Suspected state-sponsored hackers and cybercriminals are trying to exploit a five-month-old vulnerability in popular mobile device management software to target a range of U.K. organizations in the local government, health, logistics and legal sectors, the British government warned Monday.
Organizations use the affected software to manage mobile devices from a central server, “making them a valuable target for threat actors,” the U.K.’s National Cyber Security Centre (NCSC) said in a security advisory. By breaking into the mobile device management (MDM) software, snoops could selectively steal information from mobile devices communicating with the MDM server. Some of the exploitations have been successful, the NCSC said without elaborating.
The NCSC did not name any foreign governments suspected to be behind the activity. It was also unclear what type of health care organizations were targeted.
The NCSC declined to comment.
The advisory is part of a consistent effort by the U.K. and U.S. governments to blunt the impact of foreign espionage campaigns aimed at American and British companies. Sometimes, the advisories are more explicit. The National Security Agency and FBI in August publicized a hacking tool allegedly used by Russian military intelligence to target Linux systems.
In this case, the critical flaw exists in MDM software made by MobileIron, a Silicon Valley company with offices on multiple continents. MobileIron issued a fix for the remote-code execution bug in June, urging customers to apply it. But exploitation of the vulnerability has picked up since September, when researchers released a proof-of-concept exploit, according to the NCSC.
MobileIron estimated in October that “90-95%” of devices were running updated software, free of the flaw. But that still could leave vulnerable devices of value to state and criminal attackers.
The NCSC advisory is a reminder of the immense value that access to MDM software hold for attackers. An unrelated hacking campaign revealed in 2018 targeted just 13 iPhones in India by using an open-source MDM server to inject malicious code into mobile apps.