MobileIron’s Enterprise Mobile Device Management (MDM) platform, a solution used to manage fleets of mobile devices, is under attack. Several threat actors have recently been seen exploiting bugs in internet-facing MobileIron servers and using them as a foothold to push further into company networks.

Exploiting bugs in MobileIron

Public exploitation of MobileIron’s bugs began in September, when security researcher Orange Tsai published a technical write-up of the vulnerabilities along with Proof-of-Concept (PoC) details. In the write-up he reported having used one of these vulnerabilities to gain access to internal Facebook systems.
  • Tsai's blog post gave other security researchers enough detail to create public PoC exploits for CVE-2020-15505, an unauthenticated remote code execution (RCE) flaw and the most dangerous of the three bugs.
  • The affected MobileIron Core and Connector versions had already been fixed: the company validated the vulnerabilities and released patches for them when they were disclosed in July, before the write-up appeared. Servers still being exploited are therefore ones that were never updated.

Who is attacking?

Threat actors ranging from DDoS botnet operators to Chinese state-sponsored hacking groups have been observed exploiting three severe vulnerabilities (CVE-2020-15505, CVE-2020-15506, and CVE-2020-15507) in MobileIron’s MDM.
  • At the beginning of October, RiskIQ researchers detected the first wave of active exploitation attempts against MobileIron systems.
  • In mid-October, BlackArrow released a report on a threat actor attempting to break into MobileIron MDM servers in order to deliver and install the Kaiten (aka Tsunami) DDoS malware.

Recent alert

In a recent alert, the NSA included the MobileIron RCE bug (CVE-2020-15505), the most severe of the three, in its list of the top 25 vulnerabilities being actively exploited by Chinese state-sponsored hackers.

Closing lines

The RCE vulnerability CVE-2020-15505 has turned out to be one of the most dangerous security flaws of the year. Because an MDM server is a trusted gateway into the corporate network, with control over every enrolled device, unpatched MDM servers are likely to remain under attack from DDoS malware and other payloads for the foreseeable future. Experts therefore recommend that organizations apply the patches MobileIron has released and perform frequent security audits of their MobileIron MDM servers, checking for missing updates and signs of compromise, as well as of their mobile devices and internal networks.

Cyware Publisher