A month after details were published about three severe vulnerabilities in a type of server used to manage fleets of mobile devices, multiple threat actors are now exploiting these bugs to take over crucial enterprise servers and even orchestrate intrusions inside company networks.
The targets of these attacks are MDM servers from software maker MobileIron.
MDM stands for Mobile Device Management. MDM systems are used inside enterprises to allow companies to manage employees’ mobile devices, by allowing system administrators to deploy certificates, apps, access-control lists, and wipe stolen phones from a central server.
In order to enforce these features, MDM servers need to be online all the time and reachable over the internet, so remote employees’ phones can report back to the company and get the latest updates.
Three major bugs discovered in MobileIron MDMs
Earlier this summer, a security researcher named Orange Tsai discovered three major vulnerabilities in MobileIron’s MDM solutions, which he reported to the vendor, and which the company patched in July.
But Tsai never released in-depth details about any of the three bugs, allowing companies to update their systems.
However, many did not. Tsai eventually published a detailed write-up about the three bugs in September, after he used one of the bugs to hack into Facebook’s MDM server and pivot to the company’s internal network as part of Facebook’s bug bounty program.
Exploitation begins after PoC is published on GitHub
But Tsai’s blog post also had some unintended consequences. Other security researchers used the details in his blog to create public proof-of-concept (PoC) exploits for CVE-2020-15505, the most dangerous of the three bugs that Tsai discovered over the summer.
This PoC exploit was later released on GitHub and made available to other security researchers and penetration testers, but also to attackers.
And just like all the times before when someone released a PoC for a dangerous bug on GitHub, attacks followed within days.
The first wave took place at the start of October and was detected by RiskIQ researchers.
Not that much is known about these attacks, as RiskIQ never went into details, but a report from BlackArrow, published on October 13, breaks down a threat actor’s attempts to hack into MobileIron MDM systems and install the Kaiten DDoS malware.
But if companies thought that getting their MDM server infected with DDoS malware was the worst thing that could happen, they thought wrong.
Today, the US National Security Agency (NSA) listed the MobileIron CVE-2020-15505 as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers in recent months.
The NSA said Chinese threat actors have been using the MobileIron bug, along with many others, to gain an initial foothold on internet-connected systems, and then pivot to internal networks.
Companies urged to patch
With MobileIron boasting that more than 20,000 companies use its MDM solutions, including many Fortune 500 companies, this vulnerability is shaping to be one of the most dangerous security flaws disclosed this year.
With such a huge installbase, MobileIron MDM servers are likely to remain under attack for the foreseeable future.
But at this point in time, patching is only half of the job. Companies must also perform security audits of their MobileIron MDM servers, their mobile devices, and internal networks.
This is because CVE-2020-15505 can be considered a gateway bug. Once exploited, intruders can use this bug to take over the entire MDM server and then deploy malware on mobile devices connected to the MDM server or access the company’s internal network, to which the MDM server is likely to be connected.