2.' They claim to possess a wide range of sensitive information, including a database containing 1.8 million Mexican citizen records. Despite offering a download link, reports suggest the file is corrupted, diminishing the credibility of the post.

  • 'injectioninferno' has also offered leads on multiple Mexican banks, claiming to hold personal information of bank customers, such as names, addresses, and phone numbers. They have provided a sample of the data to entice potential buyers and have offered an escrow service for secure transactions, signaling a structured approach to data selling.

  • Additionally, 'injectioninferno' is offering a database of 250,000 WhatsApp user records from Mexico, including phone numbers and location information. This data is being sold through Telegram, where they are promoting further discussions with buyers.

  • The activities of 'injectioninferno' pose a severe threat to the financial security and privacy of Mexican citizens, as the sale of sensitive banking and communication data can lead to widespread fraud, identity theft, and other malicious activities. Their efforts to secure transactions using an escrow service also highlight the professionalism behind these operations, increasing the risk to individuals and institutions across Mexico.

sirdr

  • The threat actor 'sirdr' has been actively sharing and selling compromised Mexican data on the underground forum 'leakbase.io.' They claim to possess several datasets, including a database of 231,000 Mexican phone numbers, though they admit that the data contains a mix of valid and invalid numbers. This raises concerns about the accuracy of the data but still presents a risk of fraudulent activity targeting the valid numbers.

  • Additionally, 'sirdr' has offered a database of 5,000 email addresses and associated passwords from Mexico, most likely harvested through phishing or infostealer malware, or recycled from earlier breaches. Credentials of this kind feed credential-stuffing and account-takeover attacks against any service where the same passwords have been reused, putting both individuals and organisations at risk.

  • In another post, 'sirdr' is offering a database containing 58,000 Mexican email addresses and passwords, which is being provided for free to the forum community. This widespread distribution of sensitive information for free amplifies the threat to Mexican users, as malicious actors can exploit this data for various nefarious purposes, including identity theft, unauthorized access, and financial fraud.

  • The consistent sharing of sensitive information by 'sirdr' highlights an ongoing risk to Mexican citizens, with stolen credentials and personal information being made easily accessible to a wider range of threat actors.
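The two 'sirdr' credential dumps (5,000 and 58,000 email:password pairs) are the kind of leak an organisation in Mexico should be able to triage within minutes of it appearing. The following is an added example, not code from the CloudSEK report or from XVigil: it parses a combolist in the common email:password format (also tolerating ';' or tab separators and passwords that themselves contain ':'), keeps only accounts on the organisation's own domains, and reports per-domain counts plus accounts that share a password, since reuse is what turns one leaked password into several compromised accounts. Passwords are reduced to a short hash so the triage output never stores the secrets themselves. The dump and the domain list are constructed sample data.

```python
"""Triage of a leaked email:password combolist against an organisation's domains.

Added example, not from the CloudSEK report. Assumes the dump uses one
credential per line with ':' (or ';' or a tab) between email and password;
the dump and domains below are constructed sample data, not a real leak.
"""
import hashlib
import re
from collections import Counter, defaultdict

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
SEPARATORS = ":;\t"


def parse_combolist(text: str):
    """Yield (email, password) pairs; skip blank, comment and malformed lines.

    Split on the earliest separator present so that passwords containing
    ':' or ';' are preserved intact.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        idx = min((line.find(s) for s in SEPARATORS if s in line), default=-1)
        if idx < 0:
            continue  # no separator at all: not a credential line
        email, password = line[:idx].strip().lower(), line[idx + 1:]
        if EMAIL_RE.match(email) and password:
            yield email, password


def triage(dump: str, our_domains: set) -> dict:
    """Return what a SOC needs to act on: which of our accounts appear, how many
    per domain, and which accounts share a password. Only a 12-hex-digit SHA-256
    prefix of each password is kept, enough to spot reuse without storing secrets.
    """
    our_domains = {d.lower() for d in our_domains}
    per_domain = Counter()
    accounts = {}
    by_pw_hash = defaultdict(set)
    total = 0
    for email, password in parse_combolist(dump):
        total += 1
        domain = email.rsplit("@", 1)[1]
        if domain not in our_domains:
            continue
        per_domain[domain] += 1
        pw_hash = hashlib.sha256(password.encode()).hexdigest()[:12]
        accounts[email] = pw_hash
        by_pw_hash[pw_hash].add(email)
    shared = {h: sorted(e) for h, e in by_pw_hash.items() if len(e) > 1}
    return {
        "lines_parsed": total,
        "per_domain": dict(per_domain),
        "affected_accounts": sorted(accounts),
        "shared_passwords": shared,
    }


# Constructed sample dump: mixed separators, a password with colons, junk lines.
SAMPLE_DUMP = """# constructed sample, not real data
juan.perez@example.gob.mx:Verano2024!
maria.lopez@example.gob.mx:Verano2024!
notanemail:password
carlos@other-org.mx:pass:with:colons
ana.ruiz@example.edu.mx;Clave#1
luis.g@example.gob.mx\tpassword123

bad line without separator
"""
OUR_DOMAINS = {"example.gob.mx", "example.edu.mx"}  # hypothetical org domains

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, OUR_DOMAINS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The affected-account list goes to the identity team for forced password resets and a check of recent sign-in logs; the shared-password groups are the first to reset, because a single stuffed login there compromises every account in the group.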

Conclusion

The recent surge in cyberattacks and hacktivist activities across Mexico underscores a critical need for stronger cybersecurity measures across multiple sectors. The range of threats, from politically motivated protests and website defacements to data sales on underground forums and illegal arms advertising, reveals the breadth and impact of hostile activity rather than any single sophisticated campaign. Diplomatic, financial, educational, and governmental institutions have all been affected, each facing its own challenges and risks.

The activities of groups like "Ghosts of Palestine" and RipperSec have not only disrupted operations but also compromised sensitive data, potentially leading to significant financial, operational, and security repercussions. Additionally, the illegal sale of firearms through online platforms highlights a broader issue of cybersecurity extending into physical security realms.

To mitigate these risks, it is imperative for organizations and government agencies to strengthen their cybersecurity frameworks, adopt proactive threat detection and response strategies, and foster collaboration between sectors to address emerging threats effectively. The protection of sensitive data and infrastructure is crucial to maintaining operational stability and public trust in the face of escalating cyber threats.

Recommendations and Suggestions

  • Strengthen Cybersecurity Measures
    • Implement Advanced Threat Detection: Deploy sophisticated threat detection systems to identify and mitigate potential attacks before they can cause significant damage.
    • Regular Security Audits: Conduct regular security assessments and penetration testing to identify vulnerabilities and address them promptly.

  • Enhance Incident Response Capabilities
    • Develop Incident Response Plans: Create and regularly update comprehensive incident response plans to ensure swift and effective action in the event of a cyberattack.
    • Conduct Simulation Exercises: Regularly practice response to various types of cyber incidents through simulations and tabletop exercises to improve readiness.

  • Improve Data Protection and Privacy
    • Encrypt Sensitive Data: Use encryption to protect sensitive data both in transit and at rest to prevent unauthorized access.
    • Implement Access Controls: Apply strict access control measures and ensure that only authorized personnel have access to critical information.

  • Increase Awareness and Training
    • Employee Training Programs: Regularly train employees on cybersecurity best practices, including recognizing phishing attempts and other social engineering attacks.
    • Public Awareness Campaigns: Engage in public awareness campaigns to educate citizens and organizations about potential cyber threats and preventive measures.

  • Enhance Regulatory Compliance
    • Adhere to Regulations: Ensure compliance with relevant cybersecurity regulations and standards to safeguard against legal and financial repercussions.
    • Stay Updated on Legislation: Keep abreast of changes in cybersecurity laws and regulations to ensure ongoing compliance.

  • Invest in Cybersecurity Technology
    • Adopt Cutting-Edge Solutions: Invest in advanced cybersecurity technologies such as artificial intelligence and machine learning to enhance threat detection and response capabilities.
    • Upgrade Legacy Systems: Replace outdated systems with modern, secure alternatives to reduce vulnerabilities and improve overall security posture.

  • Address Physical Security Concerns
    • Secure Physical Access: Implement robust physical security measures to protect critical infrastructure and data centers from unauthorized access and tampering.
    • Monitor Physical Assets: Use surveillance and monitoring technologies to ensure the security of physical assets related to cybersecurity.

By implementing these recommendations, organizations and institutions can better protect themselves against the evolving landscape of cyber threats, safeguard sensitive data, and ensure the continuity of their operations.


Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division


Sirdr

  • The threat actor 'sirdr' has been actively sharing and selling compromised Mexican data on the underground forum 'leakbase.io.' They claim to possess several datasets, including a database of 231,000 Mexican phone numbers, though they admit that the data contains a mix of valid and invalid numbers. This raises concerns about the accuracy of the data but still presents a risk of fraudulent activity targeting the valid numbers.

  • Additionally, 'sirdr' has offered a database of 5,000 email addresses and associated passwords from Mexico, likely obtained through credential stuffing or phishing attacks. The availability of these credentials increases the risk of account takeovers and other forms of cyberattacks against individuals and organizations.

  • In another post, 'sirdr' is offering a database containing 58,000 Mexican email addresses and passwords, which is being provided for free to the forum community. This widespread distribution of sensitive information for free amplifies the threat to Mexican users, as malicious actors can exploit this data for various nefarious purposes, including identity theft, unauthorized access, and financial fraud.

  • The consistent sharing of sensitive information by 'sirdr' highlights an ongoing risk to Mexican citizens, with stolen credentials and personal information being made easily accessible to a wider range of threat actors.
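The credential dumps described above (email addresses with passwords, handed out for free or sold) are the raw material for account takeover. The defensive check that follows is an added example, not code from the CloudSEK report or from XVigil: it parses a leaked `email:password` dump, matches it against an organisation's own user directory by a hash of the normalised email so the clear dump does not have to be retained, and returns which accounts need a forced password reset. The leak lines and the user directory are constructed sample data, and the function and field names are assumptions for this illustration.

```python
"""Match a leaked email:password dump against an organisation's user directory.

Added example, not from the CloudSEK report. SAMPLE_LEAK and ORG_USERS are
constructed sample data with fake addresses and passwords.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample of a leaked "email:password" dump, including the kinds of
# noise real dumps carry (odd casing, stray spaces, malformed and empty lines).
SAMPLE_LEAK = """\
ana.lopez@example.mx:Verano2023!
carlos@example.mx:carlos123
  Maria.Garcia@Example.MX : hola.mundo
garbled line without a separator
jperez@example.mx:
"""

# Constructed user directory of the defending organisation: email -> user id.
ORG_USERS = {
    "ana.lopez@example.mx": "u1001",
    "maria.garcia@example.mx": "u1002",
    "luis.ortega@example.mx": "u1003",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class LeakRecord:
    """One parsed leak line; only a hash of the email and whether a password
    was present are kept, never the clear credential."""
    email_hash: str
    has_password: bool


def normalise_email(email: str) -> str:
    """Lower-case and trim so 'Maria.Garcia@Example.MX ' matches the directory."""
    return email.strip().lower()


def email_fingerprint(email: str) -> str:
    """SHA-256 of the normalised email, used as the join key on both sides."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def parse_leak(text: str) -> list[LeakRecord]:
    """Parse 'email:password' lines, skipping lines without a separator or
    without a plausible email address."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        raw_email, _, password = line.partition(":")
        email = normalise_email(raw_email)
        if not EMAIL_RE.match(email):
            continue
        records.append(LeakRecord(email_fingerprint(email), bool(password.strip())))
    return records


def exposed_accounts(leak_text: str, users: dict[str, str]) -> dict[str, bool]:
    """Return {user_id: password_was_present} for every directory user whose
    email appears in the leak. A True value means a forced reset is needed;
    False means the address is listed but no password accompanied it."""
    by_hash = {email_fingerprint(email): uid for email, uid in users.items()}
    hits: dict[str, bool] = {}
    for record in parse_leak(leak_text):
        uid = by_hash.get(record.email_hash)
        if uid is not None:
            hits[uid] = hits.get(uid, False) or record.has_password
    return hits


if __name__ == "__main__":
    for uid, needs_reset in sorted(exposed_accounts(SAMPLE_LEAK, ORG_USERS).items()):
        action = "force password reset" if needs_reset else "notify user"
        print(f"{uid}: found in leak, {action}")
```

Joining on a hash of the email rather than the address itself means the matching job can run against a stored fingerprint list instead of a copy of the dump; the result drives the reset workflow, and an address that appears without a password still merits a notification because the same user is likely to appear in other dumps.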

Conclusion

The recent surge in cyberattacks and hacktivist activities across Mexico underscores a critical need for enhanced cybersecurity measures across multiple sectors. The diverse range of threats—from targeted protests and data breaches to illegal arms sales—reveals the growing sophistication and impact of cybercriminal activities. Diplomatic, financial, educational, and governmental institutions have all been affected, each facing unique challenges and risks.

The activities of groups like "Ghosts of Palestine" and RipperSec have not only disrupted operations but also compromised sensitive data, potentially leading to significant financial, operational, and security repercussions. Additionally, the illegal sale of firearms through online platforms highlights a broader issue of cybersecurity extending into physical security realms.

To mitigate these risks, it is imperative for organizations and government agencies to strengthen their cybersecurity frameworks, adopt proactive threat detection and response strategies, and foster collaboration between sectors to address emerging threats effectively. The protection of sensitive data and infrastructure is crucial to maintaining operational stability and public trust in the face of escalating cyber threats.

Recommendations and Suggestions

  • Strengthen Cybersecurity Measures
    • Implement Advanced Threat Detection: Deploy sophisticated threat detection systems to identify and mitigate potential attacks before they can cause significant damage.
    • Regular Security Audits: Conduct regular security assessments and penetration testing to identify vulnerabilities and address them promptly.

  • Enhance Incident Response Capabilities
    • Develop Incident Response Plans: Create and regularly update comprehensive incident response plans to ensure swift and effective action in the event of a cyberattack.
    • Conduct Simulation Exercises: Regularly practice response to various types of cyber incidents through simulations and tabletop exercises to improve readiness.

  • Improve Data Protection and Privacy
    • Encrypt Sensitive Data: Use encryption to protect sensitive data both in transit and at rest to prevent unauthorized access.
    • Implement Access Controls: Apply strict access control measures and ensure that only authorized personnel have access to critical information.

  • Increase Awareness and Training
    • Employee Training Programs: Regularly train employees on cybersecurity best practices, including recognizing phishing attempts and other social engineering attacks.
    • Public Awareness Campaigns: Engage in public awareness campaigns to educate citizens and organizations about potential cyber threats and preventive measures.

  • Enhance Regulatory Compliance
    • Adhere to Regulations: Ensure compliance with relevant cybersecurity regulations and standards to safeguard against legal and financial repercussions.
    • Stay Updated on Legislation: Keep abreast of changes in cybersecurity laws and regulations to ensure ongoing compliance.

  • Invest in Cybersecurity Technology
    • Adopt Cutting-Edge Solutions: Invest in advanced cybersecurity technologies such as artificial intelligence and machine learning to enhance threat detection and response capabilities.
    • Upgrade Legacy Systems: Replace outdated systems with modern, secure alternatives to reduce vulnerabilities and improve overall security posture.

  • Address Physical Security Concerns
    • Secure Physical Access: Implement robust physical security measures to protect critical infrastructure and data centers from unauthorized access and tampering.
    • Monitor Physical Assets: Use surveillance and monitoring technologies to ensure the security of physical assets related to cybersecurity.

By implementing these recommendations, organizations and institutions can better protect themselves against the evolving landscape of cyber threats, safeguard sensitive data, and ensure the continuity of their operations.

References

CloudSEK’s flagship digital risk monitoring platform XVigil contains a module called “Underground Intelligence” which provides information about the latest Adversary, Malware, and Vulnerability Intelligence, gathered from a wide range of sources, across the surface web, deep web, and dark web.